This bug was submitted on an Ubuntu Jammy system with FIPS enabled.

Here is the Ubuntu bug report:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2107773

Pull Request submitted:
https://github.com/dovecot/core/pull/241

[ Impact ]

 * When one enables FIPS mode on a Jammy system and then attempts to use Dovecot to create an encrypted mailbox, the module returns an invalid salt length error.
 * FIPS mode requires a 16 byte salt for PBKDF2 and Dovecot is only requesting 8 bytes of salt. The solution is to modify Dovecot to request 16 bytes of salt.

[ Test Plan ]

 * Install Dovecot on the system
   o sudo apt install dovecot-auth-lua dovecot-core dovecot-gssapi dovecot-imapd dovecot-ldap dovecot-lmtpd dovecot-managesieved dovecot-mysql dovecot-pgsql dovecot-pop3d dovecot-sieve dovecot-solr dovecot-sqlite dovecot-submissiond
 * Enable mailbox encryption.
   o Add /etc/dovecot/conf.d//mail-crypt.conf to enable mailbox encryption:

     mail_location = mbox:~/mail:INBOX=/var/mail/%u
     listen = *
     mbox_write_locks = fcntl
     namespace inbox {
       inbox = yes
       location =
       mailbox Drafts {
         special_use = \Drafts
       }
       mailbox Junk {
         special_use = \Junk
       }
       mailbox Sent {
         special_use = \Sent
       }
       mailbox "Sent Messages" {
         special_use = \Sent
       }
       mailbox Trash {
         special_use = \Trash
       }
       prefix =
     }
     passdb {
       driver = pam
     }
     userdb {
       driver = passwd
     }
     mail_plugins = $mail_plugins mail_crypt
     plugin {
       mail_crypt_curve = secp521r1
       mail_crypt_save_version=2
     }
     mail_attribute_dict = file:%h/Maildir/dovecot-attributes
     imap_metadata = yes

 * Issue the following command to create an encrypted mailbox:
   o sudo doveadm -o plugin/mail_crypt_private_password=e32f1f174d7576716d5df899e7d5cb6b64cdb33584c71882e9f7e1f79f2e695e mailbox cryptokey generate -u <username>
 * Verify that no error occurs.
 * Enable FIPS on a Jammy system.
   o sudo pro attach
   o sudo pro enable fips-updates
   o sudo reboot
 * Reboot
 * Delete the mailbox
   o rm -rf ~/mail
 * Issue the following command to create an encrypted mailbox:
   o sudo doveadm -o plugin/mail_crypt_private_password=e32f1f174d7576716d5df899e7d5cb6b64cdb33584c71882e9f7e1f79f2e695e mailbox cryptokey generate -u <username>
 * Verify that an error occurs.
 * Update Dovecot to the fixed version.
 * Repeat the commands to delete the mailbox and to create an encrypted mailbox.
 * After installing the fix, verify that no error occurs.

[ Where problems could occur ]

 * The increased salt size of 16 bytes could potentially cause issues in allocated data structures, but I've attempted to mitigate this by increasing the size of potentially problematic data structures.

[ Other Info ]

This is really only needed on systems where FIPS is supported, i.e. Jammy and Noble and 26.04.
_______________________________________________ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
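
The failure described in the report above can be modelled without a FIPS host. This is an added example, not code from the original message or from Dovecot: it applies the PBKDF2 lower bounds that OpenSSL 3 enforces when its SP 800-132 checks are active (the salt bound from the report, plus the iteration and derived-key bounds from the same check set, so it goes slightly beyond the one case reported). The function names, password, iteration count and key length are assumptions made for the illustration.

```python
import hashlib

# Lower bounds OpenSSL 3 applies to PBKDF2 when its SP 800-132 checks are
# active, as they are in the FIPS provider.
MIN_SALT_BYTES = 16   # 128-bit salt
MIN_ITERATIONS = 1000
MIN_KEY_BYTES = 14    # 112-bit derived key


class FipsParameterError(ValueError):
    """Raised when PBKDF2 inputs fall below the FIPS-mode lower bounds."""


def pbkdf2_violations(salt, iterations, key_len):
    """Return a description of every lower bound the parameters violate."""
    problems = []
    if len(salt) < MIN_SALT_BYTES:
        problems.append(f"invalid salt length: {len(salt)} < {MIN_SALT_BYTES} bytes")
    if iterations < MIN_ITERATIONS:
        problems.append(f"invalid iteration count: {iterations} < {MIN_ITERATIONS}")
    if key_len < MIN_KEY_BYTES:
        problems.append(f"invalid key length: {key_len} < {MIN_KEY_BYTES} bytes")
    return problems


def derive_key(password, salt, iterations, key_len, fips_mode):
    """PBKDF2-HMAC-SHA256 that rejects weak parameters only in FIPS mode."""
    problems = pbkdf2_violations(salt, iterations, key_len)
    if fips_mode and problems:
        raise FipsParameterError("; ".join(problems))
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len)


# Constructed sample inputs (hypothetical values, not taken from Dovecot).
PASSWORD = b"constructed-sample-password"
OLD_SALT = bytes(range(8))    # 8 bytes: the size the report says is requested
NEW_SALT = bytes(range(16))   # 16 bytes: the size the fix requests
ROUNDS, KEY_LEN = 2048, 32    # assumed for the example


def run_test_plan():
    """Mirror the test plan: each salt size with FIPS checks off, then on."""
    results = {}
    for label, salt in (("8-byte", OLD_SALT), ("16-byte", NEW_SALT)):
        for fips_mode in (False, True):
            try:
                derive_key(PASSWORD, salt, ROUNDS, KEY_LEN, fips_mode)
                results[(label, fips_mode)] = "ok"
            except FipsParameterError as exc:
                results[(label, fips_mode)] = str(exc)
    return results


if __name__ == "__main__":
    for (label, fips_mode), outcome in run_test_plan().items():
        print(f"salt={label:7} fips={fips_mode!s:5} -> {outcome}")
```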