Technically, creating and encrypting a folder key does not require decrypting the user's private key. All folder keys are encrypted with the user's public key.
Aki
On 08/12/2019 09:42 uxqex4efpu--- via dovecot <dovecot@dovecot.org> wrote:
What is the best way to cause a bash script to run (as root) at the time a mailbox is created (lda_mailbox_autocreate)?
I use Dovecot 2.3.4.1 on Debian 10.
And I use the mail-crypt plugin.
I set up mail-crypt to require an encrypted user EC key (mail_crypt_require_encrypted_user_key = yes). I want to passphrase-encrypt the EC key using the client's plaintext password, so no credential is stored on the server. But in case a user uses a bad password, I concatenate the user's plaintext password with a random salt, then SHA512() hash the string and use it as the decryption key (mail_crypt_private_password) for the EC private key.
For the above I have this plugin config:
mail_plugins = $mail_plugins mail_crypt
plugin {
  mail_crypt_curve = secp256k1
  mail_crypt_require_encrypted_user_key = yes
  mail_crypt_save_version = 2
}

And to return userdb_mail_crypt_private_password, I have this SQL query:

password_query = SELECT username, password, \
  SHA2( CONCAT('%w',salt), 512 ) AS userdb_mail_crypt_private_password \
  FROM virtual_users WHERE username='%u';

But how do I generate the user's key automatically? Note that to generate the user's key, I need the user's plaintext password. I never save the user's plaintext password on the server.
Also note that users are created in PHP on the web server. And for security I do not allow PHP to exec a shell (php.ini disable_functions). Definitely not giving PHP doveadm access!
To solve the problem of generating the encrypted user key, I have imap call the 'imap-postlogin' service, as the "Post-login scripting" documentation describes.
And 'imap-postlogin' executes my custom script with the 'script-login' binary.
Here is the config for the above:
service imap {
  executable = imap imap-postlogin
}
service imap-postlogin {
  executable = script-login /usr/local/bin/generateKeys.sh
  unix_listener imap-postlogin {
  }
}

And generateKeys.sh is a simple script for generating keys with the sha256() hash produced by MySQL. Note that the variable ${MAIL_CRYPT_PRIVATE_PASSWORD} is automatically set from the 'userdb_mail_crypt_private_password' field returned by the MySQL query, as documented:

Fields returned by userdb lookup with their keys uppercased (e.g. if userdb returned home, it's stored in HOME).

Here is generateKeys.sh:

#!/bin/bash
# The first line of the key listing is a header, so fewer than 2 lines
# means the user has no key yet; count the listing itself, not /dev/null.
if [ "$(/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U | wc -l)" -lt 2 ]; then
  /usr/bin/doveadm -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" \
    mailbox cryptokey generate -u "${USER}" -U > /dev/null
fi
# script-login requires the real service binary to be exec'd afterwards
exec "$@"

This works! But I want it better. Why execute on each login? Is it possible to have generateKeys.sh execute only at the time Dovecot creates the mailbox (lda_mailbox_autocreate) instead?
--- Aki Tuomi
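An added example, not code from the thread or from Dovecot: a post-login helper that derives the same value the SQL query above produces (SHA2(CONCAT('%w',salt),512) is lowercase hex SHA-512 of password||salt) and generates the user key only when the listing shows none. The DOVEADM override, the function names and the header-line assumption about `cryptokey list` output are assumptions made here.

```bash
#!/bin/bash
# Added example (assumptions: DOVEADM points at a doveadm binary, and
# "doveadm mailbox cryptokey list" prints one header line before the keys).
set -eu

DOVEADM="${DOVEADM:-/usr/bin/doveadm}"

# Same derivation as the SQL: lowercase hex SHA-512 of password followed by
# salt, so an admin can check what mail_crypt_private_password receives.
derive_private_password() {
    local password="$1" salt="$2"
    printf '%s%s' "$password" "$salt" | sha512sum | cut -d' ' -f1
}

# Number of user keys already present. The listing is piped to wc directly;
# sending it to /dev/null first would make every login look keyless.
user_key_count() {
    local user="$1"
    local lines
    lines=$("$DOVEADM" mailbox cryptokey list -u "$user" -U | wc -l)
    echo $(( lines > 1 ? lines - 1 : 0 ))
}

# Generate a user key only if none exists. Returns 0 after generating one,
# 1 when a key was already there (so repeated logins do not re-key).
ensure_user_key() {
    local user="$1" private_password="$2"
    if [ "$(user_key_count "$user")" -ge 1 ]; then
        return 1
    fi
    "$DOVEADM" -o "plugin/mail_crypt_private_password=${private_password}" \
        mailbox cryptokey generate -u "$user" -U >/dev/null
}

# Under script-login the userdb fields arrive in the environment and the
# real IMAP binary is passed as arguments; it must be exec'd afterwards.
if [ -n "${USER:-}" ] && [ "$#" -gt 0 ]; then
    ensure_user_key "$USER" "${MAIL_CRYPT_PRIVATE_PASSWORD:-}" || true
    exec "$@"
fi
```

Whatever is passed via `-o plugin/mail_crypt_private_password=...` appears in the doveadm process's argument list, which other local accounts can read with ps unless /proc is mounted with hidepid, so the derived value needs the same handling as a secret on the server.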