Thanks for the heads up about plugins, Aki. I have disabled the quota and sieve plugins and I don't think I have enabled fts. (If it is enabled by default, can you point me to configuration about how to disable it? I have tried this https://doc.dovecot.org/configuration_manual/fts/ and was not able to find a flag to turn it off.) But the error seems to persist.

---- Dovecot Configs ----
# 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 5.15.0-57-generic x86_64 Ubuntu 20.04.5 LTS
# Hostname: mailserver-dovecot-7c9ff7b94b-h4r8m
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
debug_log_path = /dev/stdout
haproxy_trusted_networks = 192.168.0.0/16 10.10.10.0/24 10.10.30.0/24 172.17.0.1/16
hostname = imap.mailserver.k8s.local pop.mailserver.k8s.local
info_log_path = /dev/stdout
listen = *
log_path = /dev/stdout
mail_debug = yes
mail_gid = 1000
mail_home = /var/vmail/mailboxes/%d/%n
mail_location = maildir:~/:LAYOUT=fs
mail_plugins = mail_crypt
mail_privileged_group = mail
mail_uid = 1000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY APPEND FLAG
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY APPEND FLAG
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  mail_crypt_save_version = 0
  quota = maildir:User quota
  quota_exceeded_message = User %u has exhausted allowed storage space.
  quota_rule = Junk:ignore
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=90%% quota-warning 90 %u %d
  quota_warning2 = storage=80%% quota-warning 80 %u %d
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_before = /var/vmail/sieve/global/spam-global.sieve
  sieve_global = /var/vmail/sieve/global/
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.debug
  sieve_pipe_bin_dir = /var/vmail/sieve/global
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = " imap lmtp sieve pop3"
service auth {
  inet_listener {
    port = 25252
  }
}
service imap-login {
  inet_listener imap {
    haproxy = yes
  }
  inet_listener imaps {
    haproxy = yes
    ssl = yes
  }
}
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 0.0.0.0
    port = 24
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service pop3-login {
  inet_listener pop3 {
    haproxy = yes
  }
  inet_listener pop3s {
    haproxy = yes
  }
}
ssl = required
ssl_cert = </etc/dovecot/certs/tls.crt
ssl_client_ca_dir = /etc/ssl/certs
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  info_log_path = /dev/stdout
  log_path = /dev/stdout
  mail_plugins = mail_crypt
  postmaster_address = cont...@baljeetbhinder.ca
}
protocol imap {
  mail_plugins = mail_crypt quota imap_quota imap_sieve
}
---- Dovecot Configs Ends ----

---- Lmtp Log ----
lmtp(273): Info: Connect from 172.17.0.1
lmtp(some...@example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: userdb lookup(some...@example.com): Started userdb lookup
lmtp(some...@example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Connecting
lmtp(some...@example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb (pid=144,uid=0): Client connected (fd=18)
lmtp(some...@example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: userdb lookup(some...@example.com): auth USER input: some...@example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2
lmtp(some...@example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: userdb lookup(some...@example.com): Finished userdb lookup (username=some...@example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2)
lmtp(some...@example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt some...@example.com: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
lmtp(some...@example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt some...@example.com: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
lmtp(some...@example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt some...@example.com: Added userdb setting: plugin/mail_crypt_save_version=2
lmtp(some...@example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt some...@example.com: Added userdb setting: plugin/quota_rule=*:bytes=1024000000
lmtp(some...@example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt some...@example.com: Effective uid=1000, gid=1000, home=/var/vmail/mailboxes/example.com/someone
lmtp(some...@example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt some...@example.com: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled
lmtp(273): Error: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt some...@example.com: Failed to initialize user: mail_crypt_plugin: mail_crypt_global_private_key: mail_crypt_global_private_key_password unset, no password to decrypt the key
lmtp(273): Info: Disconnect from 172.17.0.1: Logged out (state=READY)
---- Lmtp Log Ends ----

How can I tell which plugin is conflicting here?

January 9, 2023 6:00 AM, "Aki Tuomi" <aki.tu...@open-xchange.com> wrote:

>> On 08/01/2023 18:55 EET Baljeet Bhinder <cont...@baljeetbhinder.ca> wrote:
>>
>> I have been using postfix+dovecot successfully for a while now until I
>> tried mail crypt plugin lately. I tried what is described here
>> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin and I went
>> for global-keys as described here:
>> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#global-keys
>> "A good solution for environments where no user folder sharing is needed
>> is to generate per-user EC key pair and encrypt that with something
>> derived from user’s password."
>>
>> I am setting mail_crypt_global_private_key, mail_crypt_global_public_key,
>> mail_crypt_save_version from user_query and
>> userdb_mail_crypt_global_private_key_password from password_query.
>> mail_crypt seems to work fine in imap (I saved a message as draft and it
>> is stored encrypted on the disk), but lmtp complains about
>> "mail_crypt_global_private_key_password unset, no password to decrypt the
>> key". As you can see below in logs that it was able to set all other
>> mail_crypt_ configurations successfully from user_query. However, the
>> password is provided via password_query and I assume lmtp does not read
>> password_query. How else can I provide a password in lmtp? Is my approach
>> correct to begin with?
>
> Hi!
>
> Problem with user-password derivation is that what you've run into. Some
> features, like quota or FTS, might need to access user's mail without
> being able to access the password, because it's not available.
>
> If you run into these, the only thing you can do is to not use conflicting
> features. Using user's password as the encryption key is very tricky thing
> to get working right.
>
>> Thanks
>> Baljeet Bhinder
>
> Regards,
> Aki
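
The asymmetry behind the "no password to decrypt the key" error in this thread, as an added example (plain OpenSSL in a shell, not code from the thread or from Dovecot): a process that holds no user password can still work with the public key, but cannot load the password-encrypted private key. The ECDH-style derivation, the file names and the password are assumptions made for illustration.

```shell
#!/bin/sh
# Added demo, not Dovecot code. File names and the password are constructed
# sample values; the ECDH-style wrapping is an assumption for illustration.
set -eu
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
PW='constructed-sample-password'

# Provisioning: per-user EC key pair, private half encrypted with the password.
openssl ecparam -name prime256v1 -genkey -noout -out "$d/tmp.pem"
openssl pkey -in "$d/tmp.pem" -aes256 -passout "pass:$PW" -out "$d/user_priv.pem"
openssl pkey -in "$d/tmp.pem" -pubout -out "$d/user_pub.pem"
rm -f "$d/tmp.pem"

# Delivery-time step: no user password exists in this context. An ephemeral
# key plus the user's PUBLIC key is enough to derive a wrapping secret.
deliver_secret() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/eph.pem"
    openssl pkey -in "$d/eph.pem" -pubout -out "$d/eph_pub.pem"
    openssl pkeyutl -derive -inkey "$d/eph.pem" -peerkey "$d/user_pub.pem" \
        -out "$d/secret_w.bin"
    openssl dgst -sha256 -r "$d/secret_w.bin" | cut -d' ' -f1
}

# Read-time step: the same secret can only be recovered with the PRIVATE key,
# which cannot be loaded without the password ($1). An empty $1 models a
# process that was never given the password.
read_secret() {
    openssl pkeyutl -derive -inkey "$d/user_priv.pem" -passin "pass:$1" \
        -peerkey "$d/eph_pub.pem" -out "$d/secret_r.bin" \
        2>/dev/null </dev/null || return 1
    openssl dgst -sha256 -r "$d/secret_r.bin" | cut -d' ' -f1
}

w=$(deliver_secret)
if r=$(read_secret "$PW"); then echo "with password:    match=$([ "$w" = "$r" ] && echo yes || echo no)"; fi
if read_secret "" >/dev/null; then echo "without password: loaded"; else echo "without password: private key cannot be decrypted"; fi
```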