Hi everyone,
I am trying to configure Dovecot's mail_crypt plugin to support per-user
encryption, with public and private keys stored in LDAP and retrieved via
userdb.
My Goal:
1) Each user has their own key pair (public/private) stored in LDAP.
2) Incoming emails should be encrypted via LMTP using the user’s public key.
3) Users should be able to read emails via IMAP/Webmail using their private
key, which is password-protected (the user’s login password).
Current situation:
1) Using global keys (same key for all users) works fine: LMTP encrypts emails
and users can read them correctly.
2) When trying to use per-user keys, I get encryption errors in IMAP, because
Dovecot seems to require the private key even during LMTP, even though only the
public key should be needed for encryption.
Typical error:
lmtp(…): Failed to initialize user: mail_crypt_plugin: main:
crypt_private_key_password unset, no password to decrypt the key file
Example configuration (LDAP userdb):
crypt_user_key_require_encrypted = yes
userdb ldap {
  driver = ldap
  ldap_filter = (&(objectClass=MailClass) (mail=%{user}))
  result_internalfail = continue-ok
  fields {
    quota_storage_size = %{ldap:quota|default('5')}G
    mail_home = %{ldap:homeDirectory}
    crypt_global_public_key_file=inline:%{ldap:CryptoGlobalPubKey|default("")}
    crypt_global_private_key/main/crypt_private_key_file=inline:%{ldap:CryptoGlobalPrivKey|default('')}
    crypt_private_key_password=%{password}
  }
}
Questions / help requested:
1) Is it possible to configure mail_crypt so that LMTP can encrypt emails using
only the user’s public key, without needing the private key?
2) What is the correct way to use per-user keys with password-protected private
keys?
3) Are there any working examples of mail_crypt configurations using LDAP as
the source for per-user keys?
I am fully aware that LMTP needs the user's private key even if LMTP
doesn't use it, but during the LMTP session the user password is not available.
Version: 2.4.2-1 (0962ed2104)
Thanks in advance for any guidance!
_______________________________________________
dovecot mailing list -- [email protected]
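An added example, not part of the original post and not Dovecot's own code: a plain-openssl model of the asymmetric split the question relies on. The "sender" step (the LMTP role) derives a message secret using only the recipient's public key plus an ephemeral key pair; the "recipient" step (the IMAP role) needs the password-protected private key and the user's password. Dovecot's mail_crypt uses EC keys and ECDH-derived secrets in a similar spirit, but this block is a stand-alone demonstration of the principle, not the plugin's actual key or message format. The curve, file names and the sample passwords are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Dovecot): shows with plain
# openssl that encrypting for a user needs only the public key, while reading
# needs the password-protected private key and the correct password.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Recipient side: generate a per-user EC key pair (prime256v1 is an assumption)
# and keep the private key only in password-encrypted PKCS#8 form. In the LDAP
# scenario, user_priv.pem and user_pub.pem are what would be stored per user.
make_user_keys() {
    pw=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/user_priv_plain.pem"
    openssl pkey -in "$WORK/user_priv_plain.pem" -aes256 -passout "pass:$pw" \
        -out "$WORK/user_priv.pem"
    openssl pkey -in "$WORK/user_priv_plain.pem" -pubout -out "$WORK/user_pub.pem"
    rm -f "$WORK/user_priv_plain.pem"   # the plaintext private key never leaves this step
}

# Sender side (LMTP role): no access to user_priv.pem and no password. An
# ephemeral key pair plus the user's public key yields the message secret;
# only the ephemeral public key travels with the message.
sender_encrypt() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/eph_priv.pem"
    openssl pkey -in "$WORK/eph_priv.pem" -pubout -out "$WORK/eph_pub.pem"
    openssl pkeyutl -derive -inkey "$WORK/eph_priv.pem" \
        -peerkey "$WORK/user_pub.pem" -out "$WORK/secret_sender.bin"
    rm -f "$WORK/eph_priv.pem"          # ephemeral private key is discarded
}

# Recipient side (IMAP role): the same secret can only be recomputed by
# unlocking the encrypted private key with the user's password.
recipient_decrypt() {
    pw=$1
    rm -f "$WORK/secret_recipient.bin"
    openssl pkeyutl -derive -inkey "$WORK/user_priv.pem" -passin "pass:$pw" \
        -peerkey "$WORK/eph_pub.pem" -out "$WORK/secret_recipient.bin" 2>/dev/null
}

# roundtrip KEY_PASSWORD READ_PASSWORD -> prints "match" or "fail"
roundtrip() {
    make_user_keys "$1"
    sender_encrypt
    if recipient_decrypt "$2" && \
       cmp -s "$WORK/secret_sender.bin" "$WORK/secret_recipient.bin"; then
        echo match
    else
        echo fail
    fi
}

# Stand-alone run (sample passwords are constructed values).
echo "right password: $(roundtrip 's3cret' 's3cret')"
echo "wrong password: $(roundtrip 's3cret' 'wrong-guess')"
```

The sender step never touches the private key or the password, which is the property the poster expects from LMTP; the recipient step fails closed when the password is wrong, so a wrong or absent password at read time produces no usable secret rather than a corrupt one.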