bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password

Dovecot mailing list
What is the best way to have a bash script run (as root) at the time a
mailbox is created (lda_mailbox_autocreate)?

I use Dovecot 2.3.4.1 on Debian 10.

And I use the mail-crypt plugin:
https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/

I have set up mail-crypt to require an encrypted user EC key
(mail_crypt_require_encrypted_user_key = yes). I want to encrypt the EC key
with a passphrase derived from the client's plaintext password, so that no
credential is stored on the server. But because a user may choose a very
bad password, I concatenate the user's plaintext password with a random
salt, hash the resulting string with SHA512() and use the hash as the
decryption key (mail_crypt_private_password) for the EC private key.

For the above I have this plugin config:

>   mail_plugins = $mail_plugins mail_crypt
>   plugin {
>     mail_crypt_curve = secp256k1
>     mail_crypt_require_encrypted_user_key = yes
>     mail_crypt_save_version = 2
>   }

And to return userdb_mail_crypt_private_password I have this SQL query:

>   password_query = SELECT username, password, \
>     SHA2( CONCAT('%w',salt), 512 ) AS userdb_mail_crypt_private_password \
>     FROM virtual_users WHERE username='%u';

But how do I generate the user's key automatically? Note that to generate
the user's key I need the user's plaintext password, and I never save the
user's plaintext password on the server.

Also note that users are created in PHP on the web server. For security I
do not allow PHP to exec a shell (php.ini disabled_functions). I am
definitely not giving PHP doveadm access!

To solve the problem of generating the user's encrypted key, I have imap
call the service 'imap-postlogin', as described in the "Post-login
scripting" document:
https://doc.dovecot.org/admin_manual/post_login_scripting/

And 'imap-postlogin' executes my custom script with the 'script-login' binary:
https://github.com/dovecot/core/blob/8606e1abb90a1c91357b84bf547a89564d053533/src/util/script-login.c

Here is the config for the above:

>   service imap {
>     executable = imap imap-postlogin
>   }
>   service imap-postlogin {
>     executable = script-login /usr/local/bin/generateKeys.sh
>     unix_listener imap-postlogin {
>     }
>   }

And generateKeys.sh is a simple script that generates the keys using the
sha256() hash produced by MySQL. Note that the variable
${MAIL_CRYPT_PRIVATE_PASSWORD} is populated automatically from the
'userdb_mail_crypt_private_password' field returned by the MySQL query, as
documented here:
https://doc.dovecot.org/admin_manual/post_login_scripting/running-surroundings

> Fields returned by userdb lookup with their keys uppercased
> (e.g. if userdb returned home, it's stored in HOME).

Here is generateKeys.sh:

>   #!/bin/bash
>   # `cryptokey list` prints a header line plus one line per key, so fewer
>   # than two lines means this user has no key yet. The list output has to
>   # reach wc through the pipe, so nothing may be redirected to /dev/null first.
>   if [ "$(/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U | wc -l)" -lt 2 ]; then
>           /usr/bin/doveadm -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" \
>                   mailbox cryptokey generate -u "${USER}" -U > /dev/null
>   fi
>   # hand over to the real imap process
>   exec "$@"

This works! But I want something better. Why execute it on every login? Is
it possible to have generateKeys.sh execute only when Dovecot creates the
mailbox (lda_mailbox_autocreate) instead?

Re: bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password

Dovecot mailing list
Technically, creating and encrypting a folder key does not require decrypting the user's private key. All folder keys are encrypted with the user's public key.

Aki
On 08/12/2019 09:42 uxqex4efpu--- via dovecot < [hidden email]> wrote:


---
Aki Tuomi
Re: bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password

Dovecot mailing list
> Technically creating and encrypting folder key does not
> require decrypting user's private key. All folder keys
> are encrypted with user's public key.

The problem is that this is a new user. The new user has no private key. I
need to generate that private key. It makes no sense to encrypt something
with a public key if there is no private key. The public and private keys
are mathematically related and have to be created together. Am I using the
wrong command for creating the user's main encrypted EC private key?

To state my primary question directly: is there any way to have Dovecot
execute a bash script at the time the mailbox is created (lda_mailbox_autocreate)?

Also, I notice extra behaviour when I do the following:

1. I create a user in the MySQL database
2. I confirm that no mailbox exists for the user
3. I confirm that no cryptokeys exist for the user

>   root@localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U
>   Folder Active Public ID
>   root@localhost:/var/vmail#

4. Before creating a mailbox or cryptokeys for the user, I send mail from
an existing user to the new user
5. Postfix delivers the mail to Dovecot
6. Dovecot accepts the mail for the new user and creates the mailbox
automatically (lda_mailbox_autocreate)
7. I check and see that Dovecot has created the user's key

>   root@localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U
>   Folder Active Public ID
>          yes    XYZ
>   root@localhost:/var/vmail#

How is this possible??? I have set in the mail-crypt settings that user
keys have to be encrypted (mail_crypt_require_encrypted_user_key = yes),
but I supplied no key! How does Dovecot create the user's main encrypted
public/private EC keypair without being given an encryption key?

I confirm that the message delivered for 'newuser' is encrypted, but of
course I cannot decrypt the mail. I get this error:

>   dovecot: imap(newuser...Error: Mailbox INBOX: UID=1: read()
>   failed...Private key not available: Cannot decrypt key XYZ

It is not good to execute generateKeys.sh on the user's first login. What
if the user receives email before the first login? How can I execute
generateKeys.sh on mailbox creation, and what do I do with incoming emails
while no keypair has been created? Could they be rejected, queued or saved
unencrypted until I generate the keypair? Is that possible?

On Sun, December 8, 2019 08:04, Aki Tuomi via dovecot wrote:
Re: bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password

Dovecot mailing list
It's a known issue that the password will be set to a silly value, most likely 'yes'.

You should generate the user key during provisioning with `doveadm cryptokey generate -Uu user -n password`. 

Aki
On 08/12/2019 16:22 [hidden email] wrote:


Re: bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password

Dovecot mailing list
> It's a known issue that the password will be set to silly
> value, most likely 'yes'.

Hello Aki, thank you.

In fact, it appears to generate an unencrypted key! I tested whether the
key is encrypted or not with `doveadm mailbox cryptokey export -Uu newuser`.

For the keys Dovecot created when new email arrived before the key was
generated, I get the private key even though I supply no password:

>   root@localhost:/var/vmail# doveadm mailbox cryptokey export -Uu newuser
>   Folder:
>   Public ID: ABC
>   Error:
>   -----BEGIN PRIVATE KEY-----
>   XYZ
>   -----END PRIVATE KEY-----

For the keys I generated before Dovecot's mail-triggered keypair creation,
I get an encoding error. I think "encoding error" means that the private
key is encrypted, unlike the one above:

>   Folder: ABC
>   Public ID: ERROR: error:03070068:bignum routines:BN_mpi2bn:encoding error
>   Error:

Is there a better way to check whether a key is encrypted or unencrypted?
This is very strange when I use 'mail_crypt_require_encrypted_user_key =
yes'. Not expected.

Would it be possible to add this to the documentation of the mail-crypt
plugin? May I recommend adding a notice under "Encrypted user keys":
https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/encrypted-user-keys

> Note: Even if ‘mail_crypt_require_encrypted_user_key’ is set to ‘yes’,
> Dovecot can still create and store an unencrypted key on
> disk if the user receives mail before the keypair is generated.

I think this very important to document. Thank you!

> You should generate the user key
> during provisioning with
> `doveadm cryptokey generate -Uu user -n password`.

This is not possible. I provision users in PHP, and it is very important
that I do not allow PHP shell/exec access (php.ini disabled_functions). PHP
has MySQL access only. I see no safe way to give PHP permission to execute
`doveadm`.

But I found a solution!

I tried disabling autocreate in Dovecot (lda_mailbox_autocreate = no), but
it still autocreates! And autocreate creates the broken user crypt keypair.

But it is possible to stop autocreate! I read that Dovecot does not
autocreate if 'mail_location' is not defined. So I deleted 'mail_location'
from the Dovecot config, and now the first email sent to a new user before
the user's keypair is generated produces an error. Good!

>   postfix/lmtp...[Private/dovecot-lmtp] said: 451 4.3.0 <[hidden email]> Temporary internal error (in reply to end of DATA command))

And I updated my post-login script generateKeys.sh to include
'mail_location':

>   #!/bin/bash
>
>   # string sanitization checks
>   USER=${USER//\"/}
>   MAIL_CRYPT_PRIVATE_PASSWORD=${MAIL_CRYPT_PRIVATE_PASSWORD//\"/}
>   echo "${USER}" | grep -E '^[0-9A-Za-z]{1,100}$' > /dev/null || exit 1
>   echo "${MAIL_CRYPT_PRIVATE_PASSWORD}" | grep -E '^[0-9A-Za-z]{128}$' > /dev/null || exit 1
>
>   # this list command always outputs one human-readable "header" line
>   # if there is at least one key, it will output two or more lines
>   # if there are no keys for the given user, it will have fewer than two lines
>   if [ "$(/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U | wc -l)" -lt 2 ]; then
>           /usr/bin/doveadm -o "mail_location=maildir:~/Maildir/" \
>                   -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" \
>                   mailbox cryptokey generate -u "${USER}" -U > /dev/null
>   fi
>
>   exec "$@"

Now it works! The mail-crypt plugin no longer creates a bad key that locks
the user out. The first login now generates the user's keypair using the
user's salted password hash, which is never stored on the server. Very good!
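The derivation in the password_query from the first message and the checks in the final generateKeys.sh, as an added example written for this thread (not the poster's script and not Dovecot's own code): it reproduces the MySQL SHA2(CONCAT('%w', salt), 512) value with sha512sum, applies the same whitelist checks, and decides from captured `doveadm mailbox cryptokey list` and `export` output whether a key exists and whether an export came back as a plaintext PEM block. The sample outputs are constructed from the thread's own terminal captures, and reading an ERROR line as a "locked" key follows the poster's inference rather than a documented Dovecot guarantee.

```shell
#!/bin/sh
# Added example, not the poster's generateKeys.sh: the hook's decisions as
# testable functions. doveadm output is passed in as text so this runs offline.

# Reproduce MySQL's SHA2(CONCAT(password, salt), 512): both yield the same
# 128 lowercase hex characters, which is why the script's regex demands {128}.
derive_private_password() {
    printf '%s%s' "$1" "$2" | sha512sum | cut -d ' ' -f 1
}

# Whitelist checks identical to the script's, applied before any value is
# handed to doveadm on a command line.
valid_user() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Za-z]{1,100}$'
}
valid_private_password() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Za-z]{128}$'
}

# `doveadm mailbox cryptokey list` prints a header line and then one line per
# key, so two or more lines mean a key exists. Pass the captured output
# (as $(...) returns it, without a trailing newline).
has_user_key() {
    [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" -ge 2 ]
}

# Classify captured `doveadm mailbox cryptokey export` output:
#   unencrypted - a plaintext PEM private key came back (the bad key the
#                 thread saw after mail arrived before key generation)
#   locked      - an ERROR line came back; the poster reads this as an
#                 encrypted key that cannot be opened without its password
#   none        - nothing recognisable
classify_export() {
    case "$1" in
        *'-----BEGIN PRIVATE KEY-----'*) echo unencrypted ;;
        *'ERROR:'*) echo locked ;;
        *) echo none ;;
    esac
}

# What the post-login hook should do for one login. Prints one of:
#   reject   - inputs failed the whitelist (the script exits 1 here)
#   skip     - the user already has a key
#   generate - run the doveadm generate command for this user
decide_action() {
    if ! valid_user "$1" || ! valid_private_password "$2"; then
        echo reject
    elif has_user_key "$3"; then
        echo skip
    else
        echo generate
    fi
}

# The real "generate" step, the doveadm call from the thread's final script.
# Not run here: it needs a live Dovecot with the mail_crypt plugin.
generate_user_key() {
    /usr/bin/doveadm -o "mail_location=maildir:~/Maildir/" \
        -o "plugin/mail_crypt_private_password=$2" \
        mailbox cryptokey generate -u "$1" -U > /dev/null
}

# Constructed samples mirroring the thread's terminal captures.
LIST_NO_KEY='Folder Active Public ID'
LIST_WITH_KEY='Folder Active Public ID
       yes    XYZ'
EXPORT_PLAIN='Folder:
Public ID: ABC
Error:
-----BEGIN PRIVATE KEY-----
XYZ
-----END PRIVATE KEY-----'
EXPORT_LOCKED='Folder: ABC
Public ID: ERROR: error:03070068:bignum routines:BN_mpi2bn:encoding error
Error:'

# Walk one provisioning scenario: derive the value the SQL query would return
# for a constructed password and salt, then see what the hook decides.
PRIVPW=$(derive_private_password 'correct-horse' 'c0ffee')
echo "private password: ${PRIVPW}"
echo "new user, no key yet:       $(decide_action newuser "$PRIVPW" "$LIST_NO_KEY")"
echo "same user, key present:     $(decide_action newuser "$PRIVPW" "$LIST_WITH_KEY")"
echo "export of mail-created key: $(classify_export "$EXPORT_PLAIN")"
echo "export of hook-created key: $(classify_export "$EXPORT_LOCKED")"
```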


On Sun, December 8, 2019 18:15, Aki Tuomi via dovecot wrote: