Questions around mailcrypt and LDAP
Hello, all.

I read carefully the messages about mailcrypt on the mailing list, especially this response from Aki:

> It's best suited for securing external storage such as NFS or object storage. There are possibilities to encrypt the key using the user's password, but this takes careful planning. The keys can also come from userdb, e.g. LDAP.

I am able to extend the LDAP schema of my OpenLDAP server to store a key in an LDAP attribute for each user. In this case, would it be enough for Dovecot to encrypt the messages when they arrive? Maybe I misunderstand the documentation.

Even when using user keys protected by a password, the Dovecot LMTP process should be able to encrypt the emails with the user's public key, without a password, no?

Ideally, I would like to store users' emails encrypted, so each user cannot access other users' emails. I don't need folder sharing.

Thanks for your advice.

Kind regards,
André Rodier
Re: Submission: track authenticated_user
Sorry for the noise.

Allowing the dovecot server on the postfix relayhost (https://www.postfix.org/postconf.5.html#smtpd_authorized_xclient_hosts) permits retrieving sasl_username in the log:

Nov 10 10:53:13 relayhost postfix/smtpd[2749948]: 834AE3F8AD: client=dovecot-submission[0.0.0.0], sasl_method=XCLIENT,sasl_username=submit...@example.com

I'm wondering if this sasl_username can now be retrieved by a milter. But it's outside of the list.

On 10/11/2022 at 11:56, itan...@univ-brest.fr wrote:
> Hello,
>
> We would like to use Dovecot Submission to have fewer queues to maintain. The relayhost (Postfix) after Dovecot routes mail by sender_map, so by the authenticated user, not the "mail from", because .
>
> For what we've seen, we can't use the Received header to retrieve this authenticated_user. Example of header:
>
> Received: from mailhost ([0.0.0.0]) by submission.host with ESMTPSA id submission-id (envelope-from) for; Thu, 9 Nov 2022 08:27:41 +
>
> So we've thought to use XCLIENT, but reading the doc it seems that's not a good way: https://doc.dovecot.org/settings/core/
>
> - submission_relay_trusted: If enabled, the relay server is trusted. Determines whether we try to send (Postfix-specific) XCLIENT data to the relay server (only if enabled).
>
> But XCLIENT for Submission seems to not transfer LOGIN: https://doc.dovecot.org/settings/core/
>
> XCLIENT command can be used to override:
> - Session ID
> - Client IP and port (%{rip}, %{rport})
> - HELO - Overrides what the client sent earlier in the EHLO command
> - LOGIN - Currently unused
> - PROTO - Currently unused
> - forward_* fields can be sent to auth process's passdb lookup
>
> The trust is always checked against the connecting IP address. Except if HAProxy is used, then the original client IP address is used.
>
> Do you know another way to inform the relayhost of submission of the authenticated_user?
>
> Thanks
> Ismaël TANGUY
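Once the relay logs sasl_username for XCLIENT sessions, an operator can audit from the relay's log that the envelope sender of each submitted message matches the login Dovecot forwarded. The following is an added example, not code from the thread: the sample log lines are constructed after the postfix/smtpd line quoted above plus Postfix's usual qmgr "from=<...>" line, and the addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic): two authenticated submissions relayed by
# Dovecot via XCLIENT and one unauthenticated inbound message for comparison.
SAMPLE_LOG = """\
Nov 10 10:53:13 relayhost postfix/smtpd[2749948]: 834AE3F8AD: client=dovecot-submission[0.0.0.0], sasl_method=XCLIENT,sasl_username=alice@example.com
Nov 10 10:53:13 relayhost postfix/qmgr[2749001]: 834AE3F8AD: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Nov 10 10:54:02 relayhost postfix/smtpd[2749948]: 91BC02A7F1: client=dovecot-submission[0.0.0.0], sasl_method=XCLIENT,sasl_username=bob@example.com
Nov 10 10:54:02 relayhost postfix/qmgr[2749001]: 91BC02A7F1: from=<ceo@example.com>, size=4096, nrcpt=3 (queue active)
Nov 10 10:55:40 relayhost postfix/smtpd[2749950]: A13F7C0011: client=mx.other.example[203.0.113.7]
Nov 10 10:55:40 relayhost postfix/qmgr[2749001]: A13F7C0011: from=<someone@other.example>, size=512, nrcpt=1 (queue active)
"""

# smtpd line: queue id and connecting client; SASL fields are present only when the
# session was authenticated (here: passed on by Dovecot through XCLIENT).
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)")
SASL_RE = re.compile(r"sasl_method=(?P<method>[^,\s]+),\s*sasl_username=(?P<user>\S+)")
# qmgr line: same queue id, envelope sender (MAIL FROM).
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")


def audit(log_text):
    """Correlate smtpd and qmgr lines by queue id; return one record per message."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            rec = msgs[m["qid"]]
            rec["client"] = m["client"]
            s = SASL_RE.search(line)
            if s:
                rec["sasl_method"], rec["sasl_username"] = s["method"], s["user"]
            continue
        m = QMGR_RE.search(line)
        if m:
            msgs[m["qid"]]["sender"] = m["sender"]
    for rec in msgs.values():
        user = rec.get("sasl_username")
        rec["authenticated"] = user is not None
        # Strict equality; a real policy would also accept aliases the login owns.
        rec["sender_matches_login"] = user is not None and user.lower() == rec.get("sender", "").lower()
    return dict(msgs)


def mismatches(log_text):
    """Queue ids where an authenticated login sent mail as a different envelope sender."""
    return sorted(q for q, r in audit(log_text).items()
                  if r["authenticated"] and not r["sender_matches_login"])


if __name__ == "__main__":
    for qid, rec in audit(SAMPLE_LOG).items():
        print(qid, rec)
    print("sender/login mismatches:", mismatches(SAMPLE_LOG))
```

The same correlation by queue id works on a live mail log; only the constructed SAMPLE_LOG is specific to this example.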
Submission: track authenticated_user
Hello,

We would like to use Dovecot Submission to have fewer queues to maintain. The relayhost (Postfix) after Dovecot routes mail by sender_map, so by the authenticated user, not the "mail from", because .

For what we've seen, we can't use the Received header to retrieve this authenticated_user. Example of header:

Received: from mailhost ([0.0.0.0]) by submission.host with ESMTPSA id submission-id (envelope-from) for; Thu, 9 Nov 2022 08:27:41 +

So we've thought to use XCLIENT, but reading the doc it seems that's not a good way: https://doc.dovecot.org/settings/core/

- submission_relay_trusted: If enabled, the relay server is trusted. Determines whether we try to send (Postfix-specific) XCLIENT data to the relay server (only if enabled).

But XCLIENT for Submission seems to not transfer LOGIN: https://doc.dovecot.org/settings/core/

XCLIENT command can be used to override:
- Session ID
- Client IP and port (%{rip}, %{rport})
- HELO - Overrides what the client sent earlier in the EHLO command
- LOGIN - Currently unused
- PROTO - Currently unused
- forward_* fields can be sent to auth process's passdb lookup

The trust is always checked against the connecting IP address. Except if HAProxy is used, then the original client IP address is used.

Do you know another way to inform the relayhost of submission of the authenticated_user?

Thanks
Ismaël TANGUY
Re: SSL error
Store - typo at my end (have kb-issues)

Thanks and regards

Goetz R Schultz

>8 Quis custodiet ipsos custodes?
/"\
\ /  ASCII Ribbon Campaign
 X   against HTML e-mail
/ \
8<

On 09/11/2022 21:28, Ruben Safir wrote:
>> This got nothing to do with LE or own CA. Bottom line is, you need to add your own CA to the cert tore (ideally)
>
> what is a cert tore?
>
>> - look in DuckDuckGo how that works for your distro - Linux is different from BSD - for example. That would be my line in FreeBSD, using a single file for the CA:
>>
>> $FOO_BIN -d 60 -F -f /usr/local/etc/fetchmailrc --sslcertfile /etc/ssl/certs/my-ca.crt
>>
>> The --sslcertfile part can be dumped if using the global store. Bottom line - independent from CA.
>>
>> --
>> Thanks and regards
>> Goetz R Schultz

This message is transmitted on 100% recycled electrons.
Unsigned message - no responsibility that content is not altered