Re: Set mail crypt private password with OAUTH?

2022-01-31 Thread John Stoffel
> "Aki" == Aki Tuomi  writes:

Max,
It would be awesome if you could post a summary of what your setup is,
what you were trying to accomplish, and the configuration you came up
with after all this work with Aki and the rest of the team.

Digging through the entire chain would be a chore and while I've
enjoyed reading it all, I've already forgotten what the original setup
was you were working on!

As a bonus, this writeup will help you in the future if you run into
problems again.  :-)

John


Aki> Ah. This is because you have a mistake in your userdb query:
Aki>    SHA2(CONCAT(username, random_key), 256) AS
Aki>    userdb_mail_crypt_private_password \

Aki> should be
Aki>    SHA2(CONCAT(username, random_key), 256) AS
Aki>    mail_crypt_private_password \

Aki> userdb_ prefix should only be used in passdb **or** passwd-file.

Aki> Aki

>> On 31/01/2022 13:00 Max Kostikov  wrote:
>> 
>> 
>> With the userdb_mail_crypt_private_password part removed from the 
>> password_query it doesn't work at all, even with standard password 
>> authentication.
>> 
>> 
>> Aki Tuomi wrote 2022-01-31 12:52:
>> > Using oauth2 or not should make no difference if the key is loaded in
>> > userdb. Can you check with mail_debug=yes to see that it gets loaded
>> > even if you remove it from passdb sql?
>> > 
>> > Aki
>> > 
>> >> On 31/01/2022 12:41 Max Kostikov  wrote:
>> >> 
>> >> 
>> >> Correction. Mail crypt works fine when I'm logged in with the regular
>> >> password authentication
>> >> but doesn't when OAUTH2 is used.
>> >> 
>> >> Max Kostikov wrote 2022-01-31 12:30:
>> >> > Yes, that's right.
>> >> > I tried to get the key with userdb before I wrote to the Dovecot list, but
>> >> > this doesn't work for me.
>> >> > Yes, the decryption key is correct but for some reason it isn't
>> >> > applied during key decryption.
>> >> >
>> >> >
>> >> > Aki Tuomi wrote 2022-01-31 12:09:
>> >> >> In fact now that I looked through your configs once more, this is
>> >> >> already what you are doing, except you are exporting the private key
>> >> >> password in three different places.
>> >> >>
>> >> >> So basically, if you do `doveadm user foobar` it should already give
>> >> >> you a correct key.
>> >> >>
>> >> >> You can see if the key is correct with `doveadm mailbox cryptokey
>> >> >> export -u user -U`
>> >> >>
>> >> >> Aki
>> >> >>
>> >> >>> On 31/01/2022 12:03 Aki Tuomi  wrote:
>> >> >>>
>> >> >>>
>> >> >>> Hgm. You have userdb lookups enabled, why not just move the entire
>> >> >>> mail_crypt_private_password handling there instead of passdb? This
>> >> >>> way it'll work with LMTP/LDA as well.
>> >> >>>
>> >> >>> So move all user related fields to the userdb lookup, and keep only
>> >> >>> the authentication handling in passdb.
>> >> >>>
>> >> >>> In your configuration, passdb lookups are not done for LMTP/LDA etc.
>> >> >>>
>> >> >>> Aki
>> >> >>>
>> >> >>> > On 31/01/2022 12:00 Max Kostikov  wrote:
>> >> >>> >
>> >> >>> >
>> >> >>> > Unfortunately there are no "master out" entries in the log, but I 
>> >> >>> > have
>> >> >>> > "userdb out"
>> >> >>> >
>> >> >>> > Jan 31 09:56:40 example.com dovecot: auth: Debug: master userdb out:
>> >> >>> > USER#0111609564161#011max.kosti...@gmail.com#011home=/var/vmail/gmail.com/max.kostikov/#011mail=maildir:/var/vmail/gmail.com/max.kostikov/#011uid=150#011gid=8#011quota=dirsize:storage=0#011userdb_mail_crypt_private_password=#011auth_mech=XOAUTH2#011auth_token=a8a38b3119780448ae96debd5687df75f5043378
>> >> >>> >
>> >> >>> >
>> >> >>> > Aki Tuomi wrote 2022-01-31 11:47:
>> >> >>> > > Was the field present in the auth debug logs? It should be shown in 
>> >> >>> > > the
>> >> >>> > > "master out" log line and also it should be visible on 
>> >> >>> > > mail_debug=yes
>> >> >>> > > logs as `plugin/mail_crypt_private_key_password`.
>> >> >>> > >
>> >> >>> > > Aki
>> >> >>> > >
>> >> >>> > >> On 31/01/2022 11:40 Max Kostikov  wrote:
>> >> >>> > >>
>> >> >>> > >>
>> >> >>> > >> Unfortunately I still get a decryption error with "Password not
>> >> >>> > >> available"
>> >> >>> > >>
>> >> >>> > >> ...
>> >> >>> > >> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com 
>> >> >>> > >> dovecot:
>> >> >>> > >> imap(max.kosti...@gmail.com)<22267><59cRjt3Wbtx/AAAB>: Error: 
>> >> >>> > >> Mailbox
>> >> >>> > >> INBOX: UID=1: read() failed:
>> >> >>> > >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.dev-message-portal-08.healthycareservice.com,S=2140,W=2193:2,S)
>> >> >>> > >> failed: Private key not available: Cannot decrypt key
>> >> >>> > >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870:
>> >> >>> > >> Cannot
>> >> >>> > >> decrypt key
>> >> >>> > >> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8:
>> >> >>> > >> Password not available
>> >> >>> > >> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com 
>> >> >>> > >> dovecot:
>> >> >>> > >> imap(max.kosti...@gmail.com)<22267><59cRjt3Wbtx/AAAB>: 
>> >> >>> > >> Disconnected:
>> >> >>> 

Re: Set mail crypt private password with OAUTH?

2022-01-31 Thread Aki Tuomi
Ah. This is because you have a mistake in your userdb query:

   SHA2(CONCAT(username, random_key), 256) AS
   userdb_mail_crypt_private_password \

should be
   SHA2(CONCAT(username, random_key), 256) AS
   mail_crypt_private_password \

userdb_ prefix should only be used in passdb **or** passwd-file.

Aki

> On 31/01/2022 13:00 Max Kostikov  wrote:
> 
>  
> With the userdb_mail_crypt_private_password part removed from the 
> password_query it doesn't work at all, even with standard password 
> authentication.
> 
> 
> Aki Tuomi wrote 2022-01-31 12:52:
> > Using oauth2 or not should make no difference if the key is loaded in
> > userdb. Can you check with mail_debug=yes to see that it gets loaded
> > even if you remove it from passdb sql?
> > 
> > Aki
> > 
> >> On 31/01/2022 12:41 Max Kostikov  wrote:
> >> 
> >> 
> >> Correction. Mail crypt works fine when I'm logged in with the regular
> >> password authentication
> >> but doesn't when OAUTH2 is used.
> >> 
> >> Max Kostikov wrote 2022-01-31 12:30:
> >> > Yes, that's right.
> >> > I tried to get the key with userdb before I wrote to the Dovecot list, but
> >> > this doesn't work for me.
> >> > Yes, the decryption key is correct but for some reason it isn't
> >> > applied during key decryption.
> >> >
> >> >
> >> > Aki Tuomi wrote 2022-01-31 12:09:
> >> >> In fact now that I looked through your configs once more, this is
> >> >> already what you are doing, except you are exporting the private key
> >> >> password in three different places.
> >> >>
> >> >> So basically, if you do `doveadm user foobar` it should already give
> >> >> you a correct key.
> >> >>
> >> >> You can see if the key is correct with `doveadm mailbox cryptokey
> >> >> export -u user -U`
> >> >>
> >> >> Aki
> >> >>
> >> >>> On 31/01/2022 12:03 Aki Tuomi  wrote:
> >> >>>
> >> >>>
> >> >>> Hgm. You have userdb lookups enabled, why not just move the entire
> >> >>> mail_crypt_private_password handling there instead of passdb? This
> >> >>> way it'll work with LMTP/LDA as well.
> >> >>>
> >> >>> So move all user related fields to the userdb lookup, and keep only
> >> >>> the authentication handling in passdb.
> >> >>>
> >> >>> In your configuration, passdb lookups are not done for LMTP/LDA etc.
> >> >>>
> >> >>> Aki
> >> >>>
> >> >>> > On 31/01/2022 12:00 Max Kostikov  wrote:
> >> >>> >
> >> >>> >
> >> >>> > Unfortunately there are no "master out" entries in the log, but I 
> >> >>> > have
> >> >>> > "userdb out"
> >> >>> >
> >> >>> > Jan 31 09:56:40 example.com dovecot: auth: Debug: master userdb out:
> >> >>> > USER#0111609564161#011max.kosti...@gmail.com#011home=/var/vmail/gmail.com/max.kostikov/#011mail=maildir:/var/vmail/gmail.com/max.kostikov/#011uid=150#011gid=8#011quota=dirsize:storage=0#011userdb_mail_crypt_private_password=#011auth_mech=XOAUTH2#011auth_token=a8a38b3119780448ae96debd5687df75f5043378
> >> >>> >
> >> >>> >
> >> >>> > Aki Tuomi wrote 2022-01-31 11:47:
> >> >>> > > Was the field present in the auth debug logs? It should be shown in the
> >> >>> > > "master out" log line and also it should be visible on 
> >> >>> > > mail_debug=yes
> >> >>> > > logs as `plugin/mail_crypt_private_key_password`.
> >> >>> > >
> >> >>> > > Aki
> >> >>> > >
> >> >>> > >> On 31/01/2022 11:40 Max Kostikov  wrote:
> >> >>> > >>
> >> >>> > >>
> >> >>> > >> Unfortunately I still get a decryption error with "Password not
> >> >>> > >> available"
> >> >>> > >>
> >> >>> > >> ...
> >> >>> > >> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com 
> >> >>> > >> dovecot:
> >> >>> > >> imap(max.kosti...@gmail.com)<22267><59cRjt3Wbtx/AAAB>: Error: 
> >> >>> > >> Mailbox
> >> >>> > >> INBOX: UID=1: read() failed:
> >> >>> > >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.dev-message-portal-08.healthycareservice.com,S=2140,W=2193:2,S)
> >> >>> > >> failed: Private key not available: Cannot decrypt key
> >> >>> > >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870:
> >> >>> > >> Cannot
> >> >>> > >> decrypt key
> >> >>> > >> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8:
> >> >>> > >> Password not available
> >> >>> > >> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com 
> >> >>> > >> dovecot:
> >> >>> > >> imap(max.kosti...@gmail.com)<22267><59cRjt3Wbtx/AAAB>: 
> >> >>> > >> Disconnected:
> >> >>> > >> FETCH failed: Mailbox INBOX: UID=1: read() failed:
> >> >>> > >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.dev-message-portal-08.healthycareservice.com,S=2140,W=2193:2,S)
> >> >>> > >> failed: Private key not available: Cannot decrypt key
> >> >>> > >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870:
> >> >>> > >> Cannot
> >> >>> > >> decrypt key
> >> >>> > >> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8:
> >> >>> > >> Password not available in=463 out=1872 deleted=0 expunged=0 
> >> >>> > >> trashed=0
> >> >>> > >> hdr_count=1 hdr_bytes=115 body_count=0 body_bytes=0
> >> >>> > >>
> 

Re: Set mail crypt private password with OAUTH?

2022-01-31 Thread Aki Tuomi
Using oauth2 or not should make no difference if the key is loaded in userdb. 
Can you check with mail_debug=yes to see that it gets loaded even if you remove 
it from passdb sql?

Aki

> On 31/01/2022 12:41 Max Kostikov  wrote:
> 
>  
> Correction. Mail crypt works fine when I'm logged in with the regular 
> password authentication
> but doesn't when OAUTH2 is used.
> 
> Max Kostikov wrote 2022-01-31 12:30:
> > Yes, that's right.
> > I tried to get the key with userdb before I wrote to the Dovecot list, but
> > this doesn't work for me.
> > Yes, the decryption key is correct but for some reason it isn't
> > applied during key decryption.
> > 
> > 
> > Aki Tuomi wrote 2022-01-31 12:09:
> >> In fact now that I looked through your configs once more, this is
> >> already what you are doing, except you are exporting the private key
> >> password in three different places.
> >> 
> >> So basically, if you do `doveadm user foobar` it should already give
> >> you a correct key.
> >> 
> >> You can see if the key is correct with `doveadm mailbox cryptokey
> >> export -u user -U`
> >> 
> >> Aki
> >> 
> >>> On 31/01/2022 12:03 Aki Tuomi  wrote:
> >>> 
> >>> 
> >>> Hgm. You have userdb lookups enabled, why not just move the entire 
> >>> mail_crypt_private_password handling there instead of passdb? This 
> >>> way it'll work with LMTP/LDA as well.
> >>> 
> >>> So move all user related fields to the userdb lookup, and keep only 
> >>> the authentication handling in passdb.
> >>> 
> >>> In your configuration, passdb lookups are not done for LMTP/LDA etc.
> >>> 
> >>> Aki
> >>> 
> >>> > On 31/01/2022 12:00 Max Kostikov  wrote:
> >>> >
> >>> >
> >>> > Unfortunately there are no "master out" entries in the log, but I have
> >>> > "userdb out"
> >>> >
> >>> > Jan 31 09:56:40 example.com dovecot: auth: Debug: master userdb out:
> >>> > USER#0111609564161#011max.kosti...@gmail.com#011home=/var/vmail/gmail.com/max.kostikov/#011mail=maildir:/var/vmail/gmail.com/max.kostikov/#011uid=150#011gid=8#011quota=dirsize:storage=0#011userdb_mail_crypt_private_password=#011auth_mech=XOAUTH2#011auth_token=a8a38b3119780448ae96debd5687df75f5043378
> >>> >
> >>> >
> >>> > Aki Tuomi wrote 2022-01-31 11:47:
> >>> > > Was the field present in the auth debug logs? It should be shown in the
> >>> > > "master out" log line and also it should be visible on mail_debug=yes
> >>> > > logs as `plugin/mail_crypt_private_key_password`.
> >>> > >
> >>> > > Aki
> >>> > >
> >>> > >> On 31/01/2022 11:40 Max Kostikov  wrote:
> >>> > >>
> >>> > >>
> >>> > >> Unfortunately I still get a decryption error with "Password not
> >>> > >> available"
> >>> > >>
> >>> > >> ...
> >>> > >> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com dovecot:
> >>> > >> imap(max.kosti...@gmail.com)<22267><59cRjt3Wbtx/AAAB>: Error: Mailbox
> >>> > >> INBOX: UID=1: read() failed:
> >>> > >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.dev-message-portal-08.healthycareservice.com,S=2140,W=2193:2,S)
> >>> > >> failed: Private key not available: Cannot decrypt key
> >>> > >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870:
> >>> > >> Cannot
> >>> > >> decrypt key
> >>> > >> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8:
> >>> > >> Password not available
> >>> > >> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com dovecot:
> >>> > >> imap(max.kosti...@gmail.com)<22267><59cRjt3Wbtx/AAAB>: Disconnected:
> >>> > >> FETCH failed: Mailbox INBOX: UID=1: read() failed:
> >>> > >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.dev-message-portal-08.healthycareservice.com,S=2140,W=2193:2,S)
> >>> > >> failed: Private key not available: Cannot decrypt key
> >>> > >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870:
> >>> > >> Cannot
> >>> > >> decrypt key
> >>> > >> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8:
> >>> > >> Password not available in=463 out=1872 deleted=0 expunged=0 trashed=0
> >>> > >> hdr_count=1 hdr_bytes=115 body_count=0 body_bytes=0
> >>> > >>
> >>> > >>
> >>> > >> > Aki Tuomi wrote 2022-01-31 11:33:
> >>> > >> > try adding
> >>> > >> >
> >>> > >> > result_success = continue-ok
> >>> > >> >
> >>> > >> > to the oauth2 database.
> >>> > >> >
> >>> > >> > Aki
> >>> > >> >
> >>> > >> >> On 31/01/2022 11:27 Max Kostikov  wrote:
> >>> > >> >>
> >>> > >> >>
> >>> > >> >> Aki, thanks for your hint.
> >>> > >> >> Unfortunately I can't get this to work.
> >>> > >> >> Here is my configuration.
> >>> > >> >>
> >>> > >> >> auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
> >>> > >> >> passdb {
> >>> > >> >>driver = oauth2
> >>> > >> >>mechanisms = xoauth2 oauthbearer
> >>> > >> >>args = /etc/dovecot/dovecot-oauth2.conf.ext
> >>> > >> >> }
> >>> > >> >> passdb {
> >>> > >> >>driver = sql
> >>> > >> >>skip = unauthenticated
> >>> > >> >>args = /etc/dovecot/dovecot-sql-encryption.conf.ext
> >>> > >> >> }
> >>> > >> >> passdb {
> >>> > >>

Re: Set mail crypt private password with OAUTH?

2022-01-31 Thread Aki Tuomi
In fact now that I looked through your configs once more, this is already what 
you are doing, except you are exporting the private key password in three 
different places.

So basically, if you do `doveadm user foobar` it should already give you a 
correct key.

You can see if the key is correct with `doveadm mailbox cryptokey export -u 
user -U`

Aki

> On 31/01/2022 12:03 Aki Tuomi  wrote:
> 
>  
> Hgm. You have userdb lookups enabled, why not just move the entire 
> mail_crypt_private_password handling there instead of passdb? This way it'll 
> work with LMTP/LDA as well.
> 
> So move all user related fields to the userdb lookup, and keep only the 
> authentication handling in passdb.
> 
> In your configuration, passdb lookups are not done for LMTP/LDA etc.
> 
> Aki
> 
> > On 31/01/2022 12:00 Max Kostikov  wrote:
> > 
> >  
> > Unfortunately there are no "master out" entries in the log, but I have 
> > "userdb out"
> > 
> > Jan 31 09:56:40 example.com dovecot: auth: Debug: master userdb out: 
> > USER#0111609564161#011max.kosti...@gmail.com#011home=/var/vmail/gmail.com/max.kostikov/#011mail=maildir:/var/vmail/gmail.com/max.kostikov/#011uid=150#011gid=8#011quota=dirsize:storage=0#011userdb_mail_crypt_private_password=#011auth_mech=XOAUTH2#011auth_token=a8a38b3119780448ae96debd5687df75f5043378
> > 
> > 
> > Aki Tuomi wrote 2022-01-31 11:47:
> > > Was the field present in the auth debug logs? It should be shown in the
> > > "master out" log line and also it should be visible on mail_debug=yes
> > > logs as `plugin/mail_crypt_private_key_password`.
> > > 
> > > Aki
> > > 
> > >> On 31/01/2022 11:40 Max Kostikov  wrote:
> > >> 
> > >> 
> > >> Unfortunately I still get a decryption error with "Password not
> > >> available"
> > >> 
> > >> ...
> > >> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com dovecot:
> > >> imap(max.kosti...@gmail.com)<22267><59cRjt3Wbtx/AAAB>: Error: Mailbox
> > >> INBOX: UID=1: read() failed:
> > >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.dev-message-portal-08.healthycareservice.com,S=2140,W=2193:2,S)
> > >> failed: Private key not available: Cannot decrypt key
> > >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870: 
> > >> Cannot
> > >> decrypt key
> > >> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8:
> > >> Password not available
> > >> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com dovecot:
> > >> imap(max.kosti...@gmail.com)<22267><59cRjt3Wbtx/AAAB>: Disconnected:
> > >> FETCH failed: Mailbox INBOX: UID=1: read() failed:
> > >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.dev-message-portal-08.healthycareservice.com,S=2140,W=2193:2,S)
> > >> failed: Private key not available: Cannot decrypt key
> > >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870: 
> > >> Cannot
> > >> decrypt key
> > >> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8:
> > >> Password not available in=463 out=1872 deleted=0 expunged=0 trashed=0
> > >> hdr_count=1 hdr_bytes=115 body_count=0 body_bytes=0
> > >> 
> > >> 
> > >> > Aki Tuomi wrote 2022-01-31 11:33:
> > >> > try adding
> > >> >
> > >> > result_success = continue-ok
> > >> >
> > >> > to the oauth2 database.
> > >> >
> > >> > Aki
> > >> >
> > >> >> On 31/01/2022 11:27 Max Kostikov  wrote:
> > >> >>
> > >> >>
> > >> >> Aki, thanks for your hint.
> > >> >> Unfortunately I can't get this to work.
> > >> >> Here is my configuration.
> > >> >>
> > >> >> auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
> > >> >> passdb {
> > >> >>driver = oauth2
> > >> >>mechanisms = xoauth2 oauthbearer
> > >> >>args = /etc/dovecot/dovecot-oauth2.conf.ext
> > >> >> }
> > >> >> passdb {
> > >> >>driver = sql
> > >> >>skip = unauthenticated
> > >> >>args = /etc/dovecot/dovecot-sql-encryption.conf.ext
> > >> >> }
> > >> >> passdb {
> > >> >>skip = authenticated
> > >> >>driver = sql
> > >> >>args = /etc/dovecot/dovecot-sql.conf.ext
> > >> >> }
> > >> >> userdb {
> > >> >>driver = sql
> > >> >>args = /etc/dovecot/dovecot-sql.conf.ext
> > >> >> }
> > >> >>
> > >> >> * In the dovecot-oauth2.conf.ext I have typical Google configuration.
> > >> >>
> > >> >> * dovecot-sql-encryption.conf.ext contains only SQL query for
> > >> >> password:
> > >> >>
> > >> >> password_query = \
> > >> >>SELECT \
> > >> >>150 AS userdb_uid, 8 AS userdb_gid, \
> > >> >>SHA2(CONCAT(username, random_key), 256) AS
> > >> >> userdb_mail_crypt_private_password, \
> > >> >>'Y' AS noauthenticate \
> > >> >>FROM mailbox WHERE username = '%u'
> > >> >>
> > >> >> * dovecot-sql.conf.ext contains normal password authentication
> > >> >> queries:
> > >> >>
> > >> >> password_query = \
> > >> >>SELECT username AS user, password, \
> > >> >>150 AS userdb_uid, 8 AS userdb_gid, \
> > >> >>SHA2(CONCAT(username, random_key), 256) AS
> > >> >> userdb_mail_crypt_private_password \
> > >> >>FROM mail

Re: Set mail crypt private password with OAUTH?

2022-01-31 Thread Aki Tuomi
Hgm. You have userdb lookups enabled, why not just move the entire 
mail_crypt_private_password handling there instead of passdb? This way it'll 
work with LMTP/LDA as well.

So move all user related fields to the userdb lookup, and keep only the 
authentication handling in passdb.

In your configuration, passdb lookups are not done for LMTP/LDA etc.

Aki

> On 31/01/2022 12:00 Max Kostikov  wrote:
> 
>  
> Unfortunately there are no "master out" entries in the log, but I have 
> "userdb out"
> 
> Jan 31 09:56:40 example.com dovecot: auth: Debug: master userdb out: 
> USER#0111609564161#011max.kosti...@gmail.com#011home=/var/vmail/gmail.com/max.kostikov/#011mail=maildir:/var/vmail/gmail.com/max.kostikov/#011uid=150#011gid=8#011quota=dirsize:storage=0#011userdb_mail_crypt_private_password=#011auth_mech=XOAUTH2#011auth_token=a8a38b3119780448ae96debd5687df75f5043378
> 
> 
> Aki Tuomi wrote 2022-01-31 11:47:
> > Was the field present in the auth debug logs? It should be shown in the
> > "master out" log line and also it should be visible on mail_debug=yes
> > logs as `plugin/mail_crypt_private_key_password`.
> > 
> > Aki
> > 
> >> On 31/01/2022 11:40 Max Kostikov  wrote:
> >> 
> >> 
> >> Unfortunately I still get a decryption error with "Password not
> >> available"
> >> 
> >> ...
> >> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com dovecot:
> >> imap(max.kosti...@gmail.com)<22267><59cRjt3Wbtx/AAAB>: Error: Mailbox
> >> INBOX: UID=1: read() failed:
> >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.dev-message-portal-08.healthycareservice.com,S=2140,W=2193:2,S)
> >> failed: Private key not available: Cannot decrypt key
> >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870: 
> >> Cannot
> >> decrypt key
> >> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8:
> >> Password not available
> >> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com dovecot:
> >> imap(max.kosti...@gmail.com)<22267><59cRjt3Wbtx/AAAB>: Disconnected:
> >> FETCH failed: Mailbox INBOX: UID=1: read() failed:
> >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.dev-message-portal-08.healthycareservice.com,S=2140,W=2193:2,S)
> >> failed: Private key not available: Cannot decrypt key
> >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870: 
> >> Cannot
> >> decrypt key
> >> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8:
> >> Password not available in=463 out=1872 deleted=0 expunged=0 trashed=0
> >> hdr_count=1 hdr_bytes=115 body_count=0 body_bytes=0
> >> 
> >> 
> >> > Aki Tuomi wrote 2022-01-31 11:33:
> >> > try adding
> >> >
> >> > result_success = continue-ok
> >> >
> >> > to the oauth2 database.
> >> >
> >> > Aki
> >> >
> >> >> On 31/01/2022 11:27 Max Kostikov  wrote:
> >> >>
> >> >>
> >> >> Aki, thanks for your hint.
> >> >> Unfortunately I can't get this to work.
> >> >> Here is my configuration.
> >> >>
> >> >> auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
> >> >> passdb {
> >> >>driver = oauth2
> >> >>mechanisms = xoauth2 oauthbearer
> >> >>args = /etc/dovecot/dovecot-oauth2.conf.ext
> >> >> }
> >> >> passdb {
> >> >>driver = sql
> >> >>skip = unauthenticated
> >> >>args = /etc/dovecot/dovecot-sql-encryption.conf.ext
> >> >> }
> >> >> passdb {
> >> >>skip = authenticated
> >> >>driver = sql
> >> >>args = /etc/dovecot/dovecot-sql.conf.ext
> >> >> }
> >> >> userdb {
> >> >>driver = sql
> >> >>args = /etc/dovecot/dovecot-sql.conf.ext
> >> >> }
> >> >>
> >> >> * In the dovecot-oauth2.conf.ext I have typical Google configuration.
> >> >>
> >> >> * dovecot-sql-encryption.conf.ext contains only SQL query for
> >> >> password:
> >> >>
> >> >> password_query = \
> >> >>SELECT \
> >> >>150 AS userdb_uid, 8 AS userdb_gid, \
> >> >>SHA2(CONCAT(username, random_key), 256) AS
> >> >> userdb_mail_crypt_private_password, \
> >> >>'Y' AS noauthenticate \
> >> >>FROM mailbox WHERE username = '%u'
> >> >>
> >> >> * dovecot-sql.conf.ext contains normal password authentication
> >> >> queries:
> >> >>
> >> >> password_query = \
> >> >>SELECT username AS user, password, \
> >> >>150 AS userdb_uid, 8 AS userdb_gid, \
> >> >>SHA2(CONCAT(username, random_key), 256) AS
> >> >> userdb_mail_crypt_private_password \
> >> >>FROM mailbox WHERE username = '%u'
> >> >>AND active = '1'
> >> >>
> >> >> user_query = \
> >> >>SELECT \
> >> >>CONCAT('/var/vmail/', LCASE(maildir)) AS home, \
> >> >>CONCAT('maildir:/var/vmail/', LCASE(maildir)) AS mail, \
> >> >>150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota, \
> >> >>SHA2(CONCAT(username, random_key), 256) AS
> >> >> userdb_mail_crypt_private_password \
> >> >>FROM mailbox WHERE username = '%u'
> >> >>AND active = '1'
> >> >>
> >> >> iterate_query = \
> >> >>SELECT username AS user FROM mailbox
> >> >>
> >> >> It seems now dovecot-sql-encryption.conf.ext is not i

Re: Set mail crypt private password with OAUTH?

2022-01-31 Thread Aki Tuomi
Was the field present in the auth debug logs? It should be shown in the "master 
out" log line and also it should be visible on mail_debug=yes logs as 
`plugin/mail_crypt_private_key_password`.

Aki

> On 31/01/2022 11:40 Max Kostikov  wrote:
> 
>  
> Unfortunately I still get a decryption error with "Password not 
> available"
> 
> ...
> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com dovecot: 
> imap(max.kosti...@gmail.com)<22267><59cRjt3Wbtx/AAAB>: Error: Mailbox 
> INBOX: UID=1: read() failed: 
> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.dev-message-portal-08.healthycareservice.com,S=2140,W=2193:2,S)
>  
> failed: Private key not available: Cannot decrypt key 
> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870: Cannot 
> decrypt key 
> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8: 
> Password not available
> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com dovecot: 
> imap(max.kosti...@gmail.com)<22267><59cRjt3Wbtx/AAAB>: Disconnected: 
> FETCH failed: Mailbox INBOX: UID=1: read() failed: 
> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.dev-message-portal-08.healthycareservice.com,S=2140,W=2193:2,S)
>  
> failed: Private key not available: Cannot decrypt key 
> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870: Cannot 
> decrypt key 
> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8: 
> Password not available in=463 out=1872 deleted=0 expunged=0 trashed=0 
> hdr_count=1 hdr_bytes=115 body_count=0 body_bytes=0
> 
> 
> Aki Tuomi wrote 2022-01-31 11:33:
> > try adding
> > 
> > result_success = continue-ok
> > 
> > to the oauth2 database.
> > 
> > Aki
> > 
> >> On 31/01/2022 11:27 Max Kostikov  wrote:
> >> 
> >> 
> >> Aki, thanks for your hint.
> >> Unfortunately I can't get this to work.
> >> Here is my configuration.
> >> 
> >> auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
> >> passdb {
> >>driver = oauth2
> >>mechanisms = xoauth2 oauthbearer
> >>args = /etc/dovecot/dovecot-oauth2.conf.ext
> >> }
> >> passdb {
> >>driver = sql
> >>skip = unauthenticated
> >>args = /etc/dovecot/dovecot-sql-encryption.conf.ext
> >> }
> >> passdb {
> >>skip = authenticated
> >>driver = sql
> >>args = /etc/dovecot/dovecot-sql.conf.ext
> >> }
> >> userdb {
> >>driver = sql
> >>args = /etc/dovecot/dovecot-sql.conf.ext
> >> }
> >> 
> >> * In the dovecot-oauth2.conf.ext I have typical Google configuration.
> >> 
> >> * dovecot-sql-encryption.conf.ext contains only SQL query for 
> >> password:
> >> 
> >> password_query = \
> >>SELECT \
> >>150 AS userdb_uid, 8 AS userdb_gid, \
> >>SHA2(CONCAT(username, random_key), 256) AS
> >> userdb_mail_crypt_private_password, \
> >>'Y' AS noauthenticate \
> >>FROM mailbox WHERE username = '%u'
> >> 
> >> * dovecot-sql.conf.ext contains normal password authentication 
> >> queries:
> >> 
> >> password_query = \
> >>SELECT username AS user, password, \
> >>150 AS userdb_uid, 8 AS userdb_gid, \
> >>SHA2(CONCAT(username, random_key), 256) AS
> >> userdb_mail_crypt_private_password \
> >>FROM mailbox WHERE username = '%u'
> >>AND active = '1'
> >> 
> >> user_query = \
> >>SELECT \
> >>CONCAT('/var/vmail/', LCASE(maildir)) AS home, \
> >>CONCAT('maildir:/var/vmail/', LCASE(maildir)) AS mail, \
> >>150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota, \
> >>SHA2(CONCAT(username, random_key), 256) AS
> >> userdb_mail_crypt_private_password \
> >>FROM mailbox WHERE username = '%u'
> >>AND active = '1'
> >> 
> >> iterate_query = \
> >>SELECT username AS user FROM mailbox
> >> 
> >> It seems now dovecot-sql-encryption.conf.ext is not invoked
> >> 
> >> Jan 31 09:11:45 example.com dovecot: imap-login: Login:
> >> user=, method=XOAUTH2, rip=127.0.0.1,
> >> lip=127.0.0.1, mpid=22615, TLS, session=
> >> Jan 31 09:11:45 example.com dovecot: auth: Debug: client in:
> >> AUTH#0111#011XOAUTH2#011service=imap#011secured=tls#011session=56F7LN3Wnsl/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=51614#011local_name=example.com#011resp=
> >> Jan 31 09:11:45 example.com dovecot: auth: Debug:
> >> oauth2(f...@gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Performing passdb
> >> lookup
> >> Jan 31 09:11:45 example.com dovecot: auth: Debug:
> >> oauth2(f...@gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Making token
> >> validation lookup to
> >> https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=
> >> Jan 31 09:11:45 example.com dovecot: auth: Debug: http-client[1]: 
> >> queue
> >> https://www.googleapis.com:443: Using existing connection to
> >> 172.253.63.95:443 (SSL=www.googleapis.com) (1 requests pending)
> >> Jan 31 09:11:46 example.com dovecot: auth: Debug: http-client[1]:
> >> request [Req9: GET
> >> https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItC

Re: Set mail crypt private password with OAUTH?

2022-01-31 Thread Aki Tuomi
try adding

result_success = continue-ok

to the oauth2 database.

Aki

> On 31/01/2022 11:27 Max Kostikov  wrote:
> 
>  
> Aki, thanks for your hint.
> Unfortunately I can't get this to work.
> Here is my configuration.
> 
> auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
> passdb {
>driver = oauth2
>mechanisms = xoauth2 oauthbearer
>args = /etc/dovecot/dovecot-oauth2.conf.ext
> }
> passdb {
>driver = sql
>skip = unauthenticated
>args = /etc/dovecot/dovecot-sql-encryption.conf.ext
> }
> passdb {
>skip = authenticated
>driver = sql
>args = /etc/dovecot/dovecot-sql.conf.ext
> }
> userdb {
>driver = sql
>args = /etc/dovecot/dovecot-sql.conf.ext
> }
> 
> * In the dovecot-oauth2.conf.ext I have typical Google configuration.
> 
> * dovecot-sql-encryption.conf.ext contains only SQL query for password:
> 
> password_query = \
>SELECT \
>150 AS userdb_uid, 8 AS userdb_gid, \
>SHA2(CONCAT(username, random_key), 256) AS 
> userdb_mail_crypt_private_password, \
>'Y' AS noauthenticate \
>FROM mailbox WHERE username = '%u'
> 
> * dovecot-sql.conf.ext contains normal password authentication queries:
> 
> password_query = \
>SELECT username AS user, password, \
>150 AS userdb_uid, 8 AS userdb_gid, \
>SHA2(CONCAT(username, random_key), 256) AS 
> userdb_mail_crypt_private_password \
>FROM mailbox WHERE username = '%u'
>AND active = '1'
> 
> user_query = \
>SELECT \
>CONCAT('/var/vmail/', LCASE(maildir)) AS home, \
>CONCAT('maildir:/var/vmail/', LCASE(maildir)) AS mail, \
>150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota, \
>SHA2(CONCAT(username, random_key), 256) AS 
> userdb_mail_crypt_private_password \
>FROM mailbox WHERE username = '%u'
>AND active = '1'
> 
> iterate_query = \
>SELECT username AS user FROM mailbox
> 
> It seems now dovecot-sql-encryption.conf.ext is not invoked
> 
> Jan 31 09:11:45 example.com dovecot: imap-login: Login: 
> user=, method=XOAUTH2, rip=127.0.0.1, 
> lip=127.0.0.1, mpid=22615, TLS, session=
> Jan 31 09:11:45 example.com dovecot: auth: Debug: client in: 
> AUTH#0111#011XOAUTH2#011service=imap#011secured=tls#011session=56F7LN3Wnsl/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=51614#011local_name=example.com#011resp=
> Jan 31 09:11:45 example.com dovecot: auth: Debug: 
> oauth2(f...@gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Performing passdb 
> lookup
> Jan 31 09:11:45 example.com dovecot: auth: Debug: 
> oauth2(f...@gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Making token 
> validation lookup to 
> https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=
> Jan 31 09:11:45 example.com dovecot: auth: Debug: http-client[1]: queue 
> https://www.googleapis.com:443: Using existing connection to 
> 172.253.63.95:443 (SSL=www.googleapis.com) (1 requests pending)
> Jan 31 09:11:46 example.com dovecot: auth: Debug: http-client[1]: 
> request [Req9: GET 
> https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bkFCT7jKqd5UHWXrRIAdqS0ksDCI]:
>  
> Submitted (requests left=1)
> Jan 31 09:11:46 example.com dovecot: auth: Debug: http-client[1]: peer 
> 172.253.63.95:443: Using 1 idle connections to handle 1 requests (1 
> total connections ready)
> Jan 31 09:11:46 example.com dovecot: auth: Debug: http-client[1]: queue 
> https://www.googleapis.com:443: Connection to peer 172.253.63.95:443 
> claimed request [Req9: GET 
> https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bkFCT7jKqd5UHWXrRIAdqS0ksDCI]
> Jan 31 09:11:46 example.com dovecot: auth: Debug: http-client: conn 
> 172.253.63.95:443 [1]: Claimed request [Req9: GET 
> https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bkFCT7jKqd5UHWXrRIAdqS0ksDCI]
> Jan 31 09:11:46 example.com dovecot: auth: Debug: http-client[1]: 
> request [Req9: GET 
> https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bkFCT7jKqd5UHWXrRIAdqS0ksDCI]:
>  
> Sent header
> Jan 31 09:11:46 example.com dovecot: auth: Debug: http-client[1]: peer 
> 172.253.63.95:443: No more requests to service for this peer (1 
> connections exist, 0 pending)
> Jan 31 09:11:46 example.com dovecot: auth: Debug: http-client: conn 
> 172.253.63.95:443 [1]: Got 200 response for request [Req9: GET 
> https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bk

Re: Set mail crypt private password with OAUTH?

2022-01-30 Thread Aki Tuomi


> On 28/01/2022 21:27 Max Kostikov  wrote:
> 
>  
> We currently use Dovecot and mailbox encryption via the 
> mail-crypt-plugin.
> With standard password authentication, we set the value of the 
> individual
> password to encrypt the contents of the 
> userdb_mail_crypt_private_password
> mailbox in the SQL query.
> Is it possible to set the userdb_mail_crypt_private_password value when
> authenticating via OAUTH2 ?
> 
> -- 
> Best regards,
> Max Kostikov

You probably want to split your passdb drivers into two, one which does the 
authentication and a second which populates the private password value. This way 
it should work correctly in both cases.

passdb {
 driver = sql
 skip = unauthenticated
 ...
}

and ensure you return `'Y' as noauthenticate` in this sql query

Aki
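Putting Aki's replies in this thread together, here is a consolidated layout as an added example; it is not Max's configuration and nothing in the thread confirms it as the final working setup. The oauth2 and password passdbs do only authentication, and the userdb supplies everything the mail process needs, with the mail-crypt password returned as plain `mail_crypt_private_password` (the `userdb_` prefix belongs only in passdb or passwd-file queries, as Aki's last reply says). Table and column names (`mailbox`, `username`, `password`, `random_key`, `maildir`, `quota`, `active`), the uid/gid values and the file paths are taken from what Max posted; the `mail_plugins` line and the omitted `driver =` / `connect =` lines of the SQL file are assumptions, not shown anywhere in the thread.

```conf
# --- dovecot.conf excerpt (constructed example, not the poster's config) ---
auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
# Assumed: mail_crypt is loaded somewhere; the thread never shows this line.
mail_plugins = $mail_plugins mail_crypt

# 1. OAuth2 token validation: authentication only, no user fields returned.
passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}

# 2. Regular password authentication: authentication only. Skipped when
#    the oauth2 passdb has already authenticated the user.
passdb {
  driver = sql
  skip = authenticated
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# 3. All per-user fields (home, mail, uid/gid, quota and the mail-crypt
#    private password) come from userdb, so IMAP, LMTP and LDA all receive
#    them whichever passdb authenticated the session, and also when no
#    passdb lookup happens at all (Aki: LMTP/LDA do none).
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# --- /etc/dovecot/dovecot-sql.conf.ext (constructed example) ---
# driver = and connect = lines omitted here, as they were in the thread.

# passdb side: only what authentication needs. Fields meant for the mail
# process would carry the userdb_ prefix in this query, but none are
# needed because userdb supplies them.
password_query = \
  SELECT username AS user, password \
  FROM mailbox WHERE username = '%u' AND active = '1'

# userdb side: no userdb_ prefix on any field. Naming the mail-crypt field
# userdb_mail_crypt_private_password here is the mistake Aki pointed out;
# Max's "master userdb out" debug line shows that prefixed field with an
# empty value.
user_query = \
  SELECT \
    CONCAT('/var/vmail/', LCASE(maildir)) AS home, \
    CONCAT('maildir:/var/vmail/', LCASE(maildir)) AS mail, \
    150 AS uid, 8 AS gid, \
    CONCAT('dirsize:storage=', quota) AS quota, \
    SHA2(CONCAT(username, random_key), 256) AS mail_crypt_private_password \
  FROM mailbox WHERE username = '%u' AND active = '1'

iterate_query = \
  SELECT username AS user FROM mailbox
```

To check the result, use the commands Aki gives above: `doveadm user <user>` should list `mail_crypt_private_password` with a non-empty value, and with `mail_debug=yes` the auth debug `master userdb out` line should carry the same field without the `userdb_` prefix, unlike the line Max posted where `userdb_mail_crypt_private_password=` is empty. The passdb-only alternative from Aki's first reply (a separate sql passdb with `skip = unauthenticated` returning `'Y' AS noauthenticate` together with the `userdb_`-prefixed field, plus `result_success = continue-ok` on the oauth2 passdb so the lookup continues to it) keeps the prefix, because there the field is a passdb extra field; but since LMTP/LDA do no passdb lookup, deliveries would not see it, which is why the userdb placement is the one shown here.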