1

Topic: Possible to call a user script on user modification/creation?

I'm planning to migrate to a per user fully encrypted setup using the mail-crypt plugin provided by dovecot.

For this to work and be maintenance free (or light) I'd need to call a shell script post user modification or creation, passing username and password.
Do such hooks currently exist?


2

Re: Possible to call a user script on user modification/creation?

*) Call shell script from iRedAdmin?
*) Why passing password?

3 (edited by gizah 2017-10-14 01:39:32)

Re: Possible to call a user script on user modification/creation?

The way it would be set up is that dovecot encrypts the stored mail with a public/private key system.

On user creation a command (doveadm) has to be given to dovecot to create the keypair and lock/encrypt the private key using the user's (cleartext) password.

This way incoming mail is encrypted using the public key from the user.

Then if a user logs in using IMAP or POP3 dovecot passes the cleartext password to the encryption plugin which unlocks/decrypts the private key and proceeds to make the mail readable, as well as decrypting fts userstore.

If the user's password is modified doveadm needs to be run again, this time both the old and new password are required to be successful in re-encrypting the private key using the new password (unlock private key using old password -> private key -> lock again using new password).

Obviously if a user forgets their password all their mail is lost, there is no way to recover without exploiting weaknesses in the algorithm (that don't exist as far as we know) or brute-forcing.

So for this to work I would need to have a way to pass the plaintext passwords to a shell script.

-edit- if such facilities exist and are reasonably accessible I'll write some scripts and a guide after testing and validating the setup
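
The two doveadm steps described in the post above (key generation on user creation, re-locking the private key on password change), as an added example that is not part of the original thread and is not iRedAdmin-Pro code. The function names, the username pattern and the exact doveadm arguments are assumptions to check against `doveadm mailbox cryptokey` on the installed Dovecot version.

```python
import re
import subprocess

DOVEADM = "doveadm"  # assumption: on PATH for the account that runs the hook

# Conservative user@domain check (assumed account format). A name starting
# with "-" is rejected so it can never be parsed as a doveadm option.
_USER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9][A-Za-z0-9.-]*")


def _check(user, *passwords):
    if not _USER_RE.fullmatch(user):
        raise ValueError("refusing unsafe username: %r" % user)
    for pw in passwords:
        if not pw or "\x00" in pw:
            raise ValueError("empty or unusable password")


def keygen_argv(user, password):
    """argv that creates the user keypair, private key locked with password."""
    _check(user, password)
    # Assumed form: plugin setting override plus "cryptokey generate -U".
    return [DOVEADM, "-o", "plugin/mail_crypt_private_password=" + password,
            "mailbox", "cryptokey", "generate", "-u", user, "-U"]


def rekey_argv(user, old_password, new_password):
    """argv that unlocks with the old password and re-locks with the new one."""
    _check(user, old_password, new_password)
    # Assumed form: "cryptokey password" with -o (old) and -n (new).
    return [DOVEADM, "mailbox", "cryptokey", "password", "-u", user,
            "-o", old_password, "-n", new_password]


def run(argv):
    """Execute without a shell, so password characters are never shell-parsed.

    The password is still an argv element and is readable by other local
    users in the process list while doveadm runs.
    """
    res = subprocess.run(argv, stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE, timeout=60)
    if res.returncode != 0:
        # Never log argv or raw output here: argv contains the password.
        raise RuntimeError("doveadm exited with status %d" % res.returncode)
    return True
```
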

4

Re: Possible to call a user script on user modification/creation?

iRedAdmin-Pro OpenLDAP edition implements a few hooks you can use, one of them is: hook_after_creating_user. But no hook support for updating password YET.

I'm ok to implement the hook with iRedAdmin-Pro for you, this encrypt/decrypt mech might be useful to other users too.

Note: iRedAdmin open source edition doesn't support hooks.

# What are hooks

Hooks are custom functions defined in the file `hooks.py` (under the same
directory as `settings.py`). They are used to perform some operations without
modifying iRedAdmin-Pro source code; this way it's easier to maintain your own
customizations.