1

Topic: Encrypted emails greyed out in SOGO

Hi,

I have installed iRedMail, configured SOGo + Dovecot mailserver. Everything was working fine out of the box. Then I added the Dovecot mail_crypt encryption plugin to the config. It seems to do the job - emails are getting encrypted, sent and received fine, stored etc. The only issue - emails are not being shown by SOGo (or to be more precise, sort of a greyed out silhouette is being shown). The number of messages/emails is being shown correctly. The only possibly related error in SOGo logs was this: [ERROR] <0x0x55f5a316b440[NGImap4Connection]> Error fetching 3 uids for url: imaps://(account/server data). Any ideas?


2

Re: Encrypted emails greyed out in SOGO

No idea at all. Did you try to restart SOGo + Memcached services?

P.S. I saw your post in SOGo mailing list too.

3

Re: Encrypted emails greyed out in SOGO

Yep, that was the first thing we tried...restart didn't help though... I tried sending some more test emails - the number of messages changes, reflecting the correct number of messages on the server, but SOGo fails to read them it seems.

4

Re: Encrypted emails greyed out in SOGO

Did you try other webmail (e.g. Roundcube) or desktop MUA? Do they work?

5

Re: Encrypted emails greyed out in SOGO

ZhangHuangbin wrote:

Did you try other webmail (e.g. Roundcube) or desktop MUA? Do they work?

Is it safe to install Roundcube from my OS's repo? I haven't selected the option to install Roundcube during iRedMail setup.

Windows default mail client software gives out this error: Something went wrong. We're having a problem downloading messages. Try again later.

6

Re: Encrypted emails greyed out in SOGO

SERVERIA wrote:

Is it safe to install Roundcube from my OS's repo?

Didn't test this at all, iRedMail uses the "-complete" source tarball from Roundcube website.

SERVERIA wrote:

Windows default mail client software gives out this error: Something went wrong. We're having a problem downloading messages. Try again later.

Any error in /var/log/dovecot/*.log on iRedMail server?

7

Re: Encrypted emails greyed out in SOGO

ZhangHuangbin wrote:
SERVERIA wrote:

Is it safe to install Roundcube from my OS's repo?

Didn't test this at all, iRedMail uses the "-complete" source tarball from Roundcube website.

SERVERIA wrote:

Windows default mail client software gives out this error: Something went wrong. We're having a problem downloading messages. Try again later.

Any error in /var/log/dovecot/*.log on iRedMail server?

Only error which is getting logged is this: failed: Private key not available: Cannot decrypt key ### Cannot decrypt key ### <8632: Password not available (FETCH RFC822.HEADER)

I did create the private key using this command:

doveadm -o plugin/mail_crypt_private_password=12345 mailbox cryptokey generate -u mail@example.org -URf

(note it's dummy data in password/mailbox fields)

8

Re: Encrypted emails greyed out in SOGO

The error is clear. Is dovecot configured to use the correct private key path?

9

Re: Encrypted emails greyed out in SOGO

ZhangHuangbin wrote:

The error is clear. Is dovecot configured to use the correct private key path?

Where should the path be configured? Is it dovecot.conf? I followed this tutorial closely: https://doc.dovecot.org/configuration_m … t_plugin/. The path is not mentioned there, just these lines:

mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_plugins = $mail_plugins mail_crypt

plugin {
  mail_crypt_curve = secp521r1
  mail_crypt_save_version = 2
  mail_crypt_require_encrypted_user_key = yes
}

Where exactly should the path be specified? I guess some sort of default value is being used?

10

Re: Encrypted emails greyed out in SOGO

Seems you read half of the tutorial but not all of it :(
If you use per-user encrypt key, then make sure you have the key in user_db lookup result. If you use global key, then you should have settings in dovecot.conf like below. All mentioned in your link.

plugin {
  mail_crypt_global_private_key = <rsaprivkey.pem
  mail_crypt_global_private_password = qwerty
  mail_crypt_global_public_key = <rsapubkey.pem
  mail_crypt_save_version = 2
}

11

Re: Encrypted emails greyed out in SOGO

ZhangHuangbin wrote:

Seems you read half of the tutorial but not all of it :(
If you use per-user encrypt key, then make sure you have the key in user_db lookup result. If you use global key, then you should have settings in dovecot.conf like below. All mentioned in your link.

plugin {
  mail_crypt_global_private_key = <rsaprivkey.pem
  mail_crypt_global_private_password = qwerty
  mail_crypt_global_public_key = <rsapubkey.pem
  mail_crypt_save_version = 2
}

I'm aware of this. I'm trying to use per-user keys. And it seems there is some issue with the query, it can't fetch the password:

password_query = SELECT \
  username as user, password, \
  '%w' AS userdb_mail_crypt_private_password \
  FROM mailbox  WHERE username='%u';

If I run it from mysql prompt it returns 0 lines although the table is populated. So is it something wrong with the query? The structure is as follows: db name is vmail, table name is mailbox, column names are username and password.
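Added example, not part of the original thread: the password_query in the post above is a Dovecot template, in which %u (login name) and %w (the plaintext password the client sent) are filled in by Dovecot before the SQL reaches the database, so pasting the template into a SQL prompt compares username with the literal string '%u'. The sketch below assumes a simplified model of that expansion and a constructed in-memory SQLite table standing in for vmail.mailbox; `expand`, `make_db` and `rows` are hypothetical helper names.

```python
import sqlite3

# The password_query from the post as a Dovecot template (continuations joined).
TEMPLATE = (
    "SELECT username AS user, password, "
    "'%w' AS userdb_mail_crypt_private_password "
    "FROM mailbox WHERE username='%u'"
)


def expand(template: str, user: str, password: str) -> str:
    """Simplified model of Dovecot's expansion: %u = login name, %w = the
    plaintext password presented at login. Single pass, so a password that
    itself contains "%u" is not expanded again; quotes are SQL-escaped."""
    values = {"u": user, "w": password}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and template[i + 1:i + 2] in values:
            out.append(values[template[i + 1]].replace("'", "''"))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for vmail.mailbox (SQLite instead of MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailbox (username TEXT, password TEXT)")
    db.execute("INSERT INTO mailbox VALUES (?, ?)",
               ("mail@example.org", "{SSHA512}constructed-hash"))
    return db


def rows(db: sqlite3.Connection, sql: str) -> list:
    return db.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(rows(db, TEMPLATE))  # raw template: no row matches '%u'
    print(rows(db, expand(TEMPLATE, "mail@example.org", "12345")))
```

The third column of the expanded result is the password typed at login, which is what Dovecot receives as mail_crypt_private_password for that session.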

12 (edited by SERVERIA 2022-08-30 05:40:13)

Re: Encrypted emails greyed out in SOGO

I have discussed this with Dovecot support. According to them the issue is due to Dovecot users being master users (master_user). Here's what they said:

"If you are logging as master_user, there will be different password
than normal user. Usually. With your setup, you can only access user's
mail if you are using the exact same password that the user was using.

Your logs seem to indicate that you are logging as master_user, so you
are probably unable to access mails."

I have never specified anywhere that newly created users should be master users. Does that mean iRedMail is creating all new users as master users? Is there any way to avoid it or remove the master_user flag? Please comment.

UPDATE: /etc/dovecot/dovecot-master-users file doesn't contain my user's data

UPDATE #2: it seems that master_user is being added to every mail user for no reason (from Dovecot log): Debug: Added userdb setting: plugin/master_user=myuser@mydomain.xyz

13

Re: Encrypted emails greyed out in SOGO

Remove "LOWER('%u') AS master_user," from "user_query =" in /etc/dovecot/dovecot.conf and try again:
https://github.com/iredmail/iRedMail/bl … l.conf#L18

14

Re: Encrypted emails greyed out in SOGO

There is no "user_query =" in /etc/dovecot/dovecot.conf

15

Re: Encrypted emails greyed out in SOGO

My bad, it's /etc/dovecot/dovecot-mysql.conf.

16

Re: Encrypted emails greyed out in SOGO

Hi,

Ok, I removed the line you suggested but it doesn't seem to work. Dovecot support replied with this:

"Your logs indicate that you are, still, using master userdb. This will not work. You cannot use master users with per-user encryption passwords in the way you do. If you want to use master users / master password, you must not encrypt the user key.

Maybe consider removing the master user authentication completely?"

Any suggestions?
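Added example, not part of the original thread and not Dovecot's code: a minimal model of why a user key encrypted with the user's password (mail_crypt_require_encrypted_user_key = yes) cannot be opened by a session that authenticated with a different password, as the Dovecot support reply quoted above describes. The wrapping scheme (PBKDF2 plus a SHAKE-256 keystream and an HMAC tag) is a stand-in chosen to run with the standard library only, not mail_crypt's real key format; all function names and sample values are constructed.

```python
import hashlib
import hmac
import os


def _derive(password: str, salt: bytes) -> tuple:
    """Derive an encryption key and a MAC key from the password."""
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]


def wrap_key(private_key: bytes, password: str) -> dict:
    """Encrypt the user's private key under a password (stand-in scheme)."""
    salt = os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    stream = hashlib.shake_256(enc_key).digest(len(private_key))
    ct = bytes(a ^ b for a, b in zip(private_key, stream))
    return {"salt": salt, "ct": ct, "tag": hmac.new(mac_key, ct, "sha256").digest()}


def unwrap_key(blob: dict, password: str) -> bytes:
    """Recover the private key; fails if the password is not the wrapping one."""
    enc_key, mac_key = _derive(password, blob["salt"])
    tag = hmac.new(mac_key, blob["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise PermissionError("Cannot decrypt key")
    stream = hashlib.shake_256(enc_key).digest(len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def fetch_mail(blob: dict, login_password: str) -> str:
    """Model of a FETCH: mail is readable only if the password used at login
    (what '%w' expands to in password_query) unwraps the stored key."""
    try:
        unwrap_key(blob, login_password)
        return "ok"
    except PermissionError as exc:
        return f"failed: {exc}"


if __name__ == "__main__":
    # Constructed values: key wrapped with the user's own password "12345".
    blob = wrap_key(b"constructed-private-key", "12345")
    print(fetch_mail(blob, "12345"))                 # user's own login
    print(fetch_mail(blob, "constructed-master-pw")) # master-user login
```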

17

Re: Encrypted emails greyed out in SOGO

SERVERIA wrote:

Hi,

Ok, I removed the line you suggested but it doesn't seem to work. Dovecot support replied with this:

"Your logs indicate that you are, still, using master userdb. This will not work. You cannot use master users with per-user encryption passwords in the way you do. If you want to use master users / master password, you must not encrypt the user key.

Maybe consider removing the master user authentication completely?"

Any suggestions?

Hi, any update on this issue please? I have rebuilt the entire project from scratch now, using vanilla versions of Dovecot, Postfix, webmail etc and everything works as expected: emails are getting encrypted, I'm able to send, receive and read emails in webmail. So the issue is most probably iRedMail related...