Commit 485a2b6c authored by ale

Return mail_crypt_save_version=2 on responses

parent 0f7cdc55
Pipeline #1600 passed with stages
in 1 minute and 13 seconds
......@@ -61,6 +61,13 @@ private keys from LDAP, and serve the *unencrypted* keys to Dovecot
using its [dict proxy
*NOTE* that passdb lookups using *dovecot-keylookupd* contain the
cleartext password as part of the key, which may be logged in case of
error! This is currently a huge limitation of this solution, but there
seems to be no workaround that does not involve switching to a
fork()-based solution (like the checkpassword script). That might be a
better solution long-term.
TODO: explain the lookup protocol.
# Configuration
......@@ -42,18 +42,40 @@ func (c *Config) check() error {
return c.LDAPConfig.Valid()
// The response returned to userdb lookups. It contains the user's
// public key as a global key for the mail_crypt plugin, and it sets
// mail_crypt_save_version to 2. The idea is that you would then set
// mail_crypt_save_version = 0 in the global Dovecot configuration,
// which would then disable encryption for users without encryption
// keys. For details on what this means, see
type userdbResponse struct {
PublicKey string `json:"mail_crypt_global_public_key"`
SaveVersion int `json:"mail_crypt_save_version"`
func newUserDBResponse(publicKey string) *userdbResponse {
return &userdbResponse{
PublicKey: publicKey,
SaveVersion: 2,
// The response returned to passdb lookups. We return the user's
// private key and the mail_crypt_save_version attribute as userdb
// parameters (hence the 'userdb_' prefix), and set the noauthenticate
// bit to inform Dovecot that this lookup is only meant to provide
// additional data, not authentication.
type passdbResponse struct {
PrivateKey string `json:"userdb_mail_crypt_global_private_key"`
SaveVersion int `json:"userdb_mail_crypt_save_version"`
NoAuth bool `json:"noauthenticate"`
func newPassDBResponse(privateKey string) *passdbResponse {
return &passdbResponse{
PrivateKey: privateKey,
SaveVersion: 2,
NoAuth: true,
......@@ -123,7 +145,7 @@ func (s *KeyLookupProxy) lookupUserdb(ctx context.Context, username string) (int
return nil, false, nil
log.Printf("userdb lookup for %s", username)
return &userdbResponse{PublicKey: s.b64encode(pub)}, true, nil
return newUserDBResponse(s.b64encode(pub)), true, nil
func (s *KeyLookupProxy) lookupPassdb(ctx context.Context, username, password string) (interface{}, bool, error) {
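Review bot: The zero value of `SaveVersion` is serialised as `0` because neither JSON tag has `omitempty`, and the comment above `userdbResponse` describes `0` as the setting that disables encryption. Any response built as a struct literal instead of through `newUserDBResponse` or `newPassDBResponse` would therefore turn encryption off for that user without any error, and a passdb literal would also send `noauthenticate: false`. The last hunk switches only `lookupUserdb` to the constructor, and the body of `lookupPassdb` lies outside the hunk, so please confirm it returns `newPassDBResponse(...)` and not a `&passdbResponse{...}` literal. I would also define the value once, `const mailCryptSaveVersion = 2`, and use it in both constructors in place of the bare `2`. Because `passdbResponse` carries the unencrypted private key, a one-line comment on the type saying it must never be passed to `log.Printf` or formatted with `%v` would be a useful guard for later edits.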