Ubuntu – Using ecryptfs encrypted home directories with Dovecot

Tags: dovecot, ecryptfs, pam, Ubuntu

I have set up home directory encryption on an Ubuntu 10.04 machine, but ecryptfs does not seem to be able to work with Dovecot (or CourierIMAP, etc).

After a successful IMAP login, the home directory is never mounted, and Dovecot obviously cannot find the mail directory.

I am not sure I understand how the mount is triggered, so I need some help.

Dovecot is using PAM, so I hoped that after a successful login the home directory would be mounted, but this is all I get in the logs, and the directory is not mounted:

Jan 16 02:12:37 ubuntu dovecot-auth: pam_sm_authenticate: Called
Jan 16 02:12:37 ubuntu dovecot-auth: pam_sm_authenticate: username = [username]
Jan 16 02:12:37 ubuntu dovecot-auth: Passphrase file wrapped
Jan 16 02:12:38 ubuntu dovecot-auth: Error attempting to add filename encryption key to user session keyring; rc = [1]
Jan 16 02:12:38 ubuntu dovecot: imap-login: Login: user=<username>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

If I create an SSH session and then perform IMAP login, it works (obviously) but I get this:

Jan 16 02:30:25 ubuntu dovecot-auth: pam_sm_authenticate: Called
Jan 16 02:30:25 ubuntu dovecot-auth: pam_sm_authenticate: username = [username]
Jan 16 02:30:25 ubuntu dovecot-auth: pam_sm_authenticate: /home/username is already mounted

So, it does seem like Dovecot (well, the PAM module, I guess) is trying to mount the home directory, but it either mounts and dismounts it immediately or something else happens, and I am unable to figure out that part.

I have also tried using SSHD's PAM file for Dovecot, but nothing really changed, except that I was not getting the error message ("Error attempting to add filename encryption key to user session keyring…").

On the Ubuntu community Dovecot page (https://help.ubuntu.com/community/Dovecot) there is a paragraph that says:

NOTE: Dovecot will NOT work in an encrypted directory/folder. Dovecot would just complain about permissions and won't work. One answer is to create a 2nd user account that has an unencrypted home directory. We have not tested this solution on a separate home partition, but most probably the outcome would be the same.

However, I am not sure if this is a definitive answer (and I don't understand what they mean by having a 2nd user account).

I would appreciate it if someone could tell me whether it is possible to use Dovecot (with the mail directory inside the user's home directory) with ecryptfs.

I have seen this question (and borrowed some wording from it 🙂) on Launchpad's ecryptfs questions page (but no answer to it), so it seems I am not the only one with the problem.

Thanks.

Best Answer

The problem is that pam_ecryptfs captures and uses your login passphrase to decrypt ~/.ecryptfs/wrapped-passphrase and perform your home directory mount.

Unfortunately the non-interactive dovecot pam session that you describe doesn't ever actually snag your login passphrase, so it cannot perform the mount. Sorry.
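A small diagnostic to go with the answer above, added here and not part of the original thread: it reads the text of /proc/mounts and reports whether a given home directory is currently an ecryptfs mount, and whether that mount carries the filename-encryption key option (ecryptfs_fnek_sig) that the "filename encryption key" error in the question refers to. The sample mount table and the signature values in it are constructed placeholders; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Reports the ecryptfs state of a user's home from /proc/mounts text.

# Constructed sample of /proc/mounts. The ecryptfs_*_sig values are
# placeholders, not real key signatures.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/home/.ecryptfs/username/.Private /home/username ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=PLACEHOLDER_FNEK,ecryptfs_sig=PLACEHOLDER_SIG,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0'

# ecryptfs_home_state MOUNTS_TEXT HOME_DIR
# Prints one of:
#   mounted-with-fnek  - ecryptfs mounted at HOME_DIR, filename encryption key present
#   mounted-no-fnek    - ecryptfs mounted at HOME_DIR, but no ecryptfs_fnek_sig option
#   not-mounted        - no ecryptfs mount at HOME_DIR (what Dovecot sees in the question)
# Returns 0 when mounted, 1 otherwise.
ecryptfs_home_state() {
    mounts="$1"
    home="$2"
    # /proc/mounts fields: source mountpoint fstype options dump pass
    line=$(printf '%s\n' "$mounts" | awk -v h="$home" '$2 == h && $3 == "ecryptfs" { print; exit }')
    if [ -z "$line" ]; then
        echo not-mounted
        return 1
    fi
    case "$line" in
        *ecryptfs_fnek_sig=*) echo mounted-with-fnek ;;
        *)                    echo mounted-no-fnek ;;
    esac
    return 0
}

# check_live_home HOME_DIR
# Same check against the running system; run it from the context you are
# debugging (e.g. inside and outside an SSH session) to see what a
# Dovecot login would find.
check_live_home() {
    ecryptfs_home_state "$(cat /proc/mounts)" "$1"
}

# Stand-alone demonstration on the constructed sample:
ecryptfs_home_state "$SAMPLE_MOUNTS" /home/username
ecryptfs_home_state "$SAMPLE_MOUNTS" /home/other || true
```

With a real ecryptfs home, compare the output of check_live_home before and after an interactive login: the answer explains why the Dovecot PAM session alone never moves it from not-mounted to mounted, while an SSH login does, which matches the "/home/username is already mounted" log line in the question.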
