imapsync authuser error

[albanach]

I'm trying to migrate some users from cyrus using imapsync

I have an admin user set up on the cyrus box and am using a command line like this:

/usr/bin/imapsync --nosyncacls --syncinternaldates --host1 mail.mydomain.com --authuser1 adminuser -password1 adminPassword --user1 rg01 --host2 localhost --user2 richard@mydomain.com --password2 userPass --noauthmd5

Trouble is, I get this error:

Banner : * OK myserver Cyrus IMAP4 v2.2.3 server ready
Host mail.mydomain.com says it has NO CAPABILITY for AUTHENTICATE LOGIN
Error login : [mail.mydomain.com] with user [rg01] auth [LOGIN]: 3 NO Login failed: authentication failure

3 NO Login failed: authentication failure
...propagated at /usr/bin/imapsync line 676.

So that looks like it's still trying to authenticate as rg01

I check the logs on the other server and sure enough, there's a badlogin for rg01 - authentication failure checkpass failed.

has anyone else experienced this problem? Is there an error in my command line above?

Any help would be very much appreciated.

Thanks,

Russell

[Rich Graves]

Following IESG guidelines, Cyrus 2.2.3 doesn't allow AUTHENTICATE LOGIN unless SSL/TLS has been negotiated.

Use the --ssl1 option to imapsync, which in turn requires some dependencies.

Alternatively, there are various Cyrus patches floating around to allow AUTHENTICATE LOGIN from 127.0.0.1, or generally. You can try allowplaintext: yes but I vaguely recall some limitationsto that.

[albanach]

This doesn't seem to be my problem.

I can use ssl etc, but the error on the server1 logs is still that there's an authentication error for rg01 - not for the user mailtransport

The rg01 account is provisioned on the zimbra server. The zimbra server log isn't showing any errors and I don;t believe there's any problem there.

My problem is just that --authuser1 is set, but imapsync doesn't appear to be trying to authenticate using it.

[Rich Graves]

Well, "NO CAPABILITY for AUTHENTICATE LOGIN" is pretty clear. Your Cyrus server wouldn't happen to behind a proxy that fiddles with CAPABILITY output, would it?

You'd think it would be redundant, but try

imapsync --authmech1 PLAIN --authmech2 PLAIN

In Cyrus imapd.conf, do you have sasl_mech_list: PLAIN LOGIN? If you only have sasl_mech_list: LOGIN, that would also explain it.

[albanach]

Well, "NO CAPABILITY for AUTHENTICATE LOGIN" is pretty clear. Your Cyrus server wouldn't happen to behind a proxy that fiddles with CAPABILITY output, would it?

It's not really that clear - you get exactly the same error message with an incorrect password.

I think imapsync is being pretty clear that it's trying to log in as rg01 not authuser1

If I add --debugimap I see this in the output:

Error login : [mail.xxx.xxx] with user [rg01] auth [CRAM-MD5]: 2 NO authentication failure

My sasl_mech_list line includes PLAIN LOGIN CRAM-MD5 and DIGEST-MD5

[Rich Graves]

An allow_auth_plain_proxying patch is required for Cyrus even if you have allowplaintext: yes. Google for it.

"NO CAPABILITY for AUTHENTICATE LOGIN" is pretty straightforward.

Here's an example server that disallows plaintext login (LOGINDISABLED).

Code:

$ telnet mail.example.com 143
* OK IMAP4 ready
. capability
* CAPABILITY IMAP4rev1 LOGINDISABLED BINARY CHILDREN ID LITERAL+ LOGIN-REFERRALS NAMESPACE QUOTA SASL-IR UIDPLUS UNSELECT STARTTLS
. OK completed
. logout

If the server allows plaintext, it will say AUTH=PLAIN.

Code:

$ openssl s_client -quiet -connect mail.example.com:993
* OK mail.example.com Zimbra IMAP4rev1 service ready
. capability
* CAPABILITY IMAP4rev1 AUTH=PLAIN ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ID IDLE LIST-EXTENDED LITERAL+ LOGIN-REFERRALS MULTIAPPEND NAMESPACE QUOTA RIGHTS=ektx SASL-IR UIDPLUS UNSELECT WITHIN X-DRAFT-I05-SEARCHRES X-DRAFT-W05-QRESYNC
. OK CAPABILITY completed
. logout

[albanach]

I still think my problem is with imapsync PLAIN login is enabled and functioning.

Code:

russell@zimbra:~$ openssl s_client -quiet -connect mail.mydomain.com:993
depth=0 /C=UK/ST=Scotland/L=Edinburgh/O=HQ/OU=mail.mydomain.com/CN=mail.mydomain.com/emailAddress=postmaster@mydomain.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=UK/ST=Scotland/L=Edinburgh/O=HQ/OU=mail.mydomain.com/CN=mail.mydomain.com/emailAddress=postmaster@mydomain.com
verify return:1
* OK paddington Cyrus IMAP4 v2.2.3 server ready
1 capability
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=LOGIN AUTH=PLAIN SASL-IR X-NETSCAPE
1 OK Completed

There is nothing in the cyrus logs to indicate any problem other than login failures for rg01 - the user who's mailbox I am trying to move. I believe imapsync should be trying to login as the user specified as --authuser1

[Rich Graves]

That should be fine. Try an older version of imapsync, and/or caveman debugging within the script. Wouldn't be the first regression. Maybe it's confused by too many AUTH= atoms, or something. I also vaguely recall needing to force --authmech1 PLAIN --authmech2 PLAIN.

I used imapsync 2.19 happily back in July/August. My full command line:

Code:

imapsync219 --host1 foo --host2 bar\
 --buffersize 8192000 \
 --user1 $* --user2 $*@migrate --nosyncacls --noauthmd5 --ssl1 --ssl2 --sep1 /\
 --exclude '^Trash$|^trash$|^Deleted Messages$' \
 --syncinternaldates --authuser1 cyrus --authuser2 admin\
 --useheader Message-ID --useheader Date --skipsize --subscribe --prefix1 ''\
 --expunge2 --passfile1 .cyrus --passfile2 .admin  --authmech1 PLAIN --authmech2 PLAIN --delete2\
 --expunge1 --regextrans2 's/^Calendar$/Calendar (old)/' \
 --regextrans2 's/^CALENDAR/CALENDAR (old)/' \
 --regextrans2 's/^Contacts$/Contacts (old)/'\
 --regextrans2 's/^Notes$/Notes (old)/'\
 --regextrans2 's/^calendar$/calendar (old)/'\
 --regextrans2 's/^contacts$/contacts (old)/'\
 --regextrans2 's/^notes$/notes (old)/' --regextrans2 's/: / /g'\
 --regextrans2 's/://' --regextrans2 's/^Contacts\//Contacts (old)\//i'\
 --regextrans2 's/^Calendar\//Calendar\//i'\
 --regextrans2 's/^Notes\//Notes (old)\//i'

[tawfiqul.bari]

I had to reply to this. I had similar issue even 10 minutes ago. Using --authmech1 PLAIN --authmech2 PLAIN solved my issue. Now I have my big smile on my face

[jetbar]

i am also smile with this solution : --authmech1 PLAIN --authmech2 PLAIN, after i have add this, to run this script:
. imap_users #if in the same folder as imap_users else full-path to imap_users (e.g = " . /path/to/imap_users")

src_srv = zimbra.server.com
dest_srv = backup.server.com

for ((i = 0 ; i < ${#users[@]} ; i++ ))
do
/usr/bin/imapsync --noauthmd5 --syncinternaldates --subscribe \
--host1 $src_srv --ssl1 --user1 ${users[$i]} --authuser1 adminusername --password1 adminpassword \
--host2 $dest_srv --ssl2 --user2 ${users[$i]} --authuser2 adminusername --password2 adminpassword \
--authmech1 PLAIN --authmech2 PLAIN

done