Results 1 to 10 of 10

Thread: imapsync authuser error

  1. #1
    Join Date
    Jan 2008
    Posts
    30
    Rep Power
    7

    Default imapsync authuser error

    I'm trying to migrate some users from cyrus using imapsync

    I have an admin user set up on the cyrus box and am using a command line like this:

    /usr/bin/imapsync --nosyncacls --syncinternaldates --host1 mail.mydomain.com --authuser1 adminuser -password1 adminPassword --user1 rg01 --host2 localhost --user2 richard@mydomain.com --password2 userPass --noauthmd5

    Trouble is, I get this error:

    Banner : * OK myserver Cyrus IMAP4 v2.2.3 server ready
    Host mail.mydomain.com says it has NO CAPABILITY for AUTHENTICATE LOGIN
    Error login : [mail.mydomain.com] with user [rg01] auth [LOGIN]: 3 NO Login failed: authentication failure

    3 NO Login failed: authentication failure
    ...propagated at /usr/bin/imapsync line 676.

    So that looks like it's still trying to authenticate as rg01

    I check the logs on the other server and sure enough, there's a badlogin for rg01 - authentication failure checkpass failed.

    has anyone else experienced this problem? Is there an error in my command line above?

    Any help would be very much appreciated.

    Thanks,

    Russell

  2. #2
    Join Date
    Jan 2007
    Location
    Minnesota
    Posts
    719
    Rep Power
    9

    Default

    Following IESG guidelines, Cyrus 2.2.3 doesn't allow AUTHENTICATE LOGIN unless SSL/TLS has been negotiated.

    Use the --ssl1 option to imapsync, which in turn requires some dependencies.

    Alternatively, there are various Cyrus patches floating around to allow AUTHENTICATE LOGIN from 127.0.0.1, or generally. You can try allowplaintext: yes but I vaguely recall some limitationsto that.

  3. #3
    Join Date
    Jan 2008
    Posts
    30
    Rep Power
    7

    Default

    This doesn't seem to be my problem.

    I can use ssl etc, but the error on the server1 logs is still that there's an authentication error for rg01 - not for the user mailtransport

    The rg01 account is provisioned on the zimbra server. The zimbra server log isn't showing any errors and I don;t believe there's any problem there.

    My problem is just that --authuser1 is set, but imapsync doesn't appear to be trying to authenticate using it.

  4. #4
    Join Date
    Jan 2007
    Location
    Minnesota
    Posts
    719
    Rep Power
    9

    Default

    Well, "NO CAPABILITY for AUTHENTICATE LOGIN" is pretty clear. Your Cyrus server wouldn't happen to behind a proxy that fiddles with CAPABILITY output, would it?

    You'd think it would be redundant, but try

    imapsync --authmech1 PLAIN --authmech2 PLAIN

    In Cyrus imapd.conf, do you have sasl_mech_list: PLAIN LOGIN? If you only have sasl_mech_list: LOGIN, that would also explain it.

  5. #5
    Join Date
    Jan 2008
    Posts
    30
    Rep Power
    7

    Default Not clear at all

    Well, "NO CAPABILITY for AUTHENTICATE LOGIN" is pretty clear. Your Cyrus server wouldn't happen to behind a proxy that fiddles with CAPABILITY output, would it?
    It's not really that clear - you get exactly the same error message with an incorrect password.

    I think imapsync is being pretty clear that it's trying to log in as rg01 not authuser1

    If I add --debugimap I see this in the output:

    Error login : [mail.xxx.xxx] with user [rg01] auth [CRAM-MD5]: 2 NO authentication failure

    My sasl_mech_list line includes PLAIN LOGIN CRAM-MD5 and DIGEST-MD5

  6. #6
    Join Date
    Jan 2007
    Location
    Minnesota
    Posts
    719
    Rep Power
    9

    Default

    An allow_auth_plain_proxying patch is required for Cyrus even if you have allowplaintext: yes. Google for it.

    "NO CAPABILITY for AUTHENTICATE LOGIN" is pretty straightforward.

    Here's an example server that disallows plaintext login (LOGINDISABLED).

    Code:
    $ telnet mail.example.com 143
    * OK IMAP4 ready
    . capability
    * CAPABILITY IMAP4rev1 LOGINDISABLED BINARY CHILDREN ID LITERAL+ LOGIN-REFERRALS NAMESPACE QUOTA SASL-IR UIDPLUS UNSELECT STARTTLS
    . OK completed
    . logout
    If the server allows plaintext, it will say AUTH=PLAIN.

    Code:
    $ openssl s_client -quiet -connect mail.example.com:993
    * OK mail.example.com Zimbra IMAP4rev1 service ready
    . capability
    * CAPABILITY IMAP4rev1 AUTH=PLAIN ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ID IDLE LIST-EXTENDED LITERAL+ LOGIN-REFERRALS MULTIAPPEND NAMESPACE QUOTA RIGHTS=ektx SASL-IR UIDPLUS UNSELECT WITHIN X-DRAFT-I05-SEARCHRES X-DRAFT-W05-QRESYNC
    . OK CAPABILITY completed
    . logout

  7. #7
    Join Date
    Jan 2008
    Posts
    30
    Rep Power
    7

    Default

    I still think my problem is with imapsync PLAIN login is enabled and functioning.

    Code:
    russell@zimbra:~$ openssl s_client -quiet -connect mail.mydomain.com:993
    depth=0 /C=UK/ST=Scotland/L=Edinburgh/O=HQ/OU=mail.mydomain.com/CN=mail.mydomain.com/emailAddress=postmaster@mydomain.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=UK/ST=Scotland/L=Edinburgh/O=HQ/OU=mail.mydomain.com/CN=mail.mydomain.com/emailAddress=postmaster@mydomain.com
    verify return:1
    * OK paddington Cyrus IMAP4 v2.2.3 server ready
    1 capability
    * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=LOGIN AUTH=PLAIN SASL-IR X-NETSCAPE
    1 OK Completed
    There is nothing in the cyrus logs to indicate any problem other than login failures for rg01 - the user who's mailbox I am trying to move. I believe imapsync should be trying to login as the user specified as --authuser1

  8. #8
    Join Date
    Jan 2007
    Location
    Minnesota
    Posts
    719
    Rep Power
    9

    Default

    That should be fine. Try an older version of imapsync, and/or caveman debugging within the script. Wouldn't be the first regression. Maybe it's confused by too many AUTH= atoms, or something. I also vaguely recall needing to force --authmech1 PLAIN --authmech2 PLAIN.

    I used imapsync 2.19 happily back in July/August. My full command line:

    Code:
    imapsync219 --host1 foo --host2 bar\
     --buffersize 8192000 \
     --user1 $* --user2 $*@migrate --nosyncacls --noauthmd5 --ssl1 --ssl2 --sep1 /\
     --exclude '^Trash$|^trash$|^Deleted Messages$' \
     --syncinternaldates --authuser1 cyrus --authuser2 admin\
     --useheader Message-ID --useheader Date --skipsize --subscribe --prefix1 ''\
     --expunge2 --passfile1 .cyrus --passfile2 .admin  --authmech1 PLAIN --authmech2 PLAIN --delete2\
     --expunge1 --regextrans2 's/^Calendar$/Calendar (old)/' \
     --regextrans2 's/^CALENDAR/CALENDAR (old)/' \
     --regextrans2 's/^Contacts$/Contacts (old)/'\
     --regextrans2 's/^Notes$/Notes (old)/'\
     --regextrans2 's/^calendar$/calendar (old)/'\
     --regextrans2 's/^contacts$/contacts (old)/'\
     --regextrans2 's/^notes$/notes (old)/' --regextrans2 's/: / /g'\
     --regextrans2 's/://' --regextrans2 's/^Contacts\//Contacts (old)\//i'\
     --regextrans2 's/^Calendar\//Calendar\//i'\
     --regextrans2 's/^Notes\//Notes (old)\//i'

  9. #9
    Join Date
    Nov 2010
    Posts
    3
    Rep Power
    5

    Default It Works

    I had to reply to this. I had similar issue even 10 minutes ago. Using --authmech1 PLAIN --authmech2 PLAIN solved my issue. Now I have my big smile on my face

  10. #10
    Join Date
    Dec 2010
    Posts
    2
    Rep Power
    4

    Default

    i am also smile with this solution : --authmech1 PLAIN --authmech2 PLAIN, after i have add this, to run this script:
    . imap_users #if in the same folder as imap_users else full-path to imap_users (e.g = " . /path/to/imap_users")

    src_srv = zimbra.server.com
    dest_srv = backup.server.com

    for ((i = 0 ; i < ${#users[@]} ; i++ ))
    do
    /usr/bin/imapsync --noauthmd5 --syncinternaldates --subscribe \
    --host1 $src_srv --ssl1 --user1 ${users[$i]} --authuser1 adminusername --password1 adminpassword \
    --host2 $dest_srv --ssl2 --user2 ${users[$i]} --authuser2 adminusername --password2 adminpassword \
    --authmech1 PLAIN --authmech2 PLAIN

    done

Similar Threads

  1. Zimbra fails after working for 2 weeks
    By Linsys in forum Administrators
    Replies: 10
    Last Post: 10-07-2008, 01:42 AM
  2. [SOLVED] Debian Etch 32 / 64: MTA not working
    By xflip in forum Installation
    Replies: 2
    Last Post: 01-18-2008, 04:58 AM
  3. [SOLVED] Upgraded to 5.0 OSS - Sendmail Problem
    By Chewie71 in forum Installation
    Replies: 11
    Last Post: 12-28-2007, 07:07 PM
  4. M3 problem with shares
    By titangears in forum Users
    Replies: 4
    Last Post: 01-12-2006, 01:01 PM
  5. Building native libraries on MacOS X
    By ajmas in forum Developers
    Replies: 3
    Last Post: 10-15-2005, 12:00 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •