
Can't proxyauth to cyrus imap (BAD Unrecognized command)

Open flagmonkey opened this issue 4 years ago • 6 comments

Hi,

I am trying to use imapsync-1.882 (first time using this tool) to sync mailboxes from a very old Cyrus IMAP server (2.1.18) to a modern version of Dovecot. I never used proxyauth before. I added the admin user to the Cyrus conf:

# grep tt-admin /etc/imapd.conf
admins: root adminuser
proxyservers: cyrus adminuser

I want to sync e-mails from syncmepls to [email protected] on host2 (localhost where imapsync is running). This is what I use to sync:

./imapsync --host1 x.x.x.x --tls1 --user1 syncmepls --authuser1 adminuser --proxyauth1 --password1 MASKED --host2 localhost --tls2 --user2 [email protected] --password2 MASKED --dry

Host1: will try to use PLAIN authentication on host1
Host2: will try to use LOGIN authentication on host2
Host1: IMAP server [x.x.x.x] port [143] user [syncmepls]
Host2: IMAP server [localhost] port [143] user [[email protected]]
Host1: connecting and login on host1 [x.x.x.x] port [143] with user [syncmepls]
Host1 IP address: x.x.x.x
Host1 banner: * OK mx5 Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-1 server ready
Host1 capability before authentication: IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS ANNOTATEMORE
Host1: Socket successfuly converted to SSL
Host1: x.x.x.x says it has NO CAPABILITY for AUTHENTICATE PLAIN
Host1: frequently PLAIN is only supported with SSL, try --ssl or --tls options
Host1 failure: Error doing proxyauth as user [syncmepls] on [x.x.x.x] using proxy-login as [adminuser]: 5 BAD Unrecognized command

Any help with this would be greatly appreciated.

flagmonkey, Feb 18 '21 13:02

What happens without --proxyauth1 ?

https://imapsync.lamiral.info/FAQ.d/FAQ.Cyrus.txt

======================================================================
Q. How to migrate from cyrus with an admin account?

R. Use:
 
 imapsync ... \
   --authuser1 admin_user  --password1 admin_user_password \
   --user1 foo_user --ssl1

Instead of --ssl1 the alternative --tls1 can be used.
With --authuser1, the option --authmech1 PLAIN is set
automatically, you don't have to add it.

PLAIN authentication is the only way to go with --authuser1 for now.
So don't use --authmech1 SOMETHING with --authuser1 admin_user,
it will not work.
Same behavior with the --authuser2 option.

Do not forget the option --ssl1 or --tls1 since PLAIN auth is only
supported with ssl encryption most of the time. But it can
work without --ssl1 nor --tls1 if PLAIN is permitted in clear text
transmissions (the normal mode).

Add the AdminAccount to admins line in /etc/imapd.conf
Give AdminAccount lrswipkxtecda to the Cyrus Imap account 
being migrated from, "joe" here.


Here is an example:
 imapsync \
	--host1 server1 \
	--user1 joe \
	--authuser1 AdminAccount \
	--password1 AdminAccountPassword \
	--ssl1 \
	--host2 server2 \
	--user2 joe \
	--password2 joespassonserver2 \
	--exclude "^user\."

=======================================================================

gilleslamiral, Feb 19 '21 13:02

This is what I get without --proxyauth1:

Host1 failure: Error login on [x.x.x.x] with user [syncmepls] auth [PLAIN]: 4 NO no mechanism available

flagmonkey, Feb 19 '21 14:02

> This is what I get without --proxyauth1:
> Host1 failure: Error login on [x.x.x.x] with user [syncmepls] auth [PLAIN]: 4 NO no mechanism available

It looks better. Maybe you could dig into the Cyrus admin auth mechanism. What does the Cyrus log say?

I found https://serverfault.com/questions/405562/postfix-sasl-login-failing-no-mechanism-found Despite the title, there is Cyrus stuff in it.

gilleslamiral, Feb 19 '21 16:02

Now the cyrus log says:

PLAIN [SASL(-4): no mechanism available: Couldn't find mech PLAIN]

The cyrus machine has:

x.x.x.x:~# grep -i plain /etc/imapd.conf| grep -v '#'
allowplaintext: yes
sasl_mech_list: PLAIN

/usr/sbin/saslauthd is running

/etc/pam.d/imap

auth       optional     pam_mysql.so user=xxx passwd=xxx db=xxx table=xxx usercolumn=xxx passwdcolumn=xxx crypt=1
account    required     pam_mysql.so user=xxx passwd=xxx db=xxx table=xxx usercolumn=xxx passwdcolumn=xxx crypt=1

flagmonkey, Feb 22 '21 12:02

Digging a little deeper on the cyrus box:

imtest -u syncmepls -a adminuser -m PLAIN -w password localhost

S: * OK Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS ANNOTATEMORE
S: C01 OK Completed
Authentication failed. no mechanism available
Security strength factor: 0

imtest -u syncmepls -a adminuser -w password localhost

S: * OK Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS ANNOTATEMORE
S: C01 OK Completed
C: L01 LOGIN adminuser{7}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.


flagmonkey, Feb 22 '21 13:02

I don't see anything with the user "syncmepls" in the successful second dialogue, in both imap dialogues actually.

gilleslamiral, Feb 22 '21 14:02
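
An added example, not part of the thread or of imapsync: it reads the CAPABILITY line shown in the imtest dialogue for `AUTH=` atoms and builds the SASL PLAIN message (RFC 4616) that carries both the target mailbox user (authzid) and the admin (authcid), which the IMAP LOGIN command cannot do because it takes only one user name. The function names and the password are assumptions made for illustration.

```python
import base64

# CAPABILITY line copied from the imtest dialogue above (Cyrus 2.1.18).
PAGE_CAPABILITY = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE "
    "UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT "
    "THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS ANNOTATEMORE"
)

def advertised_sasl_mechs(capability_line):
    """Return the SASL mechanisms advertised as AUTH=<mech> atoms, upper-cased."""
    atoms = capability_line.split()
    return sorted(a[5:].upper() for a in atoms if a.upper().startswith("AUTH="))

def plain_initial_response(authzid, authcid, password):
    """Build the RFC 4616 PLAIN message: authzid NUL authcid NUL passwd, base64."""
    if not authcid or not password:
        raise ValueError("authcid and password are required")
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(response_b64):
    """Split a PLAIN response into (authzid, authcid, passwd), e.g. when reading a trace."""
    parts = base64.b64decode(response_b64, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected exactly three NUL-separated fields")
    return tuple(p.decode("utf-8") for p in parts)

def diagnose(capability_line, mech="PLAIN"):
    """Say whether an admin login that needs `mech` can work against this server."""
    mechs = advertised_sasl_mechs(capability_line)
    if mech in mechs:
        return f"{mech} offered"
    if not mechs:
        return f"{mech} not offered: server advertises no SASL mechanisms"
    return f"{mech} not offered: server advertises {', '.join(mechs)}"

if __name__ == "__main__":
    print(diagnose(PAGE_CAPABILITY))
    # Constructed credentials; the password is a placeholder, not from the thread.
    resp = plain_initial_response("syncmepls", "adminuser", "example-password")
    print(decode_plain(resp))
```

The capability line on this page contains no `AUTH=` atom at all, which is consistent with the "no mechanism available" errors reported by imapsync, imtest and the Cyrus log.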