pilerimport for imap doesn't seem to respect plaintext auth not allowed without SSL/TLS

Issue #995 closed
Waldemar Hamm created an issue

Hi @Janos SUTO and thanks for creating piler.

Up till now I managed to get by with some guides on the net and your documentation but I’m struggling with a problem now that I don’t know how would be best to solve.

I want to import existing mails to piler via IMAP but my mail server expects connections to run on SSL/TLS. Even if I specify port 993 via -p 993 I still get this error message:

login failed, server reponse: * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
A1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

Is it somehow possible to force pilerimport to respect SSL/TLS for the authentication process? If it’s not a misconfiguration on my end I regard this as a bug, since the authentication parameters should be respected; at the very least if you’re forcing port 993.

Comments (11)

  1. Janos SUTO repo owner

    Hello Waldemar. I notice that you typed -p 993. -p is for the password, and -P is for the port. So if you specify -P 993, then pilerimport should connect using ssl.

    Anyway, if it doesn’t then I’d like to see an ngrep output, ie. run “ngrep -X port 993” when running pilerimport.

  2. Waldemar Hamm reporter

    Oh god, I’m so sorry I hope it wasn’t a case sensitivity issue. I’m currently on the go, will test soon. In the meantime it would be great if starttls for auth wouldn't be ignored, what do you think?

  3. Janos SUTO repo owner

    I’m confused regarding “starttls for auth”. For me starttls is smtp protocol stuff, and I’m not sure how it relates to any authentication.

  4. Waldemar Hamm reporter

    Thanks for bringing the case sensitivity issue to my attention, that was the culprit indeed! Pilerimport does its work now 🙂 .

    Well Opportunistic TLS is also a possible part of IMAP; it is then called “IMAP over (START)TLS”. My server here is saying in its error message that it messaged STARTTLS and disallowed authentication without encryption but pilerimport did it anyway (without proper specification of the port 993, though, which is encrypted explicitly and not opportunistically). It basically ignored STARTTLS altogether.

    I’m using RESTORE_OVER_IMAP with port 993. Would it behave the same way if I tried specifying 143 or would IMAP_SSL save the day then?
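
The client-side check discussed in this comment, as an added example that is not part of the original thread and is not pilerimport's code: before sending LOGIN, read the server's capabilities and either proceed over TLS, upgrade with STARTTLS, or abort. The function names and sample greetings are constructed for illustration, and port 993 is assumed to mean implicit TLS.

```python
import imaplib
import re
import ssl

# Constructed sample greetings, not captured from the server in this thread.
GREETING_STARTTLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
GREETING_PLAIN_ONLY = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready"


def capabilities(line):
    """Capability atoms from a greeting or an untagged CAPABILITY response."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]+)", line, re.IGNORECASE)
    return {atom.upper() for atom in m.group(1).split()} if m else set()


def next_step(caps, tls_active):
    """What the client may do next without exposing the password."""
    if "LOGINDISABLED" in caps and tls_active:
        return "ABORT"      # server forbids LOGIN even on an encrypted channel
    if tls_active:
        return "LOGIN"      # implicit TLS (port 993) or STARTTLS already done
    if "STARTTLS" in caps:
        return "STARTTLS"   # upgrade first, then re-read the capabilities
    return "ABORT"          # cleartext only: never send LOGIN


def secure_login(host, port, user, password):
    """Hypothetical helper: log in only once the channel is encrypted."""
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    tls = port == 993                   # assumption: 993 means implicit TLS
    if tls:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    else:
        conn = imaplib.IMAP4(host, port)
    step = next_step({c.upper() for c in conn.capabilities}, tls)
    if step == "STARTTLS":
        conn.starttls(ssl_context=ctx)  # imaplib re-fetches capabilities here
        step = next_step({c.upper() for c in conn.capabilities}, True)
    if step != "LOGIN":
        conn.shutdown()
        raise RuntimeError("refusing to send credentials over this connection")
    conn.login(user, password)
    return conn
```

A server that advertises LOGINDISABLED on a cleartext connection, as in the constructed greeting, is telling the client not to issue LOGIN until the connection has been upgraded.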

  5. Waldemar Hamm reporter

    I’m getting “Syntax Error ([bigger getting numbers]): No current point in closepath” when importing. A quick googling revealed that it’s a problem with PDF parsing. Should I be worried or is this just a problem for the attachment indexing and only bad for the search capability but nothing else?

    EDIT: I also saw these kinds of error spams: https://phabricator.wikimedia.org/T145772

  6. Janos SUTO repo owner

    Worst case scenario: you can’t search for the attachment content of that email. The email is still processed and archived.

  7. Waldemar Hamm reporter

    That’s ok, I can live with that 🙂. Well, the IMAP over TLS thing isn’t a major problem, just wanted to point it out. As long as there’s a surefire way to avoid unencrypted traffic I’ll just roll with it.

    I guess you can close this issue, thank you very much!

  8. Waldemar Hamm reporter

    Hi Janos, sorry for abusing this ticket to engage communication but I hope you could clear up a question (imho not worthy of its own issue) that’s still left for me with piler and I don’t know any other way of contacting you. (Also maybe will find this by searching if he/she has the same question.)

    Is there any downside to using RESTORE_OVER_IMAP over SMARTHOST? I find RESTORE_OVER_IMAP really comfortable, since I also use ENABLE_IMAP_AUTH. I’m just wondering if there are any (security) downsides over using SMARTHOST that I might have overlooked. Could you share any thoughts on this? Maybe also pros and cons of using RESTORE_OVER_IMAP over SMARTHOST?

    Thank you very much!

  9. Janos SUTO repo owner

    Well, for starters you may use the mailing list or check out piler -V output for my email.

    Anyway, I believe that restoring over imap ssl is just as fine as using smtp. The main difference (besides the used protocol) is that imap restore puts all restored emails to a fixed imap folder (INBOX by default), while in case of smtp the restored email is processed by your existing rules (eg. sieve, if there’s any).

  10. Waldemar Hamm reporter

    Thanks, I will mail you in the future if I may have further questions. I’ve added myself to the mailing list.

    Thanks again for the explanation, this helps me get a better grasp on possible best practices with piler. Keep up the good work!
