How to enable clear text login in IMAP (zcs 8.6)

Latest revision as of 14:03, 27 January 2015

Description:

Trying to log in to IMAP on ZCS 8.6 resulted in an error:

# telnet server.example.com 143
Trying 10.10.10.1...
Connected to server.example.com.
Escape character is '^]'.
* OK IMAP4 ready
a1 LOGIN user pass
NO cleartext logins disabled
* BYE Zimbra IMAP server terminating connection


Troubleshooting:

1. From the error we can conclude that clear-text logins are disabled. To check that through the AdminUI or CLI:

  • AdminUI: Home > Configure > Global Settings > IMAP > Enable Clear Text Login.
  • CLI:

a) To check whether it is enabled:

$ zmprov gacf | grep zimbraImapCleartextLoginEnabled

b) To modify it, run:

$ zmprov mcf zimbraImapCleartextLoginEnabled TRUE


2. After changing the value to TRUE, we try again, but unfortunately the result is the same. To find out what might be wrong, we first run the command:

# telnet server.example.com 143
Trying 10.10.10.1...
Connected to server.example.com.
Escape character is '^]'.
* OK IMAP4 ready
a1 capability
* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE IMAP4rev1 LIST-EXTENDED LIST-STATUS LITERAL+  MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST STARTTLS LOGINDISABLED
1 OK completed
* BYE Zimbra IMAP server terminating connection
Connection closed by foreign host.

In the above output, we run the telnet command again, but this time we issue the command a1 capability. Note that "a1" could be anything you like; it's just a marker for the commands you run. Looking at the capabilities, the last two (STARTTLS, LOGINDISABLED) give us a clue as to what might be wrong.


3. We can go to the config files and see where those two are mentioned. We open the file /opt/zimbra/conf/attrs/zimbra-attrs.xml and look inside:

<attr id="719" name="zimbraReverseProxyImapEnabledCapability" type="string" max="256" cardinality="multi" optionalIn="globalConfig,server"   flags="serverInherited" requiresRestart="nginxproxy" since="5.0.10">
 <globalConfigValue>IMAP4rev1</globalConfigValue>
 <globalConfigValue>ACL</globalConfigValue>
 <globalConfigValue>BINARY</globalConfigValue>
 <globalConfigValue>CATENATE</globalConfigValue>
 <globalConfigValue>CHILDREN</globalConfigValue>
 <globalConfigValue>CONDSTORE</globalConfigValue>
 <globalConfigValue>ENABLE</globalConfigValue>
 <globalConfigValue>ESEARCH</globalConfigValue>
 <globalConfigValue>ESORT</globalConfigValue>
 <globalConfigValue>I18NLEVEL=1</globalConfigValue>
 <globalConfigValue>ID</globalConfigValue>
 <globalConfigValue>IDLE</globalConfigValue>
 <globalConfigValue>LIST-EXTENDED</globalConfigValue>
 <globalConfigValue>LIST-STATUS</globalConfigValue>
 <globalConfigValue>LITERAL+</globalConfigValue>
 <globalConfigValue>MULTIAPPEND</globalConfigValue>
 <globalConfigValue>NAMESPACE</globalConfigValue>
 <globalConfigValue>QRESYNC</globalConfigValue>
 <globalConfigValue>QUOTA</globalConfigValue>
 <globalConfigValue>RIGHTS=ektx</globalConfigValue>
 <globalConfigValue>SASL-IR</globalConfigValue>
 <globalConfigValue>SEARCHRES</globalConfigValue>
 <globalConfigValue>SORT</globalConfigValue>
 <globalConfigValue>THREAD=ORDEREDSUBJECT</globalConfigValue>
 <globalConfigValue>UIDPLUS</globalConfigValue>
 <globalConfigValue>UNSELECT</globalConfigValue>
 <globalConfigValue>WITHIN</globalConfigValue>
 <globalConfigValue>XLIST</globalConfigValue>
 <desc>NGINX reverse proxy imap capabilities</desc>
</attr>


From this output we don't see the last two capabilities that we saw above. To check a little bit deeper, just for info, we can look at the code:


if (!isAuthenticated()) {
    // Both capabilities are advertised only before TLS has been started
    if (!startedTLS && !config.isCleartextLoginEnabled()) {
        capability.append(" LOGINDISABLED");
    }
    if (!startedTLS && extensionEnabled("STARTTLS")) {
        capability.append(" STARTTLS");
    }
}


We see that the two capabilities are added when TLS is not enabled/started, which means that these two are conditional and there should be a way to change this behavior.

4. The next thing to check is the set of attributes connected to IMAP, to see which one most closely matches the situation we are faced with. We run:

$ zmprov gacf | grep -i imap
zimbraAdminImapImportNumThreads: 20
zimbraImapBindOnStartup: TRUE
zimbraImapBindPort: 7143
zimbraImapCleartextLoginEnabled: TRUE
zimbraImapExposeVersionOnBanner: FALSE
zimbraImapMaxConnections: 200
... more lines skipped ...
zimbraReverseProxyImapStartTlsMode: only

From the output we can see an attribute called zimbraReverseProxyImapStartTlsMode, whose value is only. This tells us that nothing except the use of TLS is allowed. Here is a description:

$ zmprov desc -a zimbraReverseProxyImapStartTlsMode
zimbraReverseProxyImapStartTlsMode
   on - on the plain POP/IMAP port, starttls is allowed off - no starttls
   is offered on plain port only - you have to use starttls before clear
   text login
              type : enum
             value : on,off,only
          callback :
         immutable : false
       cardinality : single
        requiredIn :
        optionalIn : globalConfig,server
             flags : serverInherited
          defaults : only
               min :
               max :
                id : 641
   requiresRestart : nginxproxy
             since : 5.0.5
   deprecatedSince :


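We see the possible values are on (STARTTLS is allowed on the plain POP/IMAP port), off (no STARTTLS is offered on the plain port) and only (you have to use STARTTLS before clear text login). The following command will change the value of this attribute to off: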

$ zmprov mcf zimbraReverseProxyImapStartTlsMode off


With the value changed (the description above marks this attribute as requiresRestart: nginxproxy), we run the telnet command again:


# telnet server.example.com 143
Trying 10.10.10.1...
Connected to server.example.com.
Escape character is '^]'.
* OK IMAP4 ready
1 capabilities
1 BAD invalid command
1 capability
* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE  IMAP4rev1 LIST-EXTENDED LIST-STATUS LITERAL+ MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST AUTH=PLAIN
1 OK completed 


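This shows us a completely different picture: STARTTLS and LOGINDISABLED are no longer advertised, and AUTH=PLAIN is offered on the plain port. Now we are successfully logged in and can start using the server.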
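
The capability comparison from steps 2 and 4, as an added example that is not part of the original page: a Python check that parses a CAPABILITY response and reports whether a password can be sent before TLS is negotiated. BEFORE and AFTER reproduce the two responses captured above; GREETING, the function names and the verdict strings are constructed for illustration.

```python
import re

# The two CAPABILITY responses captured on this page, before and after the change.
BEFORE = ("* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT "
          "I18NLEVEL=1 ID IDLE IMAP4rev1 LIST-EXTENDED LIST-STATUS LITERAL+  MULTIAPPEND "
          "NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT "
          "THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST STARTTLS LOGINDISABLED")
# The second capture differs from the first only in its last capabilities.
AFTER = BEFORE.replace("STARTTLS LOGINDISABLED", "AUTH=PLAIN")
# Constructed sample: a greeting that carries capabilities as a response code.
GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready"

# SASL mechanisms that transmit the password itself (only base64-encoded).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capability(line):
    """Return the upper-cased capability atoms of an untagged CAPABILITY
    response or of a '[CAPABILITY ...]' response code."""
    m = re.search(r"(?:^\*\s+|\[)CAPABILITY\s+([^\]\r\n]*)", line, re.IGNORECASE)
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {atom.upper() for atom in m.group(1).split()}


def preauth_posture(line, tls_active=False):
    """Classify how credentials can travel on this connection."""
    caps = parse_capability(line)
    mechs = sorted(c[5:] for c in caps if c.startswith("AUTH="))
    login_ok = "LOGINDISABLED" not in caps   # LOGIN command permitted
    starttls = "STARTTLS" in caps            # upgrade to TLS offered
    exposed = login_ok or any(m in CLEARTEXT_MECHS for m in mechs)
    if tls_active:
        verdict = "encrypted"
    elif exposed:
        verdict = "cleartext-allowed-starttls-optional" if starttls else "cleartext-only"
    else:
        verdict = "starttls-required" if starttls else "no-password-auth-offered"
    return {"login_command": login_ok, "starttls": starttls,
            "sasl": mechs, "verdict": verdict}


if __name__ == "__main__":
    for name, line in (("before", BEFORE), ("after", AFTER), ("greeting", GREETING)):
        print(name, preauth_posture(line))
```

A verdict of cleartext-only, as for the AFTER capture, means LOGIN and AUTH=PLAIN credentials cross port 143 unencrypted, with no STARTTLS upgrade on offer.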
