Difference between revisions of "Unable to log in to IMAP"

Revision as of 16:42, 20 January 2015

Description:

Trying to log in to IMAP on ZCS 8.6 resulted in an error:

[root@server ~]# telnet server.example.com 143
Trying 10.10.10.1...
Connected to server.example.com.
Escape character is '^]'.
* OK IMAP4 ready
a1 LOGIN user pass
NO cleartext logins disabled
* BYE Zimbra IMAP server terminating connection


Troubleshooting:

1. From the error we can conclude that clear-text logins are disabled. To check that through the AdminUI or CLI:

  • AdminUI: Home > Configure > Global Settings > IMAP > Enable Clear Text Login.
  • CLI:

a) To check if it's enabled:

$ zmprov gacf | grep zimbraImapCleartextLoginEnabled

b) To modify it, you can run:

$ zmprov mcf zimbraImapCleartextLoginEnabled TRUE


After changing the value to true, we try again but unfortunately the result is the same. To find out what might be wrong we first run the command:

[root@one ~]# telnet server.example.com 143
Trying 10.10.10.1...
Connected to server.example.com.
Escape character is '^]'.
* OK IMAP4 ready
a1 capability
* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE IMAP4rev1 LIST-EXTENDED LIST-STATUS LITERAL+  MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST STARTTLS LOGINDISABLED
1 OK completed
* BYE Zimbra IMAP server terminating connection
Connection closed by foreign host.

In the above output, we run the telnet command, but this time we issue the command a1 capability. Note that "a1" could be anything you like; it's just a tag that marks the commands you run. Looking at the capabilities, we see that the last two (STARTTLS, LOGINDISABLED) give us a clue as to what might be wrong. The next thing to do is to go to the config files and see where those two are mentioned. We open the file /opt/zimbra/conf/attrs/zimbra-attrs.xml and look inside:

<attr id="719" name="zimbraReverseProxyImapEnabledCapability" type="string" max="256" cardinality="multi" optionalIn="globalConfig,server"   flags="serverInherited" requiresRestart="nginxproxy" since="5.0.10">
 <globalConfigValue>IMAP4rev1</globalConfigValue>
 <globalConfigValue>ACL</globalConfigValue>
 <globalConfigValue>BINARY</globalConfigValue>
 <globalConfigValue>CATENATE</globalConfigValue>
 <globalConfigValue>CHILDREN</globalConfigValue>
 <globalConfigValue>CONDSTORE</globalConfigValue>
 <globalConfigValue>ENABLE</globalConfigValue>
 <globalConfigValue>ESEARCH</globalConfigValue>
 <globalConfigValue>ESORT</globalConfigValue>
 <globalConfigValue>I18NLEVEL=1</globalConfigValue>
 <globalConfigValue>ID</globalConfigValue>
 <globalConfigValue>IDLE</globalConfigValue>
 <globalConfigValue>LIST-EXTENDED</globalConfigValue>
 <globalConfigValue>LIST-STATUS</globalConfigValue>
 <globalConfigValue>LITERAL+</globalConfigValue>
 <globalConfigValue>MULTIAPPEND</globalConfigValue>
 <globalConfigValue>NAMESPACE</globalConfigValue>
 <globalConfigValue>QRESYNC</globalConfigValue>
 <globalConfigValue>QUOTA</globalConfigValue>
 <globalConfigValue>RIGHTS=ektx</globalConfigValue>
 <globalConfigValue>SASL-IR</globalConfigValue>
 <globalConfigValue>SEARCHRES</globalConfigValue>
 <globalConfigValue>SORT</globalConfigValue>
 <globalConfigValue>THREAD=ORDEREDSUBJECT</globalConfigValue>
 <globalConfigValue>UIDPLUS</globalConfigValue>
 <globalConfigValue>UNSELECT</globalConfigValue>
 <globalConfigValue>WITHIN</globalConfigValue>
 <globalConfigValue>XLIST</globalConfigValue>
 <desc>NGINX reverse proxy imap capabilities</desc>
</attr>


From this output we don't see the last two capabilities that we saw above. To check a little bit deeper, just for info, we can look at the code:

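if (!isAuthenticated()) {
    // LOGINDISABLED is advertised while TLS has not been started and clear-text login is not enabled
    if (!startedTLS && !config.isCleartextLoginEnabled()) {
        capability.append(" LOGINDISABLED");
    }
    // STARTTLS is advertised while TLS has not been started and the extension is enabled
    if (!startedTLS && extensionEnabled("STARTTLS")) {
        capability.append(" STARTTLS");
    }
    // (excerpt ends here)
}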

We see that the two capabilities are added when TLS is not enabled/started, which means that these two are conditional and there should be a way to change this behavior.

The next thing to check are all attributes connected to IMAP and see which one resembles closely the situation we are faced with. We run:

$ zmprov gacf | grep -i imap
zimbraAdminImapImportNumThreads: 20
zimbraImapBindOnStartup: TRUE
zimbraImapBindPort: 7143
zimbraImapCleartextLoginEnabled: TRUE
zimbraImapExposeVersionOnBanner: FALSE
zimbraImapMaxConnections: 200
more lines skipped ............
zimbraReverseProxyImapStartTlsMode: only

From the output we can see an attribute called zimbraReverseProxyImapStartTlsMode, and its value is only, which tells us that anything except the use of TLS is not allowed. Here is a description:

$ zmprov desc -a zimbraReverseProxyImapStartTlsMode
zimbraReverseProxyImapStartTlsMode
   on - on the plain POP/IMAP port, starttls is allowed off - no starttls
   is offered on plain port only - you have to use starttls before clear
   text login
              type : enum
             value : on,off,only
          callback :
         immutable : false
       cardinality : single
        requiredIn :
        optionalIn : globalConfig,server
             flags : serverInherited
          defaults : only
               min :
               max :
                id : 641
   requiresRestart : nginxproxy
             since : 5.0.5
   deprecatedSince :


We see the possible values are on, off and only. The following command will change the value of this attribute to off:

$ zmprov mcf zimbraReverseProxyImapStartTlsMode off


With the value changed, we run the telnet command again:

[root@one conf]# telnet server.example.com 143
Trying 10.10.10.1...
Connected to server.example.com.
Escape character is '^]'.
* OK IMAP4 ready
1 capabilities
1 BAD invalid command
1 capability
* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE  IMAP4rev1 LIST-EXTENDED LIST-STATUS LITERAL+ MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST AUTH=PLAIN
1 OK completed 


This shows us a completely different picture. Now we are successfully logged in and can start using the server.
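
The two CAPABILITY responses above can be read mechanically. The following is an added example, not part of the original page or of Zimbra's code: it parses an untagged CAPABILITY line and classifies what an unauthenticated client may do on the plaintext port. It goes beyond the two cases shown on this page by also covering a server that offers STARTTLS without LOGINDISABLED. The function names `parse_capabilities`, `login_posture` and `probe` are hypothetical.

```python
import imaplib
import ssl

# Capability lines copied from the two telnet sessions on this page.
BEFORE = ("* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT "
          "I18NLEVEL=1 ID IDLE IMAP4rev1 LIST-EXTENDED LIST-STATUS LITERAL+ MULTIAPPEND "
          "NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT "
          "THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST STARTTLS LOGINDISABLED")
AFTER = BEFORE.replace(" STARTTLS LOGINDISABLED", " AUTH=PLAIN")

def parse_capabilities(line):
    """Return the capability atoms of an untagged '* CAPABILITY ...' response."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response: %r" % line)
    return {p.upper() for p in parts[2:]}

def login_posture(caps):
    """Classify what an unauthenticated client may do on the plaintext port."""
    starttls = "STARTTLS" in caps
    login_disabled = "LOGINDISABLED" in caps
    if login_disabled:
        verdict = "tls-required" if starttls else "login-disabled-no-starttls"
    else:
        verdict = "tls-optional" if starttls else "cleartext-only"
    return {
        "verdict": verdict,
        "sasl": sorted(c[5:] for c in caps if c.startswith("AUTH=")),
        # Without LOGINDISABLED the server accepts LOGIN before any TLS handshake.
        "cleartext_login_accepted": not login_disabled,
    }

def probe(host, port=143):
    """Live check (hypothetical helper, needs network): posture before/after STARTTLS."""
    conn = imaplib.IMAP4(host, port)
    try:
        before = login_posture({c.upper() for c in conn.capabilities})
        login_after_tls = None
        if "STARTTLS" in conn.capabilities:
            conn.starttls(ssl.create_default_context())  # verifies the certificate
            login_after_tls = "LOGINDISABLED" not in conn.capabilities
        return before, login_after_tls
    finally:
        conn.logout()

if __name__ == "__main__":
    for name, line in (("mode=only", BEFORE), ("mode=off", AFTER)):
        print(name, login_posture(parse_capabilities(line)))
```

With the mode set to only, a client that issues STARTTLS first (as `probe` does) is no longer subject to LOGINDISABLED, which follows from the `!startedTLS` condition in the code excerpt above; telnet cannot perform that upgrade. With the mode set to off, the verdict is `cleartext-only`, meaning credentials cross port 143 unencrypted.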
