Difference between revisions of "Unable to log in to IMAP"

  
== Description: ==
 
 
 
Trying to login to '''IMAP''' on '''ZCS 8.6''' resulted in an error:
 
 
[root@server ~]# '''telnet''' server.example.com 143
 
Trying 10.10.10.1...
 
Connected to server.example.com.
 
Escape character is '^]'.
 
* OK IMAP4 ready
 
a1 LOGIN user pass
 
NO '''cleartext logins disabled'''
 
* BYE Zimbra IMAP server terminating connection
 
 
 
 
=== Troubleshooting: ===
 
 
 
'''1.''' From the error we can conclude that clear-text logins are disabled. To check that through the AdminUI or CLI:
 
* '''AdminUI''': Home '''>''' Configure '''>''' Global Settings '''>''' IMAP '''>''' Enable Clear Text Login.
 
* '''CLI''':
 
a) To check whether it is enabled:
 
 
$ zmprov gacf | grep zimbraImapCleartextLoginEnabled
 
 
b) To modify it, you can run:
 
 
$ zmprov mcf zimbraImapCleartextLoginEnabled TRUE
 
 
 
'''2.''' After changing the value to true, we try again but unfortunately the result is the same. To find out what might be wrong we first run the command:
 
 
[root@one ~]# telnet server.example.com 143
 
Trying 10.10.10.1...
 
Connected to server.example.com.
 
Escape character is '^]'.
 
* OK IMAP4 ready
 
'''a1 capability'''
 
* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE IMAP4rev1 LIST-EXTENDED LIST-STATUS LITERAL+  MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST '''STARTTLS''' '''LOGINDISABLED'''
 
1 OK completed
 
* BYE Zimbra IMAP server terminating connection
 
Connection closed by foreign host.
 
 
In the above output, we run the telnet command again, but this time we issue '''a1 capability'''. Note that "a1" could be anything you like; it's just a tag that marks the commands you run. Looking at the capabilities, the last two (STARTTLS, LOGINDISABLED) give us a clue as to what might be wrong.
 
 
 
'''3.''' We can go to the config files and see where those two are mentioned. We open the file ''/opt/zimbra/conf/attrs/zimbra-attrs.xml'' and look inside:
 
 
<attr id="719" name="zimbraReverseProxyImapEnabledCapability" type="string" max="256" cardinality="multi" optionalIn="globalConfig,server"  flags="serverInherited" requiresRestart="nginxproxy" since="5.0.10">
 
  <globalConfigValue>IMAP4rev1</globalConfigValue>
 
  <globalConfigValue>ACL</globalConfigValue>
 
  <globalConfigValue>BINARY</globalConfigValue>
 
  <globalConfigValue>CATENATE</globalConfigValue>
 
  <globalConfigValue>CHILDREN</globalConfigValue>
 
  <globalConfigValue>CONDSTORE</globalConfigValue>
 
  <globalConfigValue>ENABLE</globalConfigValue>
 
  <globalConfigValue>ESEARCH</globalConfigValue>
 
  <globalConfigValue>ESORT</globalConfigValue>
 
  <globalConfigValue>I18NLEVEL=1</globalConfigValue>
 
  <globalConfigValue>ID</globalConfigValue>
 
  <globalConfigValue>IDLE</globalConfigValue>
 
  <globalConfigValue>LIST-EXTENDED</globalConfigValue>
 
  <globalConfigValue>LIST-STATUS</globalConfigValue>
 
  <globalConfigValue>LITERAL+</globalConfigValue>
 
  <globalConfigValue>MULTIAPPEND</globalConfigValue>
 
  <globalConfigValue>NAMESPACE</globalConfigValue>
 
  <globalConfigValue>QRESYNC</globalConfigValue>
 
  <globalConfigValue>QUOTA</globalConfigValue>
 
  <globalConfigValue>RIGHTS=ektx</globalConfigValue>
 
  <globalConfigValue>SASL-IR</globalConfigValue>
 
  <globalConfigValue>SEARCHRES</globalConfigValue>
 
  <globalConfigValue>SORT</globalConfigValue>
 
  <globalConfigValue>THREAD=ORDEREDSUBJECT</globalConfigValue>
 
  <globalConfigValue>UIDPLUS</globalConfigValue>
 
  <globalConfigValue>UNSELECT</globalConfigValue>
 
  <globalConfigValue>WITHIN</globalConfigValue>
 
  <globalConfigValue>XLIST</globalConfigValue>
 
  <desc>NGINX reverse proxy imap capabilities</desc>
 
</attr>
 
 
 
 
From this output we don't see the last two capabilities that we saw above. To check a little bit deeper, just for info, we can look at the code:
 
 
if (!isAuthenticated()) {
 
      if (!startedTLS && !config.isCleartextLoginEnabled()) {
 
          capability.append(" LOGINDISABLED");
 
      }
 
      if (!startedTLS && extensionEnabled("STARTTLS")) {
 
          capability.append(" STARTTLS");

      }

}
 
 
We see that both capabilities are advertised only while TLS has not been started on the connection (LOGINDISABLED additionally requires that cleartext login is not enabled), which means that these two are conditional and there should be a way to change this behavior.
 
 
'''4.''' The next step is to list all attributes connected to IMAP and see which one most closely matches the situation we are facing. We run:
 
 
$ zmprov gacf | grep -i imap
 
zimbraAdminImapImportNumThreads: 20

zimbraImapBindOnStartup: TRUE

zimbraImapBindPort: 7143

zimbraImapCleartextLoginEnabled: TRUE

zimbraImapExposeVersionOnBanner: FALSE

zimbraImapMaxConnections: 200

... more lines skipped ...

zimbraReverseProxyImapStartTlsMode: only
 
 
From the output we can see an attribute called '''zimbraReverseProxyImapStartTlsMode''' whose value is '''only''', which tells us that nothing except the use of TLS is allowed. Here is its description:
 
 
$ zmprov desc -a zimbraReverseProxyImapStartTlsMode
 
zimbraReverseProxyImapStartTlsMode
 
    on - on the plain POP/IMAP port, starttls is allowed off - no starttls
 
    is offered on plain port only - you have to use starttls before clear
 
    text login
 
              type : enum
 
              value : '''on''','''off''','''only'''
 
          callback :
 
          immutable : false
 
        cardinality : single
 
        requiredIn :
 
        optionalIn : globalConfig,server
 
              flags : serverInherited
 
          defaults : only
 
                min :
 
                max :
 
                id : 641
 
    requiresRestart : nginxproxy
 
              since : 5.0.5
 
    deprecatedSince :
 
 
 
We see the possible values are ''on'', ''off'' and ''only''. The following command will change the value of this attribute to off:
 
 
$ zmprov mcf zimbraReverseProxyImapStartTlsMode off
 
 
 
With the value changed, we run the telnet command again:
 
 
 
[root@one conf]# telnet server.example.com 143
 
Trying 10.10.10.1...
 
Connected to server.example.com.
 
Escape character is '^]'.
 
* OK IMAP4 ready
 
1 capabilities
 
1 BAD invalid command
 
1 capability
 
* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE  IMAP4rev1 LIST-EXTENDED LIST-STATUS LITERAL+ MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST AUTH=PLAIN
 
1 OK completed
 
 
 
This shows us a completely different picture: LOGINDISABLED and STARTTLS are no longer advertised, and AUTH=PLAIN is. Now we are successfully logged in and can start using the server.
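
The two CAPABILITY responses above can also be compared mechanically. The following is an added example, not part of the original page and not Zimbra code: it classifies a pre-authentication CAPABILITY line by how a password may be sent on the plain port and names the '''zimbraReverseProxyImapStartTlsMode''' value that posture corresponds to. The function names and posture labels are hypothetical, the mapping is read off the zmprov description in step 4, and the sample lines are shortened copies of the responses shown above plus one constructed line.

```python
# Added example, not Zimbra code. Names and posture labels are hypothetical;
# the mode mapping is an assumption read off the zmprov description in step 4.

# Shortened copies of the two CAPABILITY responses shown on this page.
BEFORE = "* CAPABILITY ACL BINARY IMAP4rev1 XLIST STARTTLS LOGINDISABLED"
AFTER = "* CAPABILITY ACL BINARY IMAP4rev1 XLIST AUTH=PLAIN"
# Constructed line: STARTTLS offered and cleartext LOGIN not disabled.
MIXED = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"

# Posture -> zimbraReverseProxyImapStartTlsMode value it corresponds to.
MODE_FOR_POSTURE = {
    "starttls-required": "only",
    "cleartext-allowed-starttls-offered": "on",
    "cleartext-only": "off",
}


def parse_capabilities(line):
    """Return the set of capability atoms from an untagged CAPABILITY response."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response")
    return {p.upper() for p in parts[2:]}


def login_posture(line):
    """Classify how credentials may be sent before TLS has been started."""
    caps = parse_capabilities(line)
    login_disabled = "LOGINDISABLED" in caps
    starttls = "STARTTLS" in caps
    if login_disabled and starttls:
        return "starttls-required"           # LOGIN refused until STARTTLS
    if login_disabled:
        return "login-disabled-no-starttls"  # LOGIN refused, no upgrade offered
    if starttls:
        return "cleartext-allowed-starttls-offered"
    return "cleartext-only"                  # no TLS upgrade on this port


def audit(line):
    """Return (posture, matching mode or None, password can travel unencrypted)."""
    posture = login_posture(line)
    exposed = posture in ("cleartext-allowed-starttls-offered", "cleartext-only")
    return posture, MODE_FOR_POSTURE.get(posture), exposed


if __name__ == "__main__":
    for name, line in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        print(name, audit(line))
```
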
 

Latest revision as of 11:03, 21 January 2015
