How to enable clear text login in IMAP (ZCS 8.6)

Description:

Trying to log in to IMAP on ZCS 8.6 resulted in an error:

# telnet server.example.com 143
Trying 10.10.10.1...
Connected to server.example.com.
Escape character is '^]'.
* OK IMAP4 ready
a1 LOGIN user pass
NO cleartext logins disabled
* BYE Zimbra IMAP server terminating connection


Troubleshooting:

1. From the error we can conclude that clear-text logins are disabled. To check that through the AdminUI or CLI:

  • AdminUI: Home > Configure > Global Settings > IMAP > Enable Clear Text Login.
  • CLI:

a) To check whether it is enabled:

$ zmprov gacf | grep zimbraImapCleartextLoginEnabled

b) To modify it, run:

$ zmprov mcf zimbraImapCleartextLoginEnabled TRUE


2. After changing the value to TRUE, we try again, but unfortunately the result is the same. To find out what might be wrong, we first run the command:

# telnet server.example.com 143
Trying 10.10.10.1...
Connected to server.example.com.
Escape character is '^]'.
* OK IMAP4 ready
a1 capability
* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE IMAP4rev1 LIST-EXTENDED LIST-STATUS LITERAL+ MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST STARTTLS LOGINDISABLED
1 OK completed
* BYE Zimbra IMAP server terminating connection
Connection closed by foreign host.

In the above output we run the telnet command again, but this time we send the command a1 capability. Note that "a1" could be anything you like; it is just a tag that lets you match each response to the command you sent. Looking at the capabilities, the last two (STARTTLS, LOGINDISABLED) give us a clue as to what might be wrong.


3. We can go to the config files and see where those two are mentioned. We open the file /opt/zimbra/conf/attrs/zimbra-attrs.xml and look inside:

<attr id="719" name="zimbraReverseProxyImapEnabledCapability" type="string" max="256" cardinality="multi" optionalIn="globalConfig,server"   flags="serverInherited" requiresRestart="nginxproxy" since="5.0.10">
 <globalConfigValue>IMAP4rev1</globalConfigValue>
 <globalConfigValue>ACL</globalConfigValue>
 <globalConfigValue>BINARY</globalConfigValue>
 <globalConfigValue>CATENATE</globalConfigValue>
 <globalConfigValue>CHILDREN</globalConfigValue>
 <globalConfigValue>CONDSTORE</globalConfigValue>
 <globalConfigValue>ENABLE</globalConfigValue>
 <globalConfigValue>ESEARCH</globalConfigValue>
 <globalConfigValue>ESORT</globalConfigValue>
 <globalConfigValue>I18NLEVEL=1</globalConfigValue>
 <globalConfigValue>ID</globalConfigValue>
 <globalConfigValue>IDLE</globalConfigValue>
 <globalConfigValue>LIST-EXTENDED</globalConfigValue>
 <globalConfigValue>LIST-STATUS</globalConfigValue>
 <globalConfigValue>LITERAL+</globalConfigValue>
 <globalConfigValue>MULTIAPPEND</globalConfigValue>
 <globalConfigValue>NAMESPACE</globalConfigValue>
 <globalConfigValue>QRESYNC</globalConfigValue>
 <globalConfigValue>QUOTA</globalConfigValue>
 <globalConfigValue>RIGHTS=ektx</globalConfigValue>
 <globalConfigValue>SASL-IR</globalConfigValue>
 <globalConfigValue>SEARCHRES</globalConfigValue>
 <globalConfigValue>SORT</globalConfigValue>
 <globalConfigValue>THREAD=ORDEREDSUBJECT</globalConfigValue>
 <globalConfigValue>UIDPLUS</globalConfigValue>
 <globalConfigValue>UNSELECT</globalConfigValue>
 <globalConfigValue>WITHIN</globalConfigValue>
 <globalConfigValue>XLIST</globalConfigValue>
 <desc>NGINX reverse proxy imap capabilities</desc>
</attr>


This attribute lists the capabilities the NGINX proxy advertises, and the last two capabilities we saw above (STARTTLS, LOGINDISABLED) are not among them. To check a little deeper, just for information, we can look at the code:


if (!isAuthenticated()) {
    // Advertise LOGINDISABLED while the session is still plain text and
    // cleartext login is switched off in the config
    if (!startedTLS && !config.isCleartextLoginEnabled()) {
        capability.append(" LOGINDISABLED");
    }
    // Offer STARTTLS on the plain port until TLS has actually been started
    if (!startedTLS && extensionEnabled("STARTTLS")) {
        capability.append(" STARTTLS");
    }
}
We see that the two capabilities are added only when TLS has not been started (and, for LOGINDISABLED, only when cleartext login is off), which means that both are conditional and there should be a way to change this behavior.

4. The next thing to check is all attributes connected to IMAP, to see which one most closely resembles the situation we are faced with. We run:

$ zmprov gacf | grep -i imap
zimbraAdminImapImportNumThreads: 20
zimbraImapBindOnStartup: TRUE
zimbraImapBindPort: 7143
zimbraImapCleartextLoginEnabled: TRUE
zimbraImapExposeVersionOnBanner: FALSE
zimbraImapMaxConnections: 200
... (more lines skipped)
zimbraReverseProxyImapStartTlsMode: only

From the output we can see an attribute called zimbraReverseProxyImapStartTlsMode, and its value is only, which tells us that nothing other than the use of TLS is allowed. Here is its description:

$ zmprov desc -a zimbraReverseProxyImapStartTlsMode
zimbraReverseProxyImapStartTlsMode
   on - on the plain POP/IMAP port, starttls is allowed
   off - no starttls is offered on plain port
   only - you have to use starttls before clear text login
              type : enum
             value : on,off,only
          callback :
         immutable : false
       cardinality : single
        requiredIn :
        optionalIn : globalConfig,server
             flags : serverInherited
          defaults : only
               min :
               max :
                id : 641
   requiresRestart : nginxproxy
             since : 5.0.5
   deprecatedSince :


We see the possible values are on, off and only. The following command will change the value of this attribute to off:

$ zmprov mcf zimbraReverseProxyImapStartTlsMode off


With the value changed, we run the telnet command again:


# telnet server.example.com 143
Trying 10.10.10.1...
Connected to server.example.com.
Escape character is '^]'.
* OK IMAP4 ready
1 capabilities
1 BAD invalid command
1 capability
* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE IMAP4rev1 LIST-EXTENDED LIST-STATUS LITERAL+ MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST AUTH=PLAIN
1 OK completed


This shows us a completely different picture: STARTTLS and LOGINDISABLED are gone and AUTH=PLAIN is advertised. Now we can log in successfully and start using the server.
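The checks in steps 2 and 4 above (reading the CAPABILITY response by hand, then reading the two zmprov attributes) can be scripted so that the configured state and the advertised state are compared in one go. The following is an added example, not code from the original article or from Zimbra: the function names, the verdict strings and the sample inputs are its own constructions, the sample capability lists are abbreviated from the two transcripts above, and the rule that only StartTlsMode "only" blocks a plain login (while "on" and "off" both leave it possible) is an assumption drawn from the attribute description shown in step 4.

```python
"""Added example (not part of the article or of Zimbra's code): predict from
zmprov attributes whether a plain IMAP LOGIN on port 143 can work, and classify
what the server actually advertises in its pre-login CAPABILITY response."""
import imaplib
import ssl
from dataclasses import dataclass

# Constructed sample, abbreviated from `zmprov gacf | grep -i imap` in step 4,
# i.e. the state before the fix (StartTlsMode still "only").
SAMPLE_GACF_BEFORE = """\
zimbraImapBindPort: 7143
zimbraImapCleartextLoginEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
"""

# Constructed samples, abbreviated from the two CAPABILITY lines in the article,
# before and after zimbraReverseProxyImapStartTlsMode was set to off.
CAP_BEFORE = ("* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE IMAP4rev1 "
              "LITERAL+ SASL-IR UIDPLUS STARTTLS LOGINDISABLED")
CAP_AFTER = ("* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE IMAP4rev1 "
             "LITERAL+ SASL-IR UIDPLUS AUTH=PLAIN")


def parse_zmprov_attrs(output: str) -> dict:
    """Turn 'name: value' lines from zmprov gacf/gs into a dict.
    Attributes that occur more than once become a list of values."""
    attrs = {}
    for line in output.splitlines():
        if ":" not in line:
            continue  # skip the '... (more lines skipped)' style filler
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return {k: v[0] if len(v) == 1 else v for k, v in attrs.items()}


def config_allows_cleartext_login(attrs: dict) -> bool:
    """Predict from config whether a plain LOGIN on the proxied port can succeed.
    Assumption (from the zmprov desc text): cleartext must be enabled AND the
    proxy must not force STARTTLS, which only the value 'only' does.
    Defaults mirror the attribute defaults shown by zmprov desc."""
    enabled = attrs.get("zimbraImapCleartextLoginEnabled", "FALSE").upper() == "TRUE"
    mode = attrs.get("zimbraReverseProxyImapStartTlsMode", "only").lower()
    return enabled and mode != "only"


@dataclass(frozen=True)
class CapabilityVerdict:
    caps: frozenset
    starttls_offered: bool
    login_disabled: bool
    plain_auth: bool

    def summary(self) -> str:
        """Human-readable reading, matching the article's two transcripts."""
        if self.login_disabled and self.starttls_offered:
            return "LOGIN refused until STARTTLS"
        if self.login_disabled:
            return "LOGIN refused and no STARTTLS offered"
        return "cleartext LOGIN accepted"


def parse_capability(response: str) -> CapabilityVerdict:
    """Parse an untagged '* CAPABILITY ...' line (or the bare token list that
    imaplib keeps) into a verdict. Per RFC 3501 a client must not send LOGIN
    while LOGINDISABLED is advertised and must re-read CAPABILITY after STARTTLS."""
    tokens = response.split()
    if tokens and tokens[0] == "*":
        tokens = tokens[1:]
    if tokens and tokens[0].upper() == "CAPABILITY":
        tokens = tokens[1:]
    caps = frozenset(t.upper() for t in tokens)
    return CapabilityVerdict(caps, "STARTTLS" in caps,
                             "LOGINDISABLED" in caps, "AUTH=PLAIN" in caps)


def live_check(host: str, port: int = 143, timeout: float = 10.0) -> dict:
    """Connect to the plain IMAP port, record the pre-login verdict and, when
    STARTTLS is offered, upgrade and record the post-TLS verdict as well.
    imaplib issues CAPABILITY itself on connect and again after starttls()."""
    result = {}
    with imaplib.IMAP4(host, port, timeout=timeout) as conn:
        result["before_tls"] = parse_capability(" ".join(conn.capabilities))
        if result["before_tls"].starttls_offered:
            conn.starttls(ssl.create_default_context())
            result["after_tls"] = parse_capability(" ".join(conn.capabilities))
    return result


if __name__ == "__main__":
    import sys
    attrs = parse_zmprov_attrs(SAMPLE_GACF_BEFORE)
    print("config predicts plain LOGIN works:", config_allows_cleartext_login(attrs))
    for label, cap in (("before fix", CAP_BEFORE), ("after fix", CAP_AFTER)):
        print(label, "->", parse_capability(cap).summary())
    if len(sys.argv) > 1:  # optional: python3 imapcheck.py server.example.com
        for stage, verdict in live_check(sys.argv[1]).items():
            print(stage, "->", verdict.summary())
```

Run without arguments it only evaluates the embedded samples; with a hostname it performs the same connection the telnet sessions above do, upgrading with STARTTLS when the server offers it. On a host where the proxy still has StartTlsMode "only", the "before_tls" verdict reads "LOGIN refused until STARTTLS" while "after_tls" shows the login path, which is the quickest way to tell a proxy-side TLS requirement apart from zimbraImapCleartextLoginEnabled being FALSE.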
