IMAP/STARTTLS/port 143
Adam Gold
2014-01-20 03:46:45 UTC
I can't believe this question hasn't been answered already however I've
searched the archives and scoured the web with no luck. Anyway, I
really do apologise if I've missed something obvious.

I'm trying to do a simple retrieve from an IMAP server that's configured
to listen on port 143 and requires STARTTLS. My config file is as follows:

[retriever]
type = SimpleIMAPSSLRetriever
server = mailbox.joe.net
username = joe
password = joepassword
port = 143
mailboxes = ALL

[destination]
type = Maildir
path = ~/Mail/

I've tried running SimpleIMAPSSLRetriever with port 143 or port 993; and
then the same with SimpleIMAPRetriever. The error messages I get are:

1) Copyright (C) 1998-2012 Charles Cazabon. Licensed under the GNU GPL
version 2.
SimpleIMAPSSLRetriever: ***@mailbox.joe.net:143:
getmailrc: operation error (socket sslerror during connect ([Errno 1]
_ssl.c:504: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol))
0 messages (0 bytes) retrieved, 0 skipped

2) a timeout with port 993:
getmail version 4.32.0
Copyright (C) 1998-2012 Charles Cazabon. Licensed under the GNU GPL
version 2.
SimpleIMAPSSLRetriever:***@mailbox.joe.net:993:

3) and then if I run SimpleIMAPRetriever with port 143:
Copyright (C) 1998-2012 Charles Cazabon. Licensed under the GNU GPL
version 2.
SimpleIMAPRetriever:***@mailbox.adamgold.net:143:
getmailrc: credential/login error ([PRIVACYREQUIRED] Plaintext
authentication disallowed on non-secure (SSL/TLS) connections.)
0 messages (0 bytes) retrieved, 0 skipped

I can make starttls connections via port 143 from different mail clients
as well as with other tools such as offlineimap. Obviously I don't want
to allow plaintext authentication so I'm trying to work out how I can
connect with getmail in the same way.

Again, sorry if I've missed something obvious but would anyone mind
pointing me in the right direction? Thanks.
v***@sbt.net.au
2014-01-20 04:14:08 UTC
Post by Adam Gold
Copyright (C) 1998-2012 Charles Cazabon. Licensed under the GNU GPL
getmailrc: credential/login error ([PRIVACYREQUIRED] Plaintext
authentication disallowed on non-secure (SSL/TLS) connections.) 0 messages
(0 bytes) retrieved, 0 skipped
Adam,

it works for me without specifying any port like so:

$ getmail
getmail version 4.43.0
Copyright (C) 1998-2012 Charles Cazabon. Licensed under the GNU GPL
version 2.
SimpleIMAPSSLRetriever:***@xyz.com@xyz.net:993:
msg 6/6 (2047 bytes) delivered
1 messages (2047 bytes) retrieved, 5 skipped
---
[retriever]
type = SimpleIMAPSSLRetriever
server = xyz.net
username = ***@xyz.com
password = abc123


BUT, fwiw, if I edit config and change to "type = SimpleIMAPRetriever"
it still works, (though, I didn't think my server allows non-ssl
connections):

$ getmail
getmail version 4.43.0
Copyright (C) 1998-2012 Charles Cazabon. Licensed under the GNU GPL
version 2.
SimpleIMAPRetriever:***@xyz.com@xyz.net:143:
msg 1/6 (12841 bytes) delivered
...//...
msg 6/6 (2047 bytes) delivered
6 messages (43323 bytes) retrieved, 0 skipped

fwiw, IMAP log says: "secured" or "TLS"
Adam Gold
2014-01-20 10:17:29 UTC
Post by v***@sbt.net.au
Post by Adam Gold
Copyright (C) 1998-2012 Charles Cazabon. Licensed under the GNU GPL
getmailrc: credential/login error ([PRIVACYREQUIRED] Plaintext
authentication disallowed on non-secure (SSL/TLS) connections.) 0 messages
(0 bytes) retrieved, 0 skipped
Adam,
$ getmail
getmail version 4.43.0
Copyright (C) 1998-2012 Charles Cazabon. Licensed under the GNU GPL
version 2.
msg 6/6 (2047 bytes) delivered
1 messages (2047 bytes) retrieved, 5 skipped
---
[retriever]
type = SimpleIMAPSSLRetriever
server = xyz.net
password = abc123
Well that's interesting to know that it *can* work with such a
configuration.
Post by v***@sbt.net.au
BUT, fwiw, if I edit config and change to "type = SimpleIMAPRetriever"
it still works, (though, I didn't think my server allows non-ssl
$ getmail
getmail version 4.43.0
Copyright (C) 1998-2012 Charles Cazabon. Licensed under the GNU GPL
version 2.
msg 1/6 (12841 bytes) delivered
...//...
msg 6/6 (2047 bytes) delivered
6 messages (43323 bytes) retrieved, 0 skipped
fwiw, IMAP log says: "secured" or "TLS"
I tried with both the SimpleIMAPRetriever and SSL version omitting the
port number but still the same issue. The Dovecot log at the remote
server says:
imap-login: Info: Aborted login (tried to use disallowed plaintext
auth): user=<>, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx, session=<KqW7BmTwDwBfVQK3>

I notice it doesn't include a username, I'm assuming it's because the
call is rejected before any information can be exchanged.

One other thought: I noticed you're using version 4.43.0. I'm using
4.32.0. I'm wondering whether it's worth me uninstalling my package
manager version (Debian) and downloading the latest source...?

Anyway, many thanks for your comments.
Adam Gold
2014-01-20 10:25:41 UTC
Post by Adam Gold
One other thought: I noticed you're using version 4.43.0. I'm using
4.32.0. I'm wondering whether it's worth me uninstalling my package
manager version (Debian) and downloading the latest source...?
I uninstalled 4.32.0 and installed 4.43.0 from the tarball but still no
difference...
v***@sbt.net.au
2014-01-20 10:55:22 UTC
Post by Adam Gold
imap-login: Info: Aborted login (tried to use disallowed plaintext
auth): user=<>, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx,
session=<KqW7BmTwDwBfVQK3>
how is your dovecot configured, mine is:
# dovecot --version
2.0.21

# grep ssl dovecot.conf
ssl = required

# grep disable_plaintext_auth dovecot.conf
disable_plaintext_auth = yes

# With disable_plaintext_auth=yes AND ssl=required, STARTTLS is mandatory.
# Set disable_plaintext_auth=no AND ssl=yes to allow plain password transmitted

with mail client, I normally use port 143 rather than getmail uses 993,
I was going to try getmail ssl over port 143 (though, ultimately, don't
think I really care what port it runs, anyhow)
v***@sbt.net.au
2014-01-21 00:24:01 UTC
My guess is getmail ssl won't work over 143 as 143 requires starttls but
if you don't mind trying, it would be interesting to hear the results.
I think you are correct, see below:
whether I explicitly specify port, or not, makes no difference here, in
correct config

(not that this matters to your issues, I'm somehow at a loss why I'm getting
mail with non-SSL SimpleIMAPRetriever, (from a mobile mail client it fails
(as I was expecting, given dovecot setup));

my normal config pass:

$ getmail
..
SimpleIMAPSSLRetriever:***@myserver.com@myserver.com:993:
0 messages (0 bytes) retrieved, 6 skipped

port specified

$ getmail
..
SimpleIMAPSSLRetriever:***@myserver.com@myserver.com:143:
getmailrc: operation error (socket sslerror during connect ([Errno 1]
_ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol))
0 messages (0 bytes) retrieved, 0 skipped

removed SSL, port specified

$ getmail
..
SimpleIMAPRetriever:***@myserver.com@myserver.com:143:
msg 6/6 (1084 bytes) delivered
1 messages (1084 bytes) retrieved, 5 skipped


$ getmail
..
SimpleIMAPRetriever:***@myserver.com@myserver.com:993:
^C getmailrc: user aborted
0 messages (0 bytes) retrieved, 0 skipped

specified port

$ getmail
..
SimpleIMAPSSLRetriever:***@myserver.com@myserver.com:993:
0 messages (0 bytes) retrieved, 6 skipped
$
Charles Cazabon
2014-01-28 02:34:28 UTC
Post by Adam Gold
I'm trying to do a simple retrieve from an IMAP server that's configured
That would be your problem; getmail doesn't do STARTTLS. It does plain IMAP4,
and IMAP4-over-SSL. STARTTLS support does not exist in the imap module of the
Python standard library, at least not in all the versions it would need to be
in for me to support it.

Use IMAP4-over-SSL if your server provides it.

Charles
--
-----------------------------------------------------------------------
Charles Cazabon
GPL'ed software available at: http://pyropus.ca/software/
-----------------------------------------------------------------------
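
Added example, not part of the thread and not getmail code: the client-side decision the thread turns on, written against Python's standard imaplib, whose IMAP4.starttls() method exists in Python 3.2 and later. The function names and the sample greeting are constructed for illustration; the client upgrades with STARTTLS on port 143 and refuses to send LOGIN in cleartext when the upgrade is not offered.

```python
import imaplib
import ssl

# Constructed sample: a server greeting on port 143 that advertises STARTTLS
# and forbids LOGIN before TLS (LOGINDISABLED, RFC 3501).
SAMPLE_GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready.\r\n"


def parse_capabilities(line):
    """Return the capability atoms from a greeting or untagged CAPABILITY line."""
    text = line.decode("ascii", "replace") if isinstance(line, bytes) else line
    upper = text.upper()
    idx = upper.find("CAPABILITY")
    if idx < 0:
        return set()
    rest = upper[idx + len("CAPABILITY"):]
    rest = rest.split("]", 1)[0]  # greeting form: * OK [CAPABILITY ...] text
    return set(rest.split())


def next_step(caps, tls_active):
    """Decide what the client may do next: 'login', 'starttls' or 'refuse'."""
    if tls_active:
        return "login"        # credentials travel inside TLS
    if "STARTTLS" in caps:
        return "starttls"     # upgrade first, then authenticate
    return "refuse"           # never fall back to a cleartext LOGIN


def connect_starttls(host, user, password, port=143):
    """Plain connect on 143, upgrade with STARTTLS, then log in (hypothetical helper)."""
    conn = imaplib.IMAP4(host, port)
    caps = {c.upper() for c in conn.capabilities}
    if next_step(caps, tls_active=False) != "starttls":
        conn.shutdown()
        raise RuntimeError("server does not offer STARTTLS; credentials not sent")
    # Default context verifies the certificate chain and the host name.
    conn.starttls(ssl_context=ssl.create_default_context())
    conn.login(user, password)
    return conn
```

For a server that offers implicit TLS on port 993, imaplib.IMAP4_SSL is the equivalent of getmail's SimpleIMAPSSLRetriever and needs no upgrade step.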