mirror of
https://github.com/imapsync/imapsync.git
synced 2024-11-16 15:52:47 +01:00
301 lines
13 KiB
Plaintext
301 lines
13 KiB
Plaintext
#!/bin/cat
|
|
$Id: FAQ.OnlineUI.txt,v 1.36 2022/09/14 11:18:05 gilles Exp gilles $
|
|
|
|
This document is also available online at
|
|
https://imapsync.lamiral.info/FAQ.d/
|
|
https://imapsync.lamiral.info/FAQ.d/FAQ.OnlineUI.txt
|
|
|
|
=====================================================================
|
|
Imapsync tips about the online visual user interfaces
|
|
https://imapsync.lamiral.info/X/
|
|
=====================================================================
|
|
|
|
Questions answered in this FAQ are:
|
|
|
|
Q. Can I launch several imap synchronizations on the visual
|
|
user interface /X?
|
|
|
|
Q. How secure is the online visual user interface /X?
|
|
|
|
Q. Does the online service store any sensitive information
|
|
like my passwords?
|
|
|
|
Q. I want to switch from the visual interface /X to the
|
|
imapsync command line or to the script examples
|
|
https://imapsync.lamiral.info/#DOC_BASIC
|
|
What should I know?
|
|
|
|
Q. Shall I have issues when the browser times out?
|
|
What happens if the browser connection is closed for whatever reason?
|
|
|
|
Q. Shall I have issues when the webserver times out? What happens
|
|
if the web server closes the connection for whatever reason?
|
|
|
|
Q. The sync stalls at the beginning, just after a line like:
|
|
"Host1: xxx says it has CAPABILITY for AUTHENTICATE LOGIN"
|
|
What is the problem?
|
|
|
|
Q. The synchronization fails with the error message like:
|
|
Err 1/1: Host1 failure: Error login on [10.1.161.155] with user [webmaster@truc.com] auth [LOGIN]: 2 NO [ALERT] LOGIN DENIED -- COUNTRY IS BLACKLISTED
|
|
|
|
Now the questions again with their answers.
|
|
|
|
=====================================================================
|
|
Q. Can I launch several imap synchronizations on the visual
|
|
user interface /X?
|
|
|
|
A. Yes. Open several tabs/windows on your browser and fill each one
|
|
with different credentials.
|
|
|
|
=====================================================================
|
|
Q. How secure is the online visual user interface /X?
|
|
|
|
A0. Well, I don't know if asking the provider whether his online
|
|
service is secure or not would be of any interest.
|
|
Let's do it anyway, you'll be the judge.
|
|
|
|
A1. Some figures
|
|
|
|
Date of this report: 24 December 2021. Happy Christmas!
|
|
|
|
The online imapsync service /X started 9 January 2017,
|
|
5 years ago (1810 days of service).
|
|
|
|
On average, /X has 51 users per day, each user lunches on average
|
|
6 account migrations, from just 1 launch to many (hundreds).
|
|
|
|
The total volume /X transferred so far is around 240 TiB coming
|
|
from nearly 520 000 imap account migrations and 810 million email messages.
|
|
|
|
A2. Pros & Cons
|
|
|
|
The online imapsync service /X runs on HTTPS only, with a letsencrypt
|
|
certificate, an up to date certificate overall rated "A+" at
|
|
https://www.ssllabs.com/ssltest/analyze.html?d=imapsync.lamiral.info
|
|
|
|
Because of the HTTPS usage, what the users enter in their browser, the
|
|
imap logins and passwords, can't be eavesdropped on the network.
|
|
|
|
Imapsync itself takes care of encryption for the imap sessions, if
|
|
possible. First, imapsync tries to use SSL on port 993, then TLS on
|
|
port 143 if the servers announce TLS, then no encryption at all.
|
|
Concerning encryption, what is done with the source imap server host1
|
|
is independent of what is done with the destination imap server host2.
|
|
|
|
On the date of 24 December 2021, there is no security problem detected
|
|
or reported to me (Gilles LAMIRAL), so far.
|
|
|
|
Concerning the Log4j threats, the imapsync server doesn't use Log4j at
|
|
all, so it should be safe about this issue.
|
|
|
|
Feel free to attack the service and feel free to report any hole
|
|
encountered. Have in mind that I can watch what you do from the
|
|
server-side, and then take measures if the service suffers from your
|
|
acts. Drop me a note before will be fair play and I will let you act
|
|
as harsh as you can.
|
|
|
|
As the owner of the service, it could have been 520 000 pairs of
|
|
credentials collected and nearly 240 terabytes of email messages.
|
|
That's massive. I haven't kept them but I can't prove I haven't. It's
|
|
just trust, like nearly every online service in the universe.
|
|
|
|
Concerning imapsync transfers, the imap server certificates are not
|
|
checked for authenticity by default because too many imap servers are
|
|
crappy configured regarding their certified certificates.
|
|
|
|
This default behavior is chosen like this because users of /X
|
|
want their emails transferred, instead of being not transferred
|
|
because of an incompetent imap server sysadmin.
|
|
|
|
I admit that this part, checking imap ssl/tls certificates,
|
|
could be improved from my side by including well known
|
|
certificates directly in imapsync.
|
|
|
|
If an imap server doesn't honor ssl nor tls, then logins, passwords
|
|
and everything will go clear text during the imap transfers. That's
|
|
not good at all! But what "comforts" me is that if an imap server does
|
|
only clear text transfers, then it's also true for all the imap
|
|
sessions the account owner encounters, imapsync is just one of them;
|
|
the imap servers are then always unsecured for any imap software
|
|
client.
|
|
|
|
Last point, who could be sure that no cracker cracked the online hosts
|
|
and that he isn't currently sniffing the credentials?
|
|
|
|
No one! I'm not sure myself, even if I do take care of that
|
|
possibility. So changing the imap accounts passwords after
|
|
the sync is a safe and recommended practice! You can even
|
|
change the password just after imapsync has started its job,
|
|
just after a successful login. This way you know the previously
|
|
given password is no longer working just after imapsync has
|
|
started its job.
|
|
|
|
=====================================================================
|
|
Q. Does the online service store any sensitive information
|
|
like my passwords?
|
|
|
|
No.
|
|
|
|
The online passwords are kept by your browser. The goal is that the
|
|
next time you run a sync from your browser, all the parameters are
|
|
already there without having to re-enter them. The save is done when
|
|
you click on the "Sync or resync" green button. So, if you don't want
|
|
your browser to keep your password, enter a wrong one or empty the
|
|
password field and click on the "Sync or resync" green button, the
|
|
wrong password will be saved in your browser and no sync will be done,
|
|
since a correct login is mandatory to do anything on your mailboxes.
|
|
|
|
=====================================================================
|
|
Q. I want to switch from the visual interface /X to the
|
|
imapsync command line or to the script examples
|
|
https://imapsync.lamiral.info/#DOC_BASIC
|
|
What should I know?
|
|
|
|
A. Let's do some ascii art.
|
|
The visual interface looks roughly like this, for the textfields input part:
|
|
|
|
+------------------------------------------+------------------------------------------+
|
|
| IMAP source Mailbox | IMAP destination Mailbox |
|
|
| | |
|
|
| Login (usually an email address) | Login (usually an email address) |
|
|
| | |
|
|
| test1 | test2 |
|
|
| | |
|
|
| Password | Password |
|
|
| | |
|
|
| secret1 | secret2 |
|
|
| | |
|
|
| IMAP Server hostname (or its IP address) | IMAP Server hostname (or its IP address) |
|
|
| | |
|
|
| test1.lamiral.info | test2.lamiral.info |
|
|
| | |
|
|
+------------------------------------------+------------------------------------------+
|
|
|
|
Notice the 6 examples values I put in the previous "picture":
|
|
|
|
* test1
|
|
* secret1
|
|
* test1.lamiral.info
|
|
|
|
* test2
|
|
* secret2
|
|
* test2.lamiral.info
|
|
|
|
|
|
The corresponding imapsync command line on Windows is:
|
|
|
|
imapsync.exe --host1 "test1.lamiral.info" --user1 "test1" --password1 "secret1" ^
|
|
--host2 "test2.lamiral.info" --user2 "test2" --password2 "secret2"
|
|
|
|
The order of the parameters is whatever you want as long as you respect each pair
|
|
like: --optionname "value"
|
|
|
|
There is no need to type this in a command prompt window, just use the example script
|
|
https://imapsync.lamiral.info/examples/imapsync_example.bat
|
|
|
|
|
|
The corresponding imapsync command line on Linux is:
|
|
|
|
imapsync --host1 "test1.lamiral.info" --user1 "test1" --password1 "secret1" \
|
|
--host2 "test2.lamiral.info" --user2 "test2" --password2 "secret2"
|
|
|
|
There is no need to type this in a command prompt window, just use the example script
|
|
https://imapsync.lamiral.info/examples/imapsync_example.sh
|
|
|
|
=====================================================================
|
|
Q. Shall I have issues with the browser timing out?
|
|
What happens if the browser connection is closed for whatever reason?
|
|
|
|
A. A browser connection closed closes also the imapsync process,
|
|
ie, the sync is ended right away.
|
|
|
|
Further comments on this behavior.
|
|
|
|
When using the /X interface there are three connections.
|
|
One connection is the Browser/WebServer connection,
|
|
the two other connections are the WebServer/ImapServers
|
|
connections (imapsync stuff).
|
|
|
|
If the Browser/WebServer connection timeouts or ends,
|
|
the imapsync sync is also ended immediately by the remote
|
|
Apache HTTPS server. Technically, Apache sends a TERM signal
|
|
to the imapsync process, then wait some seconds before
|
|
sending a KILL signal if the imapsync process is still alive.
|
|
|
|
You can relaunch the sync with the "Sync!" button, at any time.
|
|
If the "Sync!" button is gray/inactive then just reload
|
|
the page (F5 or similar), and reenter the credentials.
|
|
|
|
If the interface tells you that the sync is already going on,
|
|
it may be that the sync is running from another browser or place.
|
|
You can stop this sync with the "Abort!" button from any /X
|
|
tab/window, even from another browser or place. To be able
|
|
to abort with success, you have to give the same account
|
|
parameters, same credentials, or imapsync will ignore the demand.
|
|
|
|
In other words, you can try safely to launch several parallel
|
|
runs between the same mailboxes. Open a new tab/windows with /X,
|
|
and start the same sync. It's safe, the /X page will say that
|
|
there is already one sync running and it will present
|
|
the logfile running the sync like a "tail -f" command (isn't that magic?).
|
|
|
|
=====================================================================
|
|
Q. Shall I have issues when the webserver times out? What happens
|
|
if the web server closes the connection for whatever reason?
|
|
|
|
A. If the webserver closes the connection then usually it also
|
|
kills the imapsync process and the imap connections as well.
|
|
|
|
The current webserver timeout at
|
|
https://imapsync.lamiral.info/X/
|
|
is 3600 secondes, one hour.
|
|
|
|
=====================================================================
|
|
Q. The sync stalls at the beginning, just after a line like:
|
|
"Host1: xxx says it has CAPABILITY for AUTHENTICATE LOGIN"
|
|
What is the problem?
|
|
|
|
A. I've seen this issue on /X with the imap server
|
|
CommuniGate Pro IMAP Server 6.0.11
|
|
|
|
The issue looks related to special characters in the password.
|
|
Solution for now: change the password, keep only standard (ASCII)
|
|
alphanumeric characters ABC-YZ abc-yz 012-89.
|
|
|
|
=====================================================================
|
|
Q. The synchronization fails with the error message like:
|
|
Err 1/1: Host1 failure: Error login on [10.1.161.155] with user [webmaster@truc.com] auth [LOGIN]: 2 NO [ALERT] LOGIN DENIED -- COUNTRY IS BLACKLISTED
|
|
|
|
A. The message "[ALERT] LOGIN DENIED -- COUNTRY IS BLACKLISTED" comes directly
|
|
from the IMAP server at 10.1.161.155
|
|
|
|
It looks like that the 10.1.161.155 imap server filters incoming
|
|
connexions based on their IPS. In that case, here are the current
|
|
IPs of the imapsync online service (September 2022):
|
|
|
|
ks5.lamiral.info has address 91.121.221.224
|
|
ks5ipv6.lamiral.info has IPv6 address 2001:41d0:2:84e0::1
|
|
ks6.lamiral.info has address 5.39.87.81
|
|
ks6ipv6.lamiral.info has IPv6 address 2001:41d0:8:9951::1
|
|
ks7.lamiral.info has address 5.135.177.225
|
|
ks7ipv6.lamiral.info has IPv6 address 2001:41d0:8:b8e1::1
|
|
i050.lamiral.info has address 213.32.72.139
|
|
i050ipv6.lamiral.info has IPv6 address 2001:41d0:302:1000::155d
|
|
vp3.lamiral.info has address 51.178.81.27
|
|
vp3ipv6.lamiral.info has IPv6 address 2001:41d0:404:200::4d81
|
|
vp4.lamiral.info has address 51.38.34.201
|
|
vp4ipv6.lamiral.info has IPv6 address 2001:41d0:305:2100::4c46
|
|
|
|
The imapsync online service may contact your imap server with one
|
|
or more of those IP addresses.
|
|
|
|
CPhulk of Cpannel has a buildin country block that can cause this behavior.
|
|
Later on you may encountered issues with maximum sessions per ip.
|
|
You can change that within cPannel.
|
|
|
|
https://support.cpanel.net/hc/en-us/articles/4406663082519-What-is-cPHulk-
|
|
https://docs.cpanel.net/whm/security-center/cphulk-brute-force-protection/
|
|
|
|
=====================================================================
|
|
=====================================================================
|