Dear all,
is it possible to deactivate the TLS verification?
I want to synchronize mails from an internal mail server which has no valid certificate.
With Outlook IMAP access to this server works well but with imapsync I get the error “Verify the TLS encryption, IMAPS or STARTTLS”.
Thanks
Kind regards
I can’t find a way to customize a UI task to disable cert verification, see GitHub. Maybe it’s possible to edit the file but at least updates will overwrite it.
But it’s possible to use custom scripts which means you can add cronjobs and customize the imapsync command to not verify the cert.
From Imapsync Security FAQ:
to set SSL_verify_mode to SSL_VERIFY_PEER on host1
and SSL_verify_mode to SSL_VERIFY_NONE on host2
imapsync ... --ssl1 --ssl2 \
--sslargs1 SSL_verify_mode=1 \
--sslargs2 SSL_verify_mode=0
I never tested it but --sslargs2 SSL_verify_mode=0 should be enough to disable verification.
@stephdl do you see another way how to disable SSL verification?
Thanks for the information.
Sorry, but what does NFR mean?
I do not know it.
Does it mean non-functional requirement?
New feature request
Could you please test the synchronization manually with the settings? I do not understand, the lead developer states that verification is disabled
======================================================================
Q. Imapsync used to use SSL_VERIFY_PEER now it uses SSL_VERIFY_NONE.
How can I change this back to the more secure SSL_VERIFY_PEER?
R. After imapsync 1.673,
to set SSL_verify_mode to SSL_VERIFY_PEER on host1
and SSL_verify_mode to SSL_VERIFY_NONE on host2
imapsync ... --ssl1 --ssl2 \
--sslargs1 SSL_verify_mode=1 \
--sslargs2 SSL_verify_mode=0
See "perldoc IO::Socket::SSL" for all possibilities, also at
http://search.cpan.org/perldoc?IO%3A%3ASocket%3A%3ASSL
It might be possible you need an extra option
--sslargs1 SSL_ca_file=/etc/ssl/certs/ca-certificates.crt
to help the ssl software verifying the server certificate.
The file ca-certificates.crt may be elsewhere on your system, even
named differently.
The imap server certificates are not checked for authenticity
by imapsync by default because too many imap servers are crappy
configured regarding certified certificates.
This default behavior is chosen like this because users
want their emails transferred, instead of being not transferred
because of an incompetent imap server sysadmin.
I admit that this part, checking imap ssl/tls certificates,
could be improved from my side by including well known
certificates directly in imapsync.
Drop me a note to encourage me, I'm lazy.
https://imapsync.lamiral.info/FAQ.d/FAQ.Security.txt
the alpine version should be good :-?
https://pkgs.alpinelinux.org/packages?name=imapsync&branch=v3.19&repo=&arch=&maintainer=
just tested on a local nethserver 8 on my network with the external IP
workable with starttls (tcp 143) and imaps (tcp 993), I have the default self signed certificate and I use the external IP
so not reproducible…do you use an external exchange server, what is your email server
cc @davidep
Thanks for the Answer.
I tested with SSL on Port 993 and with STARTTLS on Port 143. On both I get the same Error. In Outlook both work after I accept the not trusted certificate.
Regards
Thanks for the answer and your help. It is an old exchange server. I use the internal / local IP address. Both, the nethserver and the exchange server are only internal and have no (valid) certificates.
Well, I think you have some clues, please follow the documentation. I bet the root cause is exchange
https://imapsync.lamiral.info/FAQ.d/FAQ.Exchange.txt
Try with a custom task. The exchange case was not a study case mainly because I do not have one in my hand
Sorry for the delay.
And thanks for the Help.
I tried again and made screenshots.
Out of the log:
[1:imapsync1:agent@imapsync1] task/module/imapsync1/880a39ae-9e5e-4ed5-8ef5-d8c1c9c2f6e1: action “create-task” status is “validation-failed” (4) at step 30Imapsync_validation
[1:imapsync1:imapsync] Err 1/1: Host1 failure: can not open imap connection on host1 [192.168.101.254] with user [username]: Unable to connect to 192.168.101.254: SSL connect attempt failed error:0A000102:SSL routines::unsupported protocol
Out of the log:
[1:imapsync1:agent@imapsync1] task/module/imapsync1/0ed9aef8-12cf-455c-b32e-c4637e9fab51: action “create-task” status is “validation-failed” (4) at step 30Imapsync_validation
[1:imapsync1:imapsync] Err 1/1: Host1 failure: Can not go to tls encryption on host1 [192.168.101.254]: Unable to start TLS: SSL connect attempt failed error:0A000102:SSL routines::unsupported protocol
I don’t know why I get “unsupported protocol”.
With Outlook IMAP it works.
Sorry for the delay.
And thanks for the Help.
I tried:
./imapsync --host1 "192.168.101.254" --user1 "username" --password1 "password" --sslargs1 "SSL_verify_mode=0" --host2 "nethserver" --user2 "username" --password2 "password"
Out of the Log:
Host1: probing ssl on port 993 ( use --nosslcheck to avoid this ssl probe )
Host1: sslcheck did not detected open ssl port 993. Will use standard 143 port.
Host1: connecting and login on host1 [192.168.101.254] port [143] with user [username]
Host1 banner: * OK The Microsoft Exchange IMAP4 service is ready.
Host1: going to ssl because STARTTLS is in CAPABILITY. Use --notls1 or --notls2 to avoid that behavior
Host1 failure: Can not go to tls encryption on host1 [192.168.101.254]: Unable to start TLS: SSL connect attempt failed error:0A000102:SSL routines::unsupported protocol
I don’t know why I get “unsupported protocol”.
With Outlook IMAP it works.
It seems IMAPS on port 993 is firewalled or just not enabled on the Exchange Server.
You could try to connect to IMAP (143) without encryption by removing the --sslargs1 option from the imapsync command.
Maybe you additionally need to add --notls1 and/or --nossl1 to the command, see also https://imapsync.lamiral.info/README
Thanks
As I understood, I need both (--notls1 and --nossl1) for no encryption.
So i tested this.
Out of the log:
Host1 failure: Error login on [192.168.101.254] with user [username] auth [LOGIN]: 2 BAD Command received in Invalid state.
I think this makes sense because the exchange server needs ssl or starttls.
“It seems IMAPS on port 993 is firewalled or just not enabled on the Exchange Server.”
IMAP over port 993 with SSL works with Outlook.
So the port must be open.
(IMAP over port 143 with STARTTLS works also with Outlook.)
I will try to do more test with other parameters.
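As an added example (not part of the thread and not imapsync code), the following decodes the OpenSSL error strings in the log lines quoted above and separates certificate-verification failures from protocol-version failures, which shows whether SSL_verify_mode can influence the outcome at all. The function names are hypothetical, and the certificate-failure line is constructed for comparison.

```python
import re

ERR_LIB_SSL = 20  # OpenSSL library number behind "SSL routines"
# Reason codes (OpenSSL sslerr.h) mapped to a failure class.
REASONS = {
    134: "certificate",       # certificate verify failed
    258: "protocol-version",  # unsupported protocol
}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*)::(.+)$")

def decode(line):
    """Return lib, reason, text and class for an OpenSSL 3.x error in a log line."""
    m = ERR_RE.search(line.strip())
    if not m:
        return None
    code = int(m.group(1), 16)
    # OpenSSL 3.x packing: bits 23-30 hold the library, bits 0-22 the reason.
    lib, reason = (code >> 23) & 0xFF, code & 0x7FFFFF
    klass = REASONS.get(reason, "other") if lib == ERR_LIB_SSL else "other"
    return {"lib": lib, "reason": reason, "text": m.group(3), "class": klass}

def verify_mode_relevant(line):
    """True only when the failure is a certificate check, which is all that
    SSL_verify_mode controls; version negotiation fails before that step."""
    d = decode(line)
    return bool(d) and d["class"] == "certificate"

# Failure lines quoted in the thread above (IMAPS on 993, STARTTLS on 143).
THREAD_LINES = [
    "Host1 failure: can not open imap connection on host1 [192.168.101.254] "
    "with user [username]: Unable to connect to 192.168.101.254: SSL connect "
    "attempt failed error:0A000102:SSL routines::unsupported protocol",
    "Host1 failure: Can not go to tls encryption on host1 [192.168.101.254]: "
    "Unable to start TLS: SSL connect attempt failed "
    "error:0A000102:SSL routines::unsupported protocol",
]
# Constructed line (not from the thread): what a rejected certificate looks like.
CONSTRUCTED_CERT_LINE = (
    "Host1 failure: SSL connect attempt failed "
    "error:0A000086:SSL routines::certificate verify failed"
)

if __name__ == "__main__":
    for line in THREAD_LINES + [CONSTRUCTED_CERT_LINE]:
        d = decode(line)
        print(d["class"], "| SSL_verify_mode relevant:", verify_mode_relevant(line))
```

Both lines from the thread decode to the protocol-version class, so they are independent of certificate validity and of --sslargs1 SSL_verify_mode=0.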