#!/bin/cat $Id: FAQ.OnlineUI.txt,v 1.46 2023/12/31 18:19:39 gilles Exp gilles $ This document is also available online at https://imapsync.lamiral.info/FAQ.d/ https://imapsync.lamiral.info/FAQ.d/FAQ.OnlineUI.txt ===================================================================== Imapsync tips about the online visual user interfaces https://imapsync.lamiral.info/X/ ===================================================================== Questions answered in this FAQ are: Q. Can I launch several imap synchronizations on the visual user interface /X? Q. How secure is the online visual user interface /X? Q. Does the online service store any sensitive information like my passwords? Q. Where is the entered data on the website be stored? Q. I want to switch from the visual interface /X to the imapsync command line or to the script examples https://imapsync.lamiral.info/#DOC_BASIC What should I know? Q. Shall I have issues when the browser times out? What happens if the browser connection is closed for whatever reason? Q. Shall I have issues when the webserver times out? What happens if the web server closes the connection for whatever reason? Q. The sync stalls at the beginning, just after a line like: "Host1: xxx says it has CAPABILITY for AUTHENTICATE LOGIN" What is the problem? Q. The synchronization fails with the error message like: Err 1/1: Host1 failure: Error login on [10.1.161.155] with user [webmaster@truc.com] auth [LOGIN]: 2 NO [ALERT] LOGIN DENIED -- COUNTRY IS BLACKLISTED Now the questions again with their answers. ===================================================================== Q. Can I launch several imap synchronizations on the visual user interface /X? A. Yes. Open several tabs/windows on your browser and fill each one with different credentials. ===================================================================== Q. How secure is the online visual user interface /X? A0. Well, I don't know if asking the provider whether his online service is secure or not would be of any interest. Let's do it anyway, you'll be the judge. A1. Some figures Date of this report: 20 February 2023 with some parts updated later, with dates mentioned. The online imapsync service /X started 9 January 2017, 6 years ago (2233 days of service, days_since_first_use_all_times). On average in 2022, /X has 138 users per day, each user lunches on average 3 account migrations, from just one launch to many (hundreds). The total volume /X transferred in 2022 is around 102 TiB coming from nearly 164 000 imap account migrations and 306 million email messages. Data provided from commands "summary_display 2022" and "stat_all 2022". A2. Pros & Cons The online imapsync service /X runs on HTTPS only, with a letsencrypt certificate, an up to date certificate overall rated green "A" at https://www.ssllabs.com/ssltest/analyze.html?d=imapsync.lamiral.info Because of the HTTPS usage, what the users enter in their browser, the imap logins and passwords, can't be eavesdropped on the network. The imapsync website has a mixed history https://observatory.mozilla.org/analyze/imapsync.lamiral.info From F to A+ to F to A+ (30 December 2023). Imapsync itself takes care of encryption for the imap sessions, if possible. First, imapsync tries to use SSL on port 993, then TLS on port 143 if the servers announce TLS, then no encryption at all. Concerning encryption, what is done with the source imap server host1 is independent of what is done with the destination imap server host2. On the date of 20 February 2023, there is no security problem detected or reported to me (Gilles LAMIRAL), so far. Concerning the Log4j threats, the imapsync server doesn't use Log4j at all, so it should be safe about this issue. Feel free to attack the service and feel free to report any hole encountered. Have in mind that I can watch what you do from the server-side, and then take measures if the service suffers from your acts. Droping me a note before will be fair play and I will let you act as harsh as you can. As the owner of the service, it could have been 700 000 pairs of credentials collected and nearly 340 terabytes of email messages. That's massive. I haven't kept them but I can't prove I haven't. It's just trust, like nearly every online service in the universe. Concerning imapsync transfers, the imap server certificates are not checked for authenticity by default because too many imap servers are crappy configured regarding their certified certificates. This default behavior is chosen like this because users of /X want their emails transferred, instead of being not transferred because of an incompetent or absent imap server sysadmin. I admit that this part, checking imap ssl/tls certificates, could be improved from my side by including well known certificates directly in imapsync. If an imap server doesn't honor ssl nor tls, then logins, passwords and everything will go clear text during the imap transfers. That's not good at all! But what "comforts" me is that if an imap server does only clear text transfers, then it's also true for all the imap sessions the account owner encounters, imapsync is just one of them; the imap servers are then always unsecured for any imap software client. Last point, who could be sure that no cracker cracked the online hosts and that he isn't currently sniffing the credentials? No one! I'm not sure myself, even if I do take care of that possibility. So changing the imap accounts passwords after the sync is a safe and recommended practice! You can even change the password just after imapsync has started its job, just after a successful login. This way you know the previously given password is no longer working just after imapsync has started its job. ===================================================================== Q. Does the online service store any sensitive information like my passwords? A. No. The online passwords are kept by your browser. The goal is that the next time you run a sync from your browser, all the parameters are already there without having to re-enter them. The save is done when you click on the "Sync or resync" green button. So, if you don't want your browser to keep your password, enter a wrong one or empty the password field and click on the "Sync or resync" green button, the wrong password will be saved in your browser and no sync will be done, since a correct login is mandatory to do anything on your mailboxes. ===================================================================== Q. Where is the entered data on the website stored? A. The logfile of the imapsync session, the output you see along the sync, also all dumped out at the end of a sync, is kept for a while in a dedicated temporary directory. It helps me diagnosis what happened when you contact me for a problem. I also extract data to calculate statistics at the end of the month. ===================================================================== Q. I want to switch from the visual interface /X to the imapsync command line or to the script examples https://imapsync.lamiral.info/#DOC_BASIC What should I know? A. Let's do some ascii art. The visual interface looks roughly like this, for the textfields input part: +------------------------------------------+------------------------------------------+ | IMAP source Mailbox | IMAP destination Mailbox | | | | | Login (usually an email address) | Login (usually an email address) | | | | | test1 | test2 | | | | | Password | Password | | | | | secret1 | secret2 | | | | | IMAP Server hostname (or its IP address) | IMAP Server hostname (or its IP address) | | | | | test1.lamiral.info | test2.lamiral.info | | | | +------------------------------------------+------------------------------------------+ Notice the 6 examples values I put in the previous "picture": * test1 * secret1 * test1.lamiral.info * test2 * secret2 * test2.lamiral.info The corresponding imapsync command line on Windows is: imapsync.exe --host1 "test1.lamiral.info" --user1 "test1" --password1 "secret1" ^ --host2 "test2.lamiral.info" --user2 "test2" --password2 "secret2" The order of the parameters is whatever you want as long as you respect each pair like: --optionname "value" There is no need to type this in a command prompt window, just use the example script https://imapsync.lamiral.info/examples/imapsync_example.bat The corresponding imapsync command line on Linux is: imapsync --host1 "test1.lamiral.info" --user1 "test1" --password1 "secret1" \ --host2 "test2.lamiral.info" --user2 "test2" --password2 "secret2" There is no need to type this in a command prompt window, just use the example script https://imapsync.lamiral.info/examples/imapsync_example.sh ===================================================================== Q. Shall I have issues with the browser timing out? What happens if the browser connection is closed for whatever reason? A. A browser connection closed closes also the imapsync process, ie, the sync is ended right away. Further comments on this behavior. When using the /X interface there are three connections. One connection is the Browser/WebServer connection, the two other connections are the WebServer/ImapServers connections (imapsync stuff). If the Browser/WebServer connection timeouts or ends, the imapsync sync is also ended immediately by the remote Apache HTTPS server. Technically, Apache sends a TERM signal to the imapsync process, then wait some seconds before sending a KILL signal if the imapsync process is still alive. You can relaunch the sync with the "Sync!" button, at any time. If the "Sync!" button is gray/inactive then just reload the page (F5 or similar), and reenter the credentials. If the interface tells you that the sync is already going on, it may be that the sync is running from another browser or place. You can stop this sync with the "Abort!" button from any /X tab/window, even from another browser or place. To be able to abort with success, you have to give the same account parameters, same credentials, or imapsync will ignore the demand. In other words, you can try safely to launch several parallel runs between the same mailboxes. Open a new tab/windows with /X, and start the same sync. It's safe, the /X page will say that there is already one sync running and it will present the logfile running the sync like a "tail -f" command (isn't that magic?). ===================================================================== Q. Shall I have issues when the webserver times out? What happens if the web server closes the connection for whatever reason? A. If the webserver closes the connection then usually it also kills the imapsync process and the imap connections as well. The current webserver timeout at https://imapsync.lamiral.info/X/ is 3600 secondes, one hour. ===================================================================== Q. The sync stalls at the beginning, just after a line like: "Host1: xxx says it has CAPABILITY for AUTHENTICATE LOGIN" What is the problem? A. I've seen this issue on /X with the imap server CommuniGate Pro IMAP Server 6.0.11 The issue looks related to special characters in the password. Solution for now: change the password, keep only standard (ASCII) alphanumeric characters ABC-YZ abc-yz 012-89. ===================================================================== Q. The synchronization fails with the error message like: Err 1/1: Host1 failure: Error login on [10.1.161.155] with user [webmaster@truc.com] auth [LOGIN]: 2 NO [ALERT] LOGIN DENIED -- COUNTRY IS BLACKLISTED A. The message "[ALERT] LOGIN DENIED -- COUNTRY IS BLACKLISTED" comes directly from the IMAP server at 10.1.161.155 It looks like that the 10.1.161.155 imap server filters incoming connexions based on their IPS. In that case, here are the current IPs of the imapsync online service (September 2022): ks5.lamiral.info has address 91.121.221.224 ks5ipv6.lamiral.info has IPv6 address 2001:41d0:2:84e0::1 ks6.lamiral.info has address 5.39.87.81 ks6ipv6.lamiral.info has IPv6 address 2001:41d0:8:9951::1 ks7.lamiral.info has address 5.135.177.225 ks7ipv6.lamiral.info has IPv6 address 2001:41d0:8:b8e1::1 ks8.lamiral.info has address 5.135.176.149 ks8ipv6.lamiral.info has IPv6 address 2001:41d0:8:b795::1 i050.lamiral.info has address 213.32.72.139 i050ipv6.lamiral.info has IPv6 address 2001:41d0:302:1000::155d vp3.lamiral.info has address 51.178.81.27 vp3ipv6.lamiral.info has IPv6 address 2001:41d0:404:200::4d81 vp4.lamiral.info has address 51.38.34.201 vp4ipv6.lamiral.info has IPv6 address 2001:41d0:305:2100::4c46 The imapsync online service may contact your imap server with one or more of those IP addresses. CPhulk of Cpannel has a buildin country block that can cause this behavior. Later on you may encountered issues with maximum sessions per ip. You can change that within cPannel. https://support.cpanel.net/hc/en-us/articles/4406663082519-What-is-cPHulk- https://docs.cpanel.net/whm/security-center/cphulk-brute-force-protection/ ===================================================================== =====================================================================