IMAPsync/FAQ.d/FAQ.OnlineUI.txt

#!/bin/cat
$Id: FAQ.OnlineUI.txt,v 1.36 2022/09/14 11:18:05 gilles Exp gilles $

This document is also available online at
https://imapsync.lamiral.info/FAQ.d/
https://imapsync.lamiral.info/FAQ.d/FAQ.OnlineUI.txt

=====================================================================
   Imapsync tips about the online visual user interfaces
   https://imapsync.lamiral.info/X/
=====================================================================

Questions answered in this FAQ are:

Q. Can I launch several imap synchronizations on the visual 
   user interface /X?

Q. How secure is the online visual user interface /X?

Q. Does the online service store any sensitive information 
   like my passwords?

Q. I want to switch from the visual interface /X to the 
   imapsync command line or to the script examples
   https://imapsync.lamiral.info/#DOC_BASIC
   What should I know?

Q. Shall I have issues when the browser times out?
   What happens if the browser connection is closed for whatever reason?

Q. Shall I have issues when the webserver times out? What happens
   if the web server closes the connection for whatever reason?

Q. The sync stalls at the beginning, just after a line like:
   "Host1: xxx says it has CAPABILITY for AUTHENTICATE LOGIN"
   What is the problem?

Q. The synchronization fails with the error message like:
   Err 1/1: Host1 failure: Error login on [10.1.161.155] with user [webmaster@truc.com] auth [LOGIN]: 2 NO [ALERT] LOGIN DENIED -- COUNTRY IS BLACKLISTED

Now the questions again with their answers.

=====================================================================
Q. Can I launch several imap synchronizations on the visual 
   user interface /X?

A. Yes. Open several tabs/windows on your browser and fill each one
   with different credentials.

=====================================================================
Q. How secure is the online visual user interface /X?

A0. Well, I don't know if asking the provider whether his online
service is secure or not would be of any interest.
Let's do it anyway, you'll be the judge.

A1. Some figures

Date of this report: 24 December 2021. Happy Christmas!

The online imapsync service /X started 9 January 2017,
5 years ago (1810 days of service).

On average, /X has 51 users per day, each user lunches on average
6 account migrations, from just 1 launch to many (hundreds).

The total volume /X transferred so far is around 240 TiB coming 
from nearly 520 000 imap account migrations and 810 million email messages.

A2. Pros & Cons

The online imapsync service /X runs on HTTPS only, with a letsencrypt
certificate, an up to date certificate overall rated "A+" at
https://www.ssllabs.com/ssltest/analyze.html?d=imapsync.lamiral.info

Because of the HTTPS usage, what the users enter in their browser, the
imap logins and passwords, can't be eavesdropped on the network.

Imapsync itself takes care of encryption for the imap sessions, if
possible. First, imapsync tries to use SSL on port 993, then TLS on
port 143 if the servers announce TLS, then no encryption at all.
Concerning encryption, what is done with the source imap server host1
is independent of what is done with the destination imap server host2.

On the date of 24 December 2021, there is no security problem detected
or reported to me (Gilles LAMIRAL), so far.

Concerning the Log4j threats, the imapsync server doesn't use Log4j at
all, so it should be safe about this issue.

Feel free to attack the service and feel free to report any hole
encountered. Have in mind that I can watch what you do from the
server-side, and then take measures if the service suffers from your
acts. Drop me a note before will be fair play and I will let you act
as harsh as you can.

As the owner of the service, it could have been 520 000 pairs of
credentials collected and nearly 240 terabytes of email messages.
That's massive. I haven't kept them but I can't prove I haven't. It's
just trust, like nearly every online service in the universe.

Concerning imapsync transfers, the imap server certificates are not
checked for authenticity by default because too many imap servers are
crappy configured regarding their certified certificates.

This default behavior is chosen like this because users of /X
want their emails transferred, instead of being not transferred
because of an incompetent imap server sysadmin.

I admit that this part, checking imap ssl/tls certificates,
could be improved from my side by including well known
certificates directly in imapsync.

If an imap server doesn't honor ssl nor tls, then logins, passwords
and everything will go clear text during the imap transfers.  That's
not good at all! But what "comforts" me is that if an imap server does
only clear text transfers, then it's also true for all the imap
sessions the account owner encounters, imapsync is just one of them;
the imap servers are then always unsecured for any imap software
client.

Last point, who could be sure that no cracker cracked the online hosts
and that he isn't currently sniffing the credentials?

No one! I'm not sure myself, even if I do take care of that
possibility. So changing the imap accounts passwords after
the sync is a safe and recommended practice! You can even
change the password just after imapsync has started its job, 
just after a successful login. This way you know the previously 
given password is no longer working just after imapsync has
started its job.

=====================================================================
Q. Does the online service store any sensitive information 
   like my passwords?

No.

The online passwords are kept by your browser. The goal is that the
next time you run a sync from your browser, all the parameters are
already there without having to re-enter them.  The save is done when
you click on the "Sync or resync" green button. So, if you don't want
your browser to keep your password, enter a wrong one or empty the
password field and click on the "Sync or resync" green button, the
wrong password will be saved in your browser and no sync will be done,
since a correct login is mandatory to do anything on your mailboxes.

=====================================================================
Q. I want to switch from the visual interface /X to the 
   imapsync command line or to the script examples
   https://imapsync.lamiral.info/#DOC_BASIC
   What should I know?

A. Let's do some ascii art. 
   The visual interface looks roughly like this, for the textfields input part:

+------------------------------------------+------------------------------------------+
|          IMAP source Mailbox             |        IMAP destination Mailbox          |
|                                          |                                          |
| Login (usually an email address)         | Login (usually an email address)         |
|                                          |                                          |
|    test1                                 |    test2                                 |
|                                          |                                          |
| Password                                 | Password                                 |
|                                          |                                          |
|    secret1                               |    secret2                               |
|                                          |                                          |
| IMAP Server hostname (or its IP address) | IMAP Server hostname (or its IP address) |
|                                          |                                          |
|     test1.lamiral.info                   |     test2.lamiral.info                   |
|                                          |                                          |
+------------------------------------------+------------------------------------------+

Notice the 6 examples values I put in the previous "picture":

* test1
* secret1
* test1.lamiral.info

* test2
* secret2
* test2.lamiral.info


The corresponding imapsync command line on Windows is:

imapsync.exe  --host1 "test1.lamiral.info"  --user1 "test1" --password1  "secret1"  ^
              --host2 "test2.lamiral.info"  --user2 "test2" --password2  "secret2"

The order of the  parameters is whatever you want as long as you respect each pair 
like: --optionname "value"

There is no need to type this in a command prompt window, just use the example script 
https://imapsync.lamiral.info/examples/imapsync_example.bat


The corresponding imapsync command line on Linux is:

imapsync  --host1 "test1.lamiral.info"  --user1 "test1" --password1  "secret1"  \
          --host2 "test2.lamiral.info"  --user2 "test2" --password2  "secret2"

There is no need to type this in a command prompt window, just use the example script 
https://imapsync.lamiral.info/examples/imapsync_example.sh

=====================================================================
Q. Shall I have issues with the browser timing out?
   What happens if the browser connection is closed for whatever reason?

A. A browser connection closed closes also the imapsync process, 
   ie, the sync is ended right away.

Further comments on this behavior.

When using the /X interface there are three connections.
One connection is the Browser/WebServer connection,
the two other connections are the WebServer/ImapServers
connections (imapsync stuff).

If the Browser/WebServer connection timeouts or ends,
the imapsync sync is also ended immediately by the remote
Apache HTTPS server. Technically, Apache sends a TERM signal
to the imapsync process, then wait some seconds before
sending a KILL signal if the imapsync process is still alive.

You can relaunch the sync with the "Sync!" button, at any time.
If the "Sync!" button is gray/inactive then just reload
the page (F5 or similar), and reenter the credentials.

If the interface tells you that the sync is already going on,
it may be that the sync is running from another browser or place.
You can stop this sync with the "Abort!" button from any /X
tab/window, even from another browser or place. To be able
to abort with success, you have to give the same account
parameters, same credentials, or imapsync will ignore the demand.

In other words, you can try safely to launch several parallel
runs between the same mailboxes. Open a new tab/windows with /X,
and start the same sync. It's safe, the /X page will say that
there is already one sync running and it will present
the logfile running the sync like a "tail -f" command (isn't that magic?).

=====================================================================
Q. Shall I have issues when the webserver times out? What happens
   if the web server closes the connection for whatever reason?

A. If the webserver closes the connection then usually it also 
   kills the imapsync process and the imap connections as well.

The current webserver timeout at 
https://imapsync.lamiral.info/X/
is 3600 secondes, one hour.

=====================================================================
Q. The sync stalls at the beginning, just after a line like:
   "Host1: xxx says it has CAPABILITY for AUTHENTICATE LOGIN"
   What is the problem?

A. I've seen this issue on /X with the imap server
   CommuniGate Pro IMAP Server 6.0.11

The issue looks related to special characters in the password.
Solution for now: change the password, keep only standard (ASCII) 
alphanumeric characters ABC-YZ abc-yz 012-89.

=====================================================================
Q. The synchronization fails with the error message like:
   Err 1/1: Host1 failure: Error login on [10.1.161.155] with user [webmaster@truc.com] auth [LOGIN]: 2 NO [ALERT] LOGIN DENIED -- COUNTRY IS BLACKLISTED

A. The message "[ALERT] LOGIN DENIED -- COUNTRY IS BLACKLISTED" comes directly 
   from the IMAP server at 10.1.161.155

It looks like that the 10.1.161.155 imap server filters incoming 
connexions based on their IPS. In that case, here are the current 
IPs of the imapsync online service (September 2022):

ks5.lamiral.info      has address      91.121.221.224
ks5ipv6.lamiral.info  has IPv6 address 2001:41d0:2:84e0::1
ks6.lamiral.info      has address      5.39.87.81
ks6ipv6.lamiral.info  has IPv6 address 2001:41d0:8:9951::1
ks7.lamiral.info      has address      5.135.177.225
ks7ipv6.lamiral.info  has IPv6 address 2001:41d0:8:b8e1::1
i050.lamiral.info     has address      213.32.72.139
i050ipv6.lamiral.info has IPv6 address 2001:41d0:302:1000::155d
vp3.lamiral.info      has address      51.178.81.27
vp3ipv6.lamiral.info  has IPv6 address 2001:41d0:404:200::4d81
vp4.lamiral.info      has address      51.38.34.201
vp4ipv6.lamiral.info  has IPv6 address 2001:41d0:305:2100::4c46

The imapsync online service may contact your imap server with one
or more of those IP addresses.

CPhulk of Cpannel has a buildin country block that can cause this behavior.
Later on you may encountered issues with maximum sessions per ip.
You can change that within cPannel.

https://support.cpanel.net/hc/en-us/articles/4406663082519-What-is-cPHulk-
https://docs.cpanel.net/whm/security-center/cphulk-brute-force-protection/

=====================================================================
=====================================================================