Bug 23035 - kmail fails to authenticate imap connection to gmail
Summary: kmail fails to authenticate imap connection to gmail
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: KDE maintainers
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-14 22:33 CEST by Ethan Merritt
Modified: 2018-07-11 19:59 CEST (History)
5 users (show)

See Also:
Source RPM:
CVE:
Status comment:


Attachments

Description Ethan Merritt 2018-05-14 22:33:25 CEST
Description of problem:

After upgrade to kmail2 5.7.2 in the recent massive qt5 upgrade I can no longer access gmail accounts.  It is hard to get a reproducible error message. Sometimes it says "cannot authenticate", sometimes it reports a SASL error, sometimes it fails silently.   I believe that if it were possible to force the authentication method to PLAIN in the kmail account configuration widget this would work around the problem.  However as soon as I give imap.gmail.com as a server name the program automatically resets the authentication type to Gmail rather than PLAIN and greys out the widget so that I cannot change it back. 

Note that my kmail+gmail configuration was working fine before the upgrade.
Other imap servers continue to work OK; only the gmail authentication fails.


Version-Release number of selected component (if applicable):


How reproducible:
failure is 100% reproducible
the specific error message is not


Steps to Reproduce:
1.  configure a new or existing mail account in kmail to access imap.gmail.com
2.  try to access mail using this account
3.


I have the following installed

lib64sasl2_3-2.1.26-12.mga6
libsasl2_3-2.1.26-12.mga6
lib64sasl2-plug-plain-2.1.26-12.mga6
lib64sasl2-plug-login-2.1.26-12.mga6
lib64sasl2-plug-ntlm-2.1.26-12.mga6
lib64sasl2-plug-digestmd5-2.1.26-12.mga6


akonadi-kde-17.12.2-1.mga6
lib64kf5akonadicore5-17.12.2-1.mga6
lib64kf5mailtransportakonadi5-17.12.2-1.mga6
lib64akonadiprotocolinternals1-1.13.0-10.mga6
Marja Van Waes 2018-05-15 15:24:17 CEST

Assignee: bugsquad => kde
CC: (none) => marja11

Comment 1 Ethan Merritt 2018-05-15 18:29:42 CEST
More information:

libkgapi-17.12.2-1.mga6

error trace from journalctl
%%%%%%%%%%%%%%%%%%%
May 14 10:15:01 himeji akonadi_imap_resource[27732]: No worthy mechs found
May 14 10:15:01 himeji akonadi_imap_resource[27732]: org.kde.pim.kimap: sasl_client_start failed with: -4 "SASL(-4): no mechanism available: No worthy mechs found"
May 14 10:15:01 himeji akonadi_imap_resource[27732]: org.kde.kgapi.raw: Requesting token refresh:  "client_id=554041944266.apps.googleusercontent.com&client_secret=mdT1Dj
May 14 10:15:01 himeji akonadi_imap_resource[27732]: org.kde.kgapi: Queued QUrl("https://accounts.google.com/o/oauth2/token")
May 14 10:15:01 himeji akonadi_imap_resource[27732]: org.kde.kgapi: KGAPI2::AuthJob(0x1b8c5d0) Dispatching request to QUrl("https://accounts.google.com/o/oauth2/token")
May 14 10:15:01 himeji akonadi_imap_resource[27732]: org.kde.kgapi.raw: "client_id=554041944266.apps.googleusercontent.com&client_secret=mdT1DjzohxxxnpUUzkENT0gO&refresh_
May 14 10:15:03 himeji akonadi_vcard_resource[27808]: "No file selected."
May 14 10:15:03 himeji akonadi_vcard_resource[27819]: "No file selected."
May 14 10:15:03 himeji akonadi_vcard_resource[27818]: "No file selected."
May 14 10:15:05 himeji akonadi_imap_resource[27732]: org.kde.kgapi: Received reply from QUrl("https://accounts.google.com/o/oauth2/token")
May 14 10:15:05 himeji akonadi_imap_resource[27732]: org.kde.kgapi: Status code:  200
May 14 10:15:05 himeji akonadi_imap_resource[27732]: org.kde.kgapi.raw: "{\n  \"access_token\" : \"ya29.Gly7BRJTpBIKaP9EfIUNs6IyMLThrbFqDzlqNO8P1YbeexxgA8rDAEvtISiZaR-J2c
May 14 10:15:05 himeji akonadi_imap_resource[27732]: org.kde.kgapi: 
May 14 10:15:05 himeji akonadi_imap_resource[27732]: qt.network.ssl: QSslSocket::startClientEncryption: cannot start handshake on non-plain connection
%%%%%%%%%%%%%%%%%%%



partial work-around:

In the kmail account configuration widget if I provide a single IP address from the imap.gmail.com block then it allows me to set PLAIN authentication rather than GMAIL authentication.  This works and I can access my mail.  But it is obviously fragile compared to giving the generic name for DNS resolution.

proposed fix:

It's fine that kmail sets the default authentication method to GMAIL if it recognizes the server as a gmail server.  But it should not disable manual selection of the authentiation mode.  That way if the special-case authentication fails, the user can back off to PLAIN authentication.
Ulrich Beckmann 2018-05-15 21:29:24 CEST

CC: (none) => bequimao.de
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=22655

Comment 2 Arne Spiegelhauer 2018-05-18 16:06:42 CEST
I got the same journal logs.
Found this: https://bugs.kde.org/show_bug.cgi?id=375410
Adding libkdexoauth2.so as a symbolic link to libkdexoauth2.so.3.0.0 as suggested in comment 3 solved the problem.

CC: (none) => gm2.asp

Comment 3 Ethan Merritt 2018-05-18 19:38:47 CEST
Adding the symlink produces a different failure mode, but it still does not complete the authentication process. I added the symlink in both /usr/lib/sasl2 and /usr/lib64/sasl2.

New log:

May 18 10:31:52 himeji akonadi_imap_resource[10018]: attempting client step after doneflag
May 18 10:31:52 himeji akonadi_imap_resource[10018]: org.kde.pim.kimap: sasl_client_step failed with: -1 "SASL(0): successful result: "
May 18 10:31:52 himeji akonadi_imap_resource[10018]: org.kde.kgapi.raw: Requesting token refresh:  "client_id=554041944266.apps.googleusercontent.com&client_secret=mdT1DjzohxN3npUUzkENT0gO&refresh_token=1/Ikby5iK7FBbK_G3x1r32KsYpwuVyp1QjAhM8Eu5GpxxNCp5T_yyFFpxcn2iMa1xb&grant_type=refresh_token"
May 18 10:31:52 himeji akonadi_imap_resource[10018]: org.kde.kgapi: Queued QUrl("https://accounts.google.com/o/oauth2/token")
May 18 10:31:52 himeji akonadi_imap_resource[10018]: org.kde.kgapi: KGAPI2::AuthJob(0x1738ee0) Dispatching request to QUrl("https://accounts.google.com/o/oauth2/token")
May 18 10:31:52 himeji akonadi_imap_resource[10018]: org.kde.kgapi.raw: "client_id=554041944266.apps.googleusercontent.com&client_secret=mdT1DjzohxN3npUUzkENT0gO&refresh_token=1/Ikby5iK7FBbK_G3x1r32KsYpwuVyp1QjAhM8Eu5Gp8BNCp5T_yyFFpxcn2iMa1xb&grant_type=refresh_token"
May 18 10:31:52 himeji akonadi_imap_resource[10018]: org.kde.kgapi: Received reply from QUrl("https://accounts.google.com/o/oauth2/token")
May 18 10:31:52 himeji akonadi_imap_resource[10018]: org.kde.kgapi: Status code:  200
May 18 10:31:52 himeji akonadi_imap_resource[10018]: org.kde.kgapi.raw: "{\n  \"access_token\" : \"ya29.Glu_BTgc-OIIaooajDd1YEsFVeXyVECWxhZ2rrQZhQl4CHTXWrIRhXOn3ycU0_f3soA4KXzOG9zb-_ko54cTJuq3mpI0SMzYSbxJ9YblIlPrZRZFshzYbtRAgHo9\",\n  \"expires_in\" : 3600,\n  \"id_token\" : \"eyJhbGciOiJSUzI1NiIsImtpZCI6IjAyOWYyNjlmM2YwNmFmMWU5M2RhYzY3MDYzOTc3ZjcxM2E3N2YxOWUifQ.eyJhenAiOiI1NTQwNDE5NDQyNjYuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiI1NTQwNDE5NDQyNjYuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDYzMzEwMDM2NDAxNTcyOTU5OTAiLCJoZCI6InV3LmVkdSIsImVtYWlsIjoibWVycml0dEB1dy5lZHUiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXRfaGFzaCI6ImhCV3VOU0NIR1NHNHBCeVNMS3E1QmciLCJleHAiOjE1MjY2NjgzMTMsImlzcyI6ImFjY291bnRzLmdvb2dsZS5jb20iLCJpYXQiOjE1MjY2NjQ3MTN9.KH43YBccAEV1taxcRr_8qIzivcHQoaG1o4KMgtBhFc-51324-sSYzR_KCNmsjgF6rvU8-ButqDiiDu6SJnsw9KskQBwXTDZNrG0d1HwUkH_IEu4MtgYbZN37FBzcyYYk71gpuNSgr-sh0eK_H8Z3asj5XNVf4FEiNvGtInuBWc5zBfMHSgevSBR2Luv4Vu3jC_IjMcmM4z4934z_ahK-4gyiUDoVHz7k07TUZYtHGXMrmtiA3WGOx6lqoTPuruKwffkpzQU_wJxuZoe_YKzqCV1UOxKPYMAl2WxQ94MZSvLzNsEJxhkYPu7HURG8sRdVdY5D_QZXqyk70mRkAfkD8A\",\n  \"token_type\" : \"Bearer\"\n}"
May 18 10:31:52 himeji akonadi_imap_resource[10018]: org.kde.kgapi: 
May 18 10:31:52 himeji akonadi_imap_resource[10018]: qt.network.ssl: QSslSocket::startClientEncryption: cannot start handshake on non-plain connection


FWIW the same problem is present in Cauldron
Comment 4 Arne Spiegelhauer 2018-05-18 20:39:25 CEST
I have also got this log sequence 3 times in the journal since I added the symlink. Nevertheless kmail seems to work fine with my gmail account.
Maybe it is just a normal token renewal.
Comment 5 Arne Spiegelhauer 2018-05-19 14:27:52 CEST
Just updated another mga6 system and discovered that the package containing libkdexoauth2.so.3.0.0 (lib64kdexoauth2_3-2:17.12.2-1.mga6.x86_64) wasn't installed, so apparently in addition to the missing symlink, there is a dependency problem.
Comment 6 Ulrich Beckmann 2018-05-19 15:04:01 CEST
Thanks, Arne!

I identified that missing package (lib64kdexoauth2_3), too. The journal is flooded with warnings, while the database is rebuild. It works now, everything is  ok.

# ls -l /usr/lib64/sasl2/libkdexoauth2.so*
lrwxrwxrwx 1 root root    18 May 19 09:53 /usr/lib64/sasl2/libkdexoauth2.so -> libkdexoauth2.so.3*
lrwxrwxrwx 1 root root    22 Feb 21 19:49 /usr/lib64/sasl2/libkdexoauth2.so.3 -> libkdexoauth2.so.3.0.0*
-rwxr-xr-x 1 root root 19808 Feb 21 19:50 /usr/lib64/sasl2/libkdexoauth2.so.3.0.0*

Ulrich
Comment 7 Ulrich Beckmann 2018-05-21 17:26:17 CEST
@ packager

Please add the symbolic link

# ln -s /usr/lib64/sasl2/libkdexoauth2.so.3 /usr/lib64/sasl2/libkdexoauth2.so

Ulrich
Vincent D 2018-06-02 13:06:39 CEST

CC: (none) => vincent.dema+mageia

Stéphane Pontier 2018-07-11 19:59:51 CEST

CC: (none) => stephane.pontier


Note You need to log in before you can comment on or make changes to this bug.