Migrate email from gmail

Wiz

Hi mailcow community !
I try to migrate some email from gmail to mailcow with imap protocol (and syncjob), but I’m encountering an error : Invalid credentials (Failure), but I’m sure it’s the good password

Here a part of logs :
Host1 banner: * OK Gimap ready for requests from XX.XX.XX.XX 9mXy8445409wry
Host1 capability before authentication: IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH
Host1 info: authmech [LOGIN] user [xxxxx@yyyy.be] authuser [] IsUnconnected []
Host1 failure: Error login on [imap.gmail.com] with user [xxxxx@yyyy.be] auth [LOGIN]: 2 NO [AUTHENTICATIONFAILED] Invalid credentials (Failure)
Host1: failed login on [imap.gmail.com] with user [xxxxx@yyyy.be] auth [LOGIN]

Does anyone know how to do this ?

esackbauer

Is Gmail configured to allow IMAP logins? Please search in Gmail help files how to do this.
You cannot login to IMAP with you gmail password, I guess you have to use an “app password”.

Wiz

Hi esackbauer
thanks for your answer !
Actually, I’m able to connect via imap in Thunderbird, so I guess the imap connexion is allowed.
But in Thunderbird, I have a second screen which ask again the login/password and after it switch to an OAUTH2 connexion

Perhaps this process is blocked in Mailcow.
Do you able to sync an gmail recently ?

esackbauer

Sorry, I do not use gmail. I guess you must use plain text authentication, or look at the imapsync documentation:
https://imapsync.lamiral.info/FAQ.d/FAQ.XOAUTH2.txt

ETNyx

You almost got it :-). Gmail by default enforcing stronger oauth, you need to lower your security (in gmail) settings to allow login by password (plain login)

Wiz

Thank you both for your replies and encouragement.
I’m going to try to change the settings on the Gmail side, you’ve given me the strength to keep trying now that I know it’s possible.

Wiz

Actually, we needed to migrate a lot of email boxes from the Google Workspace for a domain, so we choose another method to do this. We use XOAUTH2
It’s not clear in the google documentation, but we need first generate a json file with secrets
This file is describe in imapsync documentation https://imapsync.lamiral.info/FAQ.d/FAQ.XOAUTH2.txt (Q. How to use XOAUTH2 via a json file to globally authenticate gmail users?)

In mailcow syncjob, just put the absolute path to the secret.json in the password field (/tmp/secret.json). Sure, first we have an error : No such file
We must put the file inside the dovecot container (which make the imapsync)

docker exec -ti mailcowdockerized-dovecot-mailcow-1 bash

echo '{
“type”: “service_account”,
“project_id”: “project-name”,
“private_key_id”: “YYYYYYYYYYYYYYYYYYYYYYYYYYYYY”,
“private_key”: “—–BEGIN PRIVATE KEY—–\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=\n—–END PRIVATE KEY—–\n”,
“client_email”: “test@project-name.iam.gserviceaccount.com”,
“client_id”: “99999999999999999999”,
“auth_uri”: “https://accounts.google.com/o/oauth2/auth”,
“token_uri”: “https://oauth2.googleapis.com/token”,
“auth_provider_x509_cert_url”: “https://www.googleapis.com/oauth2/v1/certs”,
“client_x509_cert_url”: “https://www.googleapis.com/robot/v1/metadata/x509/test%project-name.iam.gserviceaccount.com”,
“universe_domain”: “googleapis.com”
}' > /tmp/secret.json

(Be carefull, if you restart your dovecot container, this file will be erase 😉)

Now, we everytime has an error from google :
401
{
“error”: “unauthorized_client”,
“error_description”: “Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.”
}

It’s definitivly an error of settings in gmail service account
After following this tutorial, we finally succeeded in configuring the google service correctly : ollionorg/google-oauth2-token?tab=readme-ov-file#create-a-service-account

Hope this will help 🙂)

Wiz

Forgot to say, you must add a custom parameter in the syncjob to have XOAUTH :
–authmech1=XOAUTH2