Migrate email from gmail

Hi mailcow community !
I try to migrate some email from gmail to mailcow with imap protocol (and syncjob), but I’m encountering an error : Invalid credentials (Failure), but I’m sure it’s the good password

Here a part of logs :
Host1 banner: * OK Gimap ready for requests from XX.XX.XX.XX 9mXy8445409wry
Host1 capability before authentication: IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH
Host1 info: authmech [LOGIN] user [xxxxx@yyyy.be] authuser [] IsUnconnected []
Host1 failure: Error login on [imap.gmail.com] with user [xxxxx@yyyy.be] auth [LOGIN]: 2 NO [AUTHENTICATIONFAILED] Invalid credentials (Failure)
Host1: failed login on [imap.gmail.com] with user [xxxxx@yyyy.be] auth [LOGIN]

Does anyone know how to do this ?

Hi esackbauer
thanks for your answer !
Actually, I’m able to connect via imap in Thunderbird, so I guess the imap connexion is allowed.
But in Thunderbird, I have a second screen which ask again the login/password and after it switch to an OAUTH2 connexion

Perhaps this process is blocked in Mailcow.
Do you able to sync an gmail recently ?

Thank you both for your replies and encouragement.
I’m going to try to change the settings on the Gmail side, you’ve given me the strength to keep trying now that I know it’s possible.

Actually, we needed to migrate a lot of email boxes from the Google Workspace for a domain, so we choose another method to do this. We use XOAUTH2
It’s not clear in the google documentation, but we need first generate a json file with secrets
This file is describe in imapsync documentation https://imapsync.lamiral.info/FAQ.d/FAQ.XOAUTH2.txt (Q. How to use XOAUTH2 via a json file to globally authenticate gmail users?)

In mailcow syncjob, just put the absolute path to the secret.json in the password field (/tmp/secret.json). Sure, first we have an error : No such file
We must put the file inside the dovecot container (which make the imapsync)

docker exec -ti mailcowdockerized-dovecot-mailcow-1 bash

echo '{
“type”: “service_account”,
“project_id”: “project-name”,
“private_key_id”: “YYYYYYYYYYYYYYYYYYYYYYYYYYYYY”,
“private_key”: “—–BEGIN PRIVATE KEY—–\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=\n—–END PRIVATE KEY—–\n”,
“client_email”: “test@project-name.iam.gserviceaccount.com”,
“client_id”: “99999999999999999999”,
“auth_uri”: “https://accounts.google.com/o/oauth2/auth”,
“token_uri”: “https://oauth2.googleapis.com/token”,
“auth_provider_x509_cert_url”: “https://www.googleapis.com/oauth2/v1/certs”,
“client_x509_cert_url”: “https://www.googleapis.com/robot/v1/metadata/x509/test%project-name.iam.gserviceaccount.com”,
“universe_domain”: “googleapis.com”
}' > /tmp/secret.json

(Be carefull, if you restart your dovecot container, this file will be erase )

Now, we everytime has an error from google :
401
{
“error”: “unauthorized_client”,
“error_description”: “Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.”
}

It’s definitivly an error of settings in gmail service account
After following this tutorial, we finally succeeded in configuring the google service correctly : ollionorg/google-oauth2-token?tab=readme-ov-file#create-a-service-account

Hope this will help )

Forgot to say, you must add a custom parameter in the syncjob to have XOAUTH :
–authmech1=XOAUTH2