Hi mailcow community!
I’m trying to migrate some email from Gmail to mailcow over the IMAP protocol (with a syncjob), but I’m encountering an error: Invalid credentials (Failure), even though I’m sure it’s the right password.

Here is part of the logs:
Host1 banner: * OK Gimap ready for requests from XX.XX.XX.XX 9mXy8445409wry
Host1 capability before authentication: IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH
Host1 info: authmech [LOGIN] user [xxxxx@yyyy.be] authuser [] IsUnconnected []
Host1 failure: Error login on [imap.gmail.com] with user [xxxxx@yyyy.be] auth [LOGIN]: 2 NO [AUTHENTICATIONFAILED] Invalid credentials (Failure)
Host1: failed login on [imap.gmail.com] with user [xxxxx@yyyy.be] auth [LOGIN]

Does anyone know how to do this?

Is Gmail configured to allow IMAP logins? Please search in Gmail help files how to do this.
You cannot log in to IMAP with your Gmail password; I guess you have to use an “app password”.

    Hi esackbauer,
    thanks for your answer!
    Actually, I’m able to connect via IMAP in Thunderbird, so I guess the IMAP connection is allowed.
    But in Thunderbird, I get a second screen which asks again for the login/password, and after that it switches to an OAUTH2 connection.

    Perhaps this process is blocked in mailcow.
    Have you been able to sync a Gmail account recently?

    You almost got it :-). Gmail by default enforces stronger OAuth; you need to lower your security settings (in Gmail) to allow login by password (plain login).

    Thank you both for your replies and encouragement.
    I’m going to try to change the settings on the Gmail side, you’ve given me the strength to keep trying now that I know it’s possible.

    Actually, we needed to migrate a lot of email boxes from Google Workspace for a domain, so we chose another method to do this. We use XOAUTH2.
    It’s not clear in the Google documentation, but we first need to generate a JSON file with secrets.
    This file is described in the imapsync documentation: https://imapsync.lamiral.info/FAQ.d/FAQ.XOAUTH2.txt (Q. How to use XOAUTH2 via a json file to globally authenticate gmail users?)

    In the mailcow syncjob, just put the absolute path to the secret.json in the password field (/tmp/secret.json). Of course, at first we got an error: No such file.
    We must put the file inside the dovecot container (which runs imapsync).

    docker exec -ti mailcowdockerized-dovecot-mailcow-1 bash

    echo '{
    "type": "service_account",
    "project_id": "project-name",
    "private_key_id": "YYYYYYYYYYYYYYYYYYYYYYYYYYYYY",
    "private_key": "-----BEGIN PRIVATE KEY-----\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=\n-----END PRIVATE KEY-----\n",
    "client_email": "test@project-name.iam.gserviceaccount.com",
    "client_id": "99999999999999999999",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test%40project-name.iam.gserviceaccount.com",
    "universe_domain": "googleapis.com"
    }' > /tmp/secret.json

    (Be careful: if you restart your dovecot container, this file will be erased 😉)

    Now, we get an error from Google every time:
    401
    {
    "error": "unauthorized_client",
    "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
    }

    It’s definitely a settings error in the Gmail service account.
    After following this tutorial, we finally succeeded in configuring the Google service correctly: ollionorg/google-oauth2-token?tab=readme-ov-file#create-a-service-account

    Hope this will help 🙂)

    Forgot to say, you must add a custom parameter in the syncjob to have XOAUTH:
    --authmech1=XOAUTH2
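
A pre-flight check for the secret.json described in the posts above, as an added example that is not part of the original thread or of imapsync/mailcow. It flags typographic quotes and mangled PEM dashes picked up when copying the file from a web page, and a key file that other users can read. The function name and the list of required fields (taken from the sample file in the thread) are assumptions.

```python
import json
import os
import stat
import sys
import tempfile

# Assumed checklist: fields present in the sample secret.json posted in this thread.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")


def check_key_file(path):
    """Return a list of problems found in a service-account JSON key file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} exposes the private key to group/others; use 0600")
    with open(path, encoding="utf-8") as fh:
        raw = fh.read()
    if "\u201c" in raw or "\u201d" in raw:
        problems.append("typographic quotes found; JSON requires plain double quotes")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        problems.append(f"not valid JSON: {exc.msg} (line {exc.lineno})")
        return problems
    if not isinstance(data, dict):
        return problems + ["top-level JSON value is not an object"]
    problems += [f"missing or empty field: {name}" for name in REQUIRED if not data.get(name)]
    if data.get("type") not in (None, "", "service_account"):
        problems.append("type is not 'service_account'")
    key = str(data.get("private_key") or "").strip()
    if key and not (key.startswith("-----BEGIN PRIVATE KEY-----")
                    and key.endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key lacks PEM BEGIN/END markers (dashes may be mangled)")
    return problems


if __name__ == "__main__":
    # Usage: python3 check_key.py /tmp/secret.json
    # With no argument, a constructed sample (curly quotes, mode 0644) is checked instead.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".json")
        os.write(fd, "{\u201ctype\u201d: \u201cservice_account\u201d}".encode("utf-8"))
        os.close(fd)
        os.chmod(path, 0o644)
    for line in check_key_file(path):
        print("PROBLEM:", line)
```

An empty result means the file parsed and passed these checks; it does not show that the service account is authorized for the requested scopes, which is what the `unauthorized_client` response above is about.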
