Bug 378876 - Cannot connect to Gmail server
Status: RESOLVED DOWNSTREAM
Alias: None
Product: kimap
Classification: Frameworks and Libraries
Component: general
Version: git
Platform: Neon Linux
Importance: NOR critical
Target Milestone: ---
Assignee: kdepim bugs
Reported: 2017-04-17 14:16 UTC by Luis Silva
Modified: 2017-04-22 16:41 UTC

Description Luis Silva 2017-04-17 14:16:12 UTC
Using KDE neon dev/unstable, kmail2 stopped retrieving mails from gmail. 
Deleting and creating a new resource results in the same problem.
I think I traced the problem back to the imap resource and kimap not being able to authenticate with the server. 

When launching akonadi and kmail from the command line I get the following errors:

org.kde.pim.kimap: Connection to server lost  0
org.kde.pim.imapresource: Session login cancelled
org.kde.pim.kimap: sasl_client_start failed with: -4 "SASL(-4): no mechanism available: No worthy mechs found"

and at the end of each sync attempt:

qt.network.ssl: QSslSocket::startClientEncryption: cannot start handshake on non-plain connection


This happens for both single and double factor authentication.
All sasl and qca libraries and plugins are installed.
Comment 1 Daniel Vrátil 2017-04-19 15:43:02 UTC
Please provide output of "pluginviewer -c"
Comment 2 Luis Silva 2017-04-20 06:04:15 UTC
> saslpluginviewer -c
Installed and properly configured SASL (client side) mechanisms are:
  GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 LOGIN PLAIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
  GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 LOGIN PLAIN ANONYMOUS
List of client plugins follows
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSS-SPNEGO, best SSF: 56
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 56
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
Plugin "EXTERNAL" [loaded],     API version: 4
        SASL mechanism: EXTERNAL, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "ntlm" [loaded],         API version: 4
        SASL mechanism: NTLM, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: WANT_CLIENT_FIRST|SUPPORTS_HTTP
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: SERVER_FIRST
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Comment 3 Christoph Feck 2017-04-21 13:17:24 UTC
Thanks for the update; changing status.
Comment 4 Andrea Scarpino 2017-04-21 18:56:46 UTC
Confirmed on Arch Linux too after the update to 17.04 from 16.12
Comment 5 Andrea Scarpino 2017-04-21 18:58:17 UTC
Installed and properly configured SASL (client side) mechanisms are:
  SCRAM-SHA-1 DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 LOGIN XOAUTH2 PLAIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
  SCRAM-SHA-1 DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 LOGIN XOAUTH2 PLAIN ANONYMOUS
List of client plugins follows
Plugin "scram" [loaded],        API version: 4
        SASL mechanism: SCRAM-SHA-1, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|CHANNEL_BINDING
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
Plugin "EXTERNAL" [loaded],     API version: 4
        SASL mechanism: EXTERNAL, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "ntlm" [loaded],         API version: 4
        SASL mechanism: NTLM, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: WANT_CLIENT_FIRST|SUPPORTS_HTTP
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: SERVER_FIRST
Plugin "kdexoauth2" [loaded],   API version: 4
        SASL mechanism: XOAUTH2, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Comment 6 Christophe Marin 2017-04-21 20:45:43 UTC
I'm also seeing that with master & openSUSE (using cyrus-sasl 2.1.26)

22:42:38 - akonadi_imap_resource_7(24511) - org.kde.pim.kimap: : Connection to server lost  0
22:42:38 - akonadi_imap_resource_7(24511) - org.kde.pim.imapresource: : Session login cancelled
22:42:38 - akonadi_imap_resource_7(24511) -  KWallet::Wallet::openWallet: Pass a valid window to KWallet::Wallet::openWallet().
22:42:39 - akonadi_imap_resource_7(24511) - org.kde.pim.kimap: : sasl_client_start failed with: -4 "SASL(-4): no mechanism available: No worthy mechs found"



Installed and properly configured SASL (client side) mechanisms are:
  SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL OTP CRAM-MD5 NTLM LOGIN PLAIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
  SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL OTP CRAM-MD5 NTLM LOGIN PLAIN ANONYMOUS
List of client plugins follows
Plugin "scram" [loaded],        API version: 4
        SASL mechanism: SCRAM-SHA-1, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|CHANNEL_BINDING
Plugin "gs2" [loaded],  API version: 4
        SASL mechanism: GS2-IAKERB, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|NEED_SERVER_FQDN|GSS_FRAMING|CHANNEL_BINDING
Plugin "gs2" [loaded],  API version: 4
        SASL mechanism: GS2-KRB5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|NEED_SERVER_FQDN|GSS_FRAMING|CHANNEL_BINDING
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 56
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSS-SPNEGO, best SSF: 56
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
Plugin "EXTERNAL" [loaded],     API version: 4
        SASL mechanism: EXTERNAL, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "otp" [loaded],  API version: 4
        SASL mechanism: OTP, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|FORWARD_SECRECY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "ntlm" [loaded],         API version: 4
        SASL mechanism: NTLM, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: WANT_CLIENT_FIRST|SUPPORTS_HTTP
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: SERVER_FIRST
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Comment 7 Christophe Marin 2017-04-22 07:44:41 UTC
(In reply to Christophe Giboudeaux from comment #6)
> I'm also seeing that with master & openSUSE (using cyrus-sasl 2.1.26)
> 
case solved here after exporting SASL_PATH to load the kdexoauth2 plugin from my local installation.
Comment 8 Daniel Vrátil 2017-04-22 11:09:51 UTC
Luis,

your KDE installation is not finding the kdexoauth2 SASL plugin. The plugin must be installed in /usr/lib(64)/sasl2, or you have to point the SASL_PATH environment variable to the location where the plugin is installed (if you compile into a non-standard prefix, for instance).


Andrea had a different problem where, due to a migration issue, the IMAP resource wasn't using the correct authentication mechanism; we sorted that out on IRC.
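
Added example, not part of the original thread or of KDE's code: a shell check that reads "saslpluginviewer -c" output and reports which loaded client plugin, if any, provides a given mechanism such as XOAUTH2. The function names (mech_plugin, diagnose) and the sample helpers are made up for this example; the sample inputs are trimmed excerpts of the listings in comments 2 and 5.

```sh
#!/bin/sh
# Added example (not from the bug report): find which loaded Cyrus SASL client
# plugin, if any, provides a mechanism, given `saslpluginviewer -c` output.

# mech_plugin MECH: viewer output on stdin; prints the plugin name, or returns 1.
mech_plugin() {
    awk -v want="$1" '
        /^Plugin "/ {                      # Plugin "kdexoauth2" [loaded], ...
            split($0, q, "\"")
            plugin = q[2]
            loaded = ($0 ~ /\[loaded\]/)
        }
        /SASL mechanism:/ {                # SASL mechanism: XOAUTH2, best SSF: 0
            mech = $3
            sub(/,$/, "", mech)
            if (mech == want && loaded) { print plugin; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# diagnose MECH: same input; reports the result in the terms used in this bug.
diagnose() {
    if plugin=$(mech_plugin "$1"); then
        echo "ok: $1 is provided by plugin \"$plugin\""
    else
        echo "missing: no loaded client plugin offers $1." \
             "Check the sasl2 plugin directory or SASL_PATH (${SASL_PATH:-unset})."
        return 1
    fi
}

# Sample inputs: trimmed excerpts of the listings in comments 2 and 5.
sample_comment2() { cat <<'EOF'
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0
EOF
}
sample_comment5() { cat <<'EOF'
Plugin "kdexoauth2" [loaded],   API version: 4
        SASL mechanism: XOAUTH2, best SSF: 0
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0
EOF
}

sample_comment2 | diagnose XOAUTH2 || true   # missing, as on the reporter's system
sample_comment5 | diagnose XOAUTH2           # ok: provided by "kdexoauth2"
# Live use: saslpluginviewer -c | diagnose XOAUTH2
```

A "missing" result for XOAUTH2 matches the "No worthy mechs found" error from sasl_client_start reported above: the client asks for a mechanism that no loaded plugin offers.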
Comment 9 Daniel Vrátil 2017-04-22 11:36:41 UTC
Git commit c9ae16363e68d6958db0cd835cb0180b340594b5 by Daniel Vrátil.
Committed on 22/04/2017 at 11:31.
Pushed by dvratil into branch 'Applications/17.04'.

[IMAP] Fix migration to new Gmail authentication

Currently the settings would be migrated only if user opened the
Settings dialog. The GmailPasswordRequester expects that the server
settings is migrated correctly and always tries to authenticate via
XOAUTH2, even if the configuration says "PLAIN" or other mechanism.
This breaks login as we try to send XOAUTH2 tokens as PLAIN credentials.

This change ensures that the encryption and auth mechanism settings
is correctly migrated on resource startup.
Related: bug 378857

M  +12   -0    resources/imap/settings.cpp

https://commits.kde.org/kdepim-runtime/c9ae16363e68d6958db0cd835cb0180b340594b5
Comment 10 Daniel Vrátil 2017-04-22 16:41:36 UTC
There's a bug in Kubuntu/Neon packaging: https://bugs.kde.org/show_bug.cgi?id=379089

Closing as a downstream issue.