John A. Sullivan III
2009-Jul-03 00:59 UTC
[asterisk-users] Zimbra IMAP authentication - SOLVED
Hello, everyone. No need to read this message. I'm posting for
documentation for other poor, ignorant slobs like me who are struggling
to pull together the many technologies to make converged networks
happen. Hopefully, this will help save someone else the time I spent.
I started the below email until I realized I had solved multiple parts
of a compound problem but not all at the same time. When I put them
together in the right order, it worked.

I did not understand that I needed to use AUTHENTICATE PLAIN and that
such authentication is a single string which pertains to the user and
not the authuser. Then, once I got the right password parameter name
and figured out that I could not use a distribution list rather than a
real email account for shared voice mail (duh), it all fell into place.
The configuration in the examples below works. It's a wonder to behold.
Thanks Asterisk developers - John


Hello, all. I'm having a nasty time trying to integrate Asterisk and
Zimbra for voice mail. No matter whether I use imappassword=,
imappasswd=, or imapsecret=, I get these errors:

[Jul 2 19:54:26] WARNING[26609]: app_voicemail.c:2306 mm_log: IMAP Warning: SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
[Jul 2 19:54:26] WARNING[26609]: app_voicemail.c:2306 mm_log: IMAP Warning: Retrying PLAIN authentication after AUTHENTICATE failed
[Jul 2 19:54:26] WARNING[26609]: app_voicemail.c:2306 mm_log: IMAP Warning: SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
[Jul 2 19:54:26] WARNING[26609]: app_voicemail.c:2306 mm_log: IMAP Warning: Retrying PLAIN authentication after AUTHENTICATE failed
[Jul 2 19:54:26] WARNING[26609]: app_voicemail.c:2306 mm_log: IMAP Warning: SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
[Jul 2 19:54:26] ERROR[26609]: app_voicemail.c:2309 mm_log: IMAP Error: Can not authenticate to IMAP server: AUTHENTICATE failed
[Jul 2 19:54:26] ERROR[26609]: app_voicemail.c:1669 messagecount: Houston we have a problem - IMAP mailstream is NULL

My voicemail.conf file has lines such as:

10 => xxxxx,Some User,,,imapuser=person at somewhere.com|imappassword=Y2xlcmljYWxAZWJjLWNvLmNvbXgAemltYnJhbWFuAFNTIVMzcnZpY2VzcEBzc3BocmFzZQ=

I can authenticate via telnet with . authenticate plain using these
passwords. If it's of any help to anyone, I put together a small script
to produce them:

#!/bin/bash
# Copyright 2009 by John A. Sullivan III, SSI Services, LP
# This script takes a file with a list of email accounts (accountfile) and
# produces a file containing Zimbra PLAIN AUTHENTICATION passwords
# (accountfile.pauth) in the current directory.
# Thus, be sure you have read rights where you run this script.

if [ -z "${1}" ];then
	echo "usage: $(basename "${0}") <accounts file name>"
	exit 5
fi

read -p "What is the admin email account name? " ADMIN
echo "Thank you"
read -s -p "Now what is the admin's password? " APW

LINE=
OFILE="$(basename "${1}").pauth"
: > "${OFILE}"
while read -r EADD
do
	echo "${EADD}"
	# PLAIN token: account NUL admin NUL admin password, base64-encoded (not encrypted)
	LINE="$(printf '%s\0%s\0%s' "${EADD}" "${ADMIN}" "${APW}" | openssl base64 | tr -d '\n')"
	echo -e "${EADD}\t${LINE}\n" >> "${OFILE}"
done < "${1}"

Here is a portion of voicemail.conf:

pollmailboxes=yes
pollfreq=60
; IMAP voice mail storage
imapserver=zimbra.ssiservices.biz
imapport=7143 ; Using the Zimbra IMAP proxy at 143 on this station - real IMAP listens on 7143
expungeonhangup=yes
imapfolder=INBOX
imapflags=notls
;authuser=manager at ssiservices.biz
;authpassword=password

imapgreetings=no

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
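Added example, not part of the original post: a small auditor for AUTHENTICATE PLAIN tokens of the kind the script above produces. It checks that a token decodes to three NUL-separated fields, shows that an unquoted `printf a\000b` emits no NUL bytes at all, and shows that the third field decodes straight back to the password, which is why a .pauth file and a session using imapflags=notls both need protecting. Account names and passwords are constructed sample values, and the function names are hypothetical.

```bash
#!/bin/bash
# Added example: build and audit SASL PLAIN tokens (authzid NUL authcid NUL password).
# All account names and passwords below are constructed sample values.

# Encode the three fields; the quoted format string makes printf emit real NUL bytes.
plain_token() {
    printf '%s\0%s\0%s' "$1" "$2" "$3" | base64 | tr -d '\n'
}

# Count NUL separators in a decoded token; a well-formed token has exactly 2.
nul_count() {
    local n
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | tr -cd '\000' | wc -c)
    echo $((n))
}

# Print field number $2 (1=authzid, 2=authcid, 3=password) of token $1.
plain_field() {
    printf '%s' "$1" | base64 -d 2>/dev/null | tr '\000' '\n' | sed -n "${2}p"
}

# Audit one token: reject malformed ones, report identities, never echo the password.
audit_token() {
    if [ "$(nul_count "$1")" -ne 2 ]; then
        echo "MALFORMED"
        return 1
    fi
    echo "authzid=$(plain_field "$1" 1) authcid=$(plain_field "$1" 2)"
}

# Constructed inputs: one good token, one built with the unquoted printf form,
# where the shell strips the backslashes and printf sees the literal text "000".
GOOD=$(plain_token 'user@example.test' 'admin@example.test' 'S4mple-Pass')
BAD=$(printf user@example.test\000admin@example.test\000S4mple-Pass | base64 | tr -d '\n')

audit_token "$GOOD"
audit_token "$BAD" || true
```

Running `plain_field "$GOOD" 3` returns the sample password unchanged, so file permissions on the token list and transport encryption are the only protection the credential has.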
John A. Sullivan III
2009-Jul-03 04:51 UTC
[asterisk-users] Zimbra IMAP authentication - SOLVED
On Thu, 2009-07-02 at 20:59 -0400, John A. Sullivan III wrote:
> Hello, everyone. No need to read this message. I'm posting for
> documentation for other poor, ignorant slobs like me who are struggling
> to pull together the many technologies to make converged networks
> happen. Hopefully, this will help save someone else the time I spent.
> I started the below email until I realized I had solved multiple parts
> of a compound problem but not all at the same time. When I put them
> together in the right order, it worked.
>
> I did not understand that I needed to use AUTHENTICATE PLAIN and that
> such authentication is a single string which pertains to the user and
> not the authuser. Then, once I got the right password parameter name
> and figured out that I could not use a distribution list rather than a
> real email account for shared voice mail (duh), it all fell into place.
> The configuration in the examples below works. It's a wonder to behold.
> Thanks Asterisk developers - John
>
>
> Hello, all. I'm having a nasty time trying to integrate Asterisk and
> Zimbra for voice mail. No matter whether I use imappassword=,
> imappasswd=, or imapsecret=, I get these errors:
>
> [Jul 2 19:54:26] WARNING[26609]: app_voicemail.c:2306 mm_log: IMAP Warning: SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
> [Jul 2 19:54:26] WARNING[26609]: app_voicemail.c:2306 mm_log: IMAP Warning: Retrying PLAIN authentication after AUTHENTICATE failed
> [Jul 2 19:54:26] WARNING[26609]: app_voicemail.c:2306 mm_log: IMAP Warning: SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
> [Jul 2 19:54:26] WARNING[26609]: app_voicemail.c:2306 mm_log: IMAP Warning: Retrying PLAIN authentication after AUTHENTICATE failed
> [Jul 2 19:54:26] WARNING[26609]: app_voicemail.c:2306 mm_log: IMAP Warning: SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
> [Jul 2 19:54:26] ERROR[26609]: app_voicemail.c:2309 mm_log: IMAP Error: Can not authenticate to IMAP server: AUTHENTICATE failed
> [Jul 2 19:54:26] ERROR[26609]: app_voicemail.c:1669 messagecount: Houston we have a problem - IMAP mailstream is NULL
>
> My voicemail.conf file has lines such as:
>
> 10 => xxxxx,Some User,,,imapuser=person at somewhere.com|imappassword=Y2xlcmljYWxAZWJjLWNvLmNvbXgAemltYnJhbWFuAFNTIVMzcnZpY2VzcEBzc3BocmFzZQ=
>
> I can authenticate via telnet with . authenticate plain using these
> passwords. If it's of any help to anyone, I put together a small script
> to produce them:
>
> #!/bin/bash
> # Copyright 2009 by John A. Sullivan III, SSI Services, LP
> # This script takes a file with a list of email accounts (accountfile) and
> # produces a file containing Zimbra PLAIN AUTHENTICATION passwords
> # (accountfile.pauth) in the current directory.
> # Thus, be sure you have read rights where you run this script.
>
> if [ -z "${1}" ];then
> 	echo "usage: $(basename "${0}") <accounts file name>"
> 	exit 5
> fi
>
> read -p "What is the admin email account name? " ADMIN
> echo "Thank you"
> read -s -p "Now what is the admin's password? " APW
>
> LINE=
> OFILE="$(basename "${1}").pauth"
> : > "${OFILE}"
> while read -r EADD
> do
> 	echo "${EADD}"
> 	# PLAIN token: account NUL admin NUL admin password, base64-encoded (not encrypted)
> 	LINE="$(printf '%s\0%s\0%s' "${EADD}" "${ADMIN}" "${APW}" | openssl base64 | tr -d '\n')"
> 	echo -e "${EADD}\t${LINE}\n" >> "${OFILE}"
> done < "${1}"
>
> Here is a portion of voicemail.conf:
>
> pollmailboxes=yes
> pollfreq=60
> ; IMAP voice mail storage
> imapserver=zimbra.ssiservices.biz
> imapport=7143 ; Using the Zimbra IMAP proxy at 143 on this station - real IMAP listens on 7143
> expungeonhangup=yes
> imapfolder=INBOX
> imapflags=notls
> ;authuser=manager at ssiservices.biz
> ;authpassword=password
>
> imapgreetings=no
>
>

Hmm . . . I shouldn't have celebrated so quickly. It suddenly all came
crashing down and I don't understand why. When I do a packet trace, the
strings being passed as the AUTHENTICATE PLAIN tokens are nothing like
the strings in the voicemail.conf file! Does the conf file want them in
a different format or is it doing something else with them?

Ah, it looks like another part of a compound problem - the age of the
c-client library. I am running on CentOS 5.3 but the library it uses is
from 2004. Perhaps it is the combination of very old libc-client and
very new Zimbra. I installed the latest recommended versions of c-client
(2007e), recompiled, went back to using a single authuser and
authpassword and all is working!

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society