
#73 add support for imap id extension

unknown
open
None
unknown
5
2025-10-10
2024-02-24
shanyi
No

Unsafe login with 163 emails

env

version: e70c300f7446ba6ec1259f459a0f0e1d2d592ed9
OS: MacOS

~/.mbsyncrc

IMAPAccount 163account1
Host imap.163.com
User xxx
Pass xxxx
TLSType IMAPS
AuthMechs LOGIN
Port 993

IMAPStore 163account1-remote
Account 163account1

MaildirStore 163account1-local
Path ~/Mail/163account1/
INBOX ~/Mail/163account1/INBOX
SubFolders Verbatim

Channel 163account1
Far :163account1-remote:
Near :163account1-local:
Patterns *
Create Both
Expunge Both
SyncState *

error

run mbsync -a, then...

......
Opening far side box INBOX...
F: [ 66] Enter open_box
F: >>> 11 SELECT "&g0l6P3ux-"
F: [ 66] Leave open_box
Opening near side box INBOX...
F: [ 65] Callback leave open_box
F: 11 NO SELECT Unsafe Login. Please contact kefu@188.com for help
F: [ 66] Callback enter open_box, sts=2
Error: channel 163account1: both far side INBOX and near side INBOX cannot be opened.
F: Enter free_store
F: Leave free_store
N: Enter free_store
N: Leave free_store
F: >>> 12 LOGOUT
F: >>> 26 LOGOUT
F: [ 66] Callback leave open_box
F: * BYE IMAP4rev1 Server logging out
F: 12 OK LOGOUT completed
F: * BYE LOGOUT received
F: 26 OK LOGOUT Completed
Processed 14 box(es) in 2 channel(s),
pulled 0 new message(s) and 0 flag update(s),
expunged 0 message(s) from near side,
pushed 0 new message(s) and 0 flag update(s),
expunged 0 message(s) from far side.

F: 11 NO SELECT Unsafe Login. Please contact kefu@188.com for help

Solution to the error

The IMAP server at imap.163.com implemented the IMAP ID extension. To successfully authenticate, the IMAP client must send a client ID.

ref:

I tried to modify the source code, but I am not familiar with the C language, so it is impossible for me to deal with. I hope it can be repaired as soon as possible. Thank you very much.

Discussion

  • Oswald Buddenhagen

    i can implement that, but the RFC states rather plainly that the server must not make operation dependent on it. it is blatantly and intentionally violating the standard.

     
    • shanyi

      shanyi - 2024-02-25

      I completely agree with your perspective. This security check is nonsense.

       
    • shanyi

      shanyi - 2024-02-25

      However, I believe that implementing this feature could greatly benefit users facing similar challenges without compromising the project's integrity.

      Given the significant user base and the widespread use of NetEase services, accommodating their requirements becomes essential for ensuring compatibility and user satisfaction. While it's not ideal to have to adjust for such specific demands, doing so can help maintain a seamless experience for a large number of users.

      To address this, I propose adding a configurable option within our application. This way, users who need to interact with NetEase's servers can enable this feature, while others can leave it disabled, thus adhering to the standard behavior. This approach allows for flexibility and respects the diverse needs of our user base.

      Thank you very much for considering this request. I am truly grateful for your efforts in maintaining isync and for your commitment to its users. Your work does not go unnoticed, and I look forward to any possibility of accommodating this feature in the future.

       
  • Oswald Buddenhagen

    is 163.com still misbehaving this way?

     
  • Oswald Buddenhagen

    • status: open --> wont-fix
     
  • Oswald Buddenhagen

    due to lack of followup i'm assuming that this has become a non-issue.

     
  • Derren Brown

    Derren Brown - 2025-09-30

    I have written an email to kefu@188.com on this issue. In the meantime, would you consider implementing this?

     
    • Oswald Buddenhagen

      so it appears that the various netease domains weren't fixed ....

       
      • Derren Brown

        Derren Brown - 2025-09-30

        126.com, 163.com and possibly 188.com. from the response I get, I don't think they have any plan to fix this though. I couldn't even get to the tech team

         
  • Oswald Buddenhagen

    • summary: Unsafe login with 163 emails --> add support for imap id extension
    • status: wont-fix --> open
     
  • Derren Brown

    Derren Brown - 2025-09-30

    they only offer this, as @shanyi posted in the link (https://help.mail.163.com/faqDetail.do?code=d7a5dc8471cd0c0e8b4b8f4f8e49998b374173cfe9171305fa1ce630d7f67ac2eda07326646e6eb0):

    ******************** Code block start ********************

    Properties props = new Properties();
    props.setProperty("mail.store.protocol", "imap");
    props.setProperty("mail.imap.host", "imap.163.com");
    props.setProperty("mail.imap.port", "143");

    HashMap<String, String> IAM = new HashMap<>();
    // Include the IMAP ID information, made up of key/value pairs, e.g. name, version, vendor, support-email.
    IAM.put("name", "myname");
    IAM.put("version", "1.0.0");
    IAM.put("vendor", "myclient");
    IAM.put("support-email", "testmail@test.com");
    Session session = Session.getInstance(props);

    IMAPStore store = (IMAPStore) session.getStore("imap");
    // Replace the account and authorization code below with your own
    store.connect("testmail@163.com", "password");

    store.id(IAM);

    ******************** Code block end ********************
    
     
  • Derren Brown

    Derren Brown - 2025-10-09

    I asked a coding agent to fix this for me. Here's what I got:

    it a/src/drv_imap.c b/src/drv_imap.c
    index 9b170ab..7b7f607 100644
    --- a/src/drv_imap.c
    +++ b/src/drv_imap.c
    @@ -9,6 +9,7 @@
     #include "imap_p.h"
    
     #include "socket.h"
    +#include "config.h"
    
     #include <ctype.h>
     #include <sys/wait.h>
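
    Review bot: the added `#include "config.h"` goes in after `imap_p.h` and `socket.h`, yet the last hunk depends on it for `PACKAGE` and `PACKAGE_VERSION`. Check whether one of the existing headers already pulls it in, in which case this line is redundant; if it is needed, move it ahead of the project headers so they are compiled against the same configuration macros.
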
    @@ -2088,6 +2089,8 @@ static void imap_open_store_authenticate_p3( imap_store_t *, imap_cmd_t *, int )
     static void imap_open_store_authenticate2( imap_store_t * );
     static void imap_open_store_authenticate2_p2( imap_store_t *, imap_cmd_t *, int );
     static void imap_open_store_authenticate2_p3( imap_store_t *, imap_cmd_t *, int );
    +static void imap_open_store_id( imap_store_t * );
    +static void imap_open_store_id_p2( imap_store_t *, imap_cmd_t *, int );
     static void imap_open_store_compress( imap_store_t * );
     #ifdef HAVE_LIBZ
     static void imap_open_store_compress_p2( imap_store_t *, imap_cmd_t *, int );
    @@ -2718,7 +2721,7 @@ imap_open_store_authenticate2_p2( imap_store_t *ctx, imap_cmd_t *cmd ATTR_UNUSED
                    if (!ctx->caps || ctx->capability_hack)
                            imap_exec( ctx, NULL, imap_open_store_authenticate2_p3, "CAPABILITY" );
                    else
    
    -                       imap_open_store_compress( ctx );
    +                       imap_open_store_id( ctx );
            }
     }
    
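
    Review bot: in this `else` branch the capability list is already known (`ctx->caps` is set and no re-query is needed), but the replacement call `imap_open_store_id( ctx )` goes ahead whether or not the server advertised ID. Gate the step on that capability, here or at the top of `imap_open_store_id`, and fall through to `imap_open_store_compress( ctx )` otherwise, so servers that never offered the extension are not sent a command they do not know.
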
    @@ -2728,7 +2731,26 @@ imap_open_store_authenticate2_p3( imap_store_t *ctx, imap_cmd_t *cmd ATTR_UNUSED
            if (response == RESP_NO)
                    imap_open_store_bail( ctx, FAIL_FINAL );
            else if (response == RESP_OK)
    
    -               imap_open_store_compress( ctx );
    +               imap_open_store_id( ctx );
    +}
    +
    +static void
    +imap_open_store_id( imap_store_t *ctx )
    +{
    +       /* Always send ID command with hardcoded client information */
    +       if (DFlags & DEBUG_NET)
    +               printf( "%s: Sending ID command\n", ctx->label );
    +
    +       imap_exec(ctx, NULL, imap_open_store_id_p2,
    +                 "ID (\"name\" \"%s\" \"version\" \"%s\" \"vendor\" \"%s\")",
    +                 PACKAGE, PACKAGE_VERSION, PACKAGE);
    +}
    +
    +static void
    +imap_open_store_id_p2( imap_store_t *ctx, imap_cmd_t *cmd ATTR_UNUSED, int response ATTR_UNUSED )
    +{
    +       /* ID command is optional, so we ignore failures and continue */
    +       imap_open_store_compress( ctx );
     }
    
     static void
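
    Review bot: `imap_open_store_id_p2` continues to `imap_open_store_compress( ctx )` on every response value, while `imap_open_store_authenticate2_p3` just above it continues only on `RESP_OK` and bails on `RESP_NO`. Tolerating a NO matches the comment, but any response other than OK or NO should be handled as the neighbouring callback handles it, by not continuing. The `/* Always send ID command ... */` path also has no off switch; a per-account option, as proposed earlier in the thread, would limit the client identification to the servers that need it.
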
    

    Happy to say it actually worked!
    I'm no C expert, but it looks to me like the code just injects an ID command after authentication. Would you take a look at this? I don't know how to do a pull request on this site. @ossi

     

    Last edit: Derren Brown 2025-10-09
    • Oswald Buddenhagen

      which coding agent exactly was that?

      the patch looks about correct, except that the actual ID string is mildly stupid. i'll have to check the spec for the correct fields and command order.

       
      • Derren Brown

        Derren Brown - 2025-10-10

        Zed editor with a deepseek chat model
        to be fair, it did a lot of capability and domain checks, i asked it to remove those
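
As an added example that is not part of the thread and is not isync code, the following C builds the ID command discussed above only when the server advertises the ID capability, applies the limits RFC 2971 section 3.3 places on field/value pairs, and quotes values so that no CR/LF or unescaped quote can reach the wire. The names `id_pair_t`, `caps_have_id`, `put` and `build_id_command` are hypothetical, and the capability list is assumed to be an upper-case, space-separated string.

```c
#include <string.h>

enum { ID_MAX_PAIRS = 30, ID_MAX_FIELD = 30, ID_MAX_VALUE = 1024 }; /* RFC 2971, 3.3 */
typedef struct { const char *field, *value; } id_pair_t;            /* value NULL => NIL */

/* 1 if the capability list has the exact atom "ID" ("IDLE", "UIDPLUS" do not match). */
static int caps_have_id(const char *caps)
{
    for (const char *p = caps; (p = strstr(p, "ID")) != NULL; p += 2)
        if ((p == caps || p[-1] == ' ') && (p[2] == ' ' || p[2] == '\0'))
            return 1;
    return 0;
}

/* Append s to out; quoted != 0 wraps it as an IMAP quoted string, escaping '"' and
 * '\' and refusing control characters (CR/LF included) and 8-bit bytes. */
static int put(char *out, size_t cap, size_t *pos, const char *s, int quoted)
{
    if (quoted && put(out, cap, pos, "\"", 0)) return -1;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        int esc = quoted && (c == '"' || c == '\\');
        if (quoted && (c < 0x20 || c >= 0x7f)) return -1;
        if (*pos + 1 + (size_t)esc >= cap) return -1;   /* keep room for the NUL */
        if (esc) out[(*pos)++] = '\\';
        out[(*pos)++] = (char)c;
    }
    return quoted ? put(out, cap, pos, "\"", 0) : 0;
}

/* Returns the command length, 0 when the server does not advertise ID (send
 * nothing), -1 when the input breaks an RFC 2971 limit or does not fit in out. */
int build_id_command(const char *caps, const id_pair_t *kv, size_t n, char *out, size_t cap)
{
    size_t pos = 0;
    if (!caps_have_id(caps)) return 0;
    if (n > ID_MAX_PAIRS || put(out, cap, &pos, n ? "ID (" : "ID NIL", 0)) return -1;
    for (size_t i = 0; i < n; i++) {
        if (!*kv[i].field || strlen(kv[i].field) > ID_MAX_FIELD) return -1;
        if (kv[i].value && strlen(kv[i].value) > ID_MAX_VALUE) return -1;
        for (size_t j = 0; j < i; j++)                   /* each field at most once */
            if (strcmp(kv[j].field, kv[i].field) == 0) return -1;
        if ((i && put(out, cap, &pos, " ", 0)) || put(out, cap, &pos, kv[i].field, 1)
            || put(out, cap, &pos, " ", 0)) return -1;
        if (put(out, cap, &pos, kv[i].value ? kv[i].value : "NIL", kv[i].value != NULL)) return -1;
    }
    if (n && put(out, cap, &pos, ")", 0)) return -1;
    out[pos] = '\0';
    return (int)pos;
}
```

The result carries no tag and no CRLF; the caller adds both when sending. An empty pair list yields `ID NIL`, which identifies nothing about the client.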

         
