salesagility / SuiteCRM-Core

SuiteCRM - Open source CRM for the world
https://www.suitecrm.com
GNU Affero General Public License v3.0

IMAP Inbound Email Account: Unable to create new Email-Account -> Missing Auth_SASL package -> DIGEST-MD5 authentication fails #419

Open nick-filmriss opened 10 months ago

nick-filmriss commented 10 months ago

Creating a new inbound email account failed when trying to select the Monitored Folders, Trash Folder or Sent Folder. The dialog to select the folders flashes very briefly once and the POST request fails with an HTML 500 status. The error message says: Can not authenticate to IMAP server: The Auth_SASL package is required for DIGEST-MD5 authentication.

When using a different mail server (which apparently does not support DIGEST-MD5) the creation of an inbound email account works as expected.

Expected Behavior

The dialog for selecting the folders should be displayed.

Actual Behavior

The dialog to select the folders flashes very briefly once and the POST request fails with an HTML 500 status.

Possible Fix

To temporarily fix the error I have removed DIGEST-MD5 from the following array in the javanile php-imap2 package: This causes the authentication mechanism to fall back to Basic Authentication and the creation of the email account works. However, this is certainly not the right thing to do!

vendor/javanile/php-imap2/src/Roundcube/ImapClient.php:

    // Use best (for security) supported authentication method
    $all_methods = array('DIGEST-MD5', 'CRAM-MD5', 'CRAM_MD5', 'PLAIN', 'LOGIN', 'XOAUTH2');

Steps to Reproduce

  1. install SuiteCRM
  2. login
  3. add new Inbound Email Account (no difference whether private or group)
  4. Fill in the required fields (Auth Type: Basic Auth, Protocol: IMAP, use SSL: true)
  5. Use a mail server that supports Digest-md5 (in my case: German Internet service provider (netcup))

Context

Basic setup of outgoing mail accounts when setting up SuiteCRM. Without the function to send emails, SuiteCRM is not usable for me.

Maybe related error in 7.14.1: https://github.com/salesagility/SuiteCRM/issues/10256

Your Environment

Logs

Error Log:

[INFO] Query Execution Time:0.00063419342041016
[DEBUG] Using imap handler class: Imap2Handler
[DEBUG] ImapHandlerFactory will using a Imap2Handler
[WARN] incorrect service given:
[DEBUG] ---------------STARTING FINDOPTIMUMS LOOP----------------
[DEBUG] 1: I-E testing string: {xxxx:993/service=imap/ssl/tls/validate-cert/secure}INBOX
[WARN] ImapHandler trying to set a non valid resource az stream.
[FATAL] An Imap error detected: "IMAP open error: Can not authenticate to IMAP server: The Auth_SASL package is required for DIGEST-MD5 authentication"
[FATAL] An Imap error detected: "IMAP open error | debug data"
[FATAL] An Imap error detected: "ImapHandler:open: {xxxx:993\/service=imap\/ssl\/tls\/validate-cert\/secure}INBOX"
[FATAL] An Imap error detected: "ImapHandler:open: xxxx@xxxx.de"
[FATAL] An Imap error detected: "ImapHandler:open: password is empty: no"
[FATAL] An Imap error detected: "ImapHandler:open: 0"
[FATAL] An Imap error detected: "IMAP open error | debug data end "
[FATAL] ImapHandler trying to use a non valid resource stream.
[FATAL] An Imap error detected: "IMAP open error:Can not authenticate to IMAP server: The Auth_SASL package is required for DIGEST-MD5 authentication"
[FATAL] ImapHandler trying to use a non valid resource stream.
[FATAL] ImapHandler trying to use a non valid resource stream.
[FATAL] An Imap error detected: "Can not authenticate to IMAP server: The Auth_SASL package is required for DIGEST-MD5 authentication"
[DEBUG] 1: I-E failed using [{***:993/service=imap/ssl/tls/validate-cert/secure}INBOX] - error: Can not authenticate to IMAP server: The Auth_SASL package is required for DIGEST-MD5 authentication

Expected log with different mail server (works despite the IMAP close error):

[INFO] Query Execution Time:0.00055909156799316
[DEBUG] Using imap handler class: Imap2Handler
[DEBUG] ImapHandlerFactory will using a Imap2Handler
[WARN] incorrect service given:
[DEBUG] ---------------STARTING FINDOPTIMUMS LOOP----------------
[DEBUG] 1: I-E testing string: {xxxx:993/service=imap/ssl/tls/validate-cert/secure}INBOX
[DEBUG] 1: I-E found good connect using [{xxxx:993/service=imap/ssl/tls/validate-cert/secure}INBOX]
[DEBUG] 1: I-E clearing error and alert stacks.
[DEBUG] ---------------end FINDOPTIMUMS LOOP----------------
[DEBUG] Localization: translating [{xxxx:993/service=imap/ssl/tls/validate-cert/secure}Trash] from UTF7-IMAP into UTF8
[DEBUG] Localization: translating [{xxxx:993/service=imap/ssl/tls/validate-cert/secure}Sent Items] from UTF7-IMAP into UTF8
[DEBUG] Localization: translating [{xxxx:993/service=imap/ssl/tls/validate-cert/secure}Sent] from UTF7-IMAP into UTF8
[DEBUG] Localization: translating [{xxxx:993/service=imap/ssl/tls/validate-cert/secure}Junk] from UTF7-IMAP into UTF8
[DEBUG] Localization: translating [{xxxx:993/service=imap/ssl/tls/validate-cert/secure}Drafts] from UTF7-IMAP into UTF8
[DEBUG] Localization: translating [{xxxx:993/service=imap/ssl/tls/validate-cert/secure}Deleted Items] from UTF7-IMAP into UTF8
[DEBUG] Localization: translating [{xxxx:993/service=imap/ssl/tls/validate-cert/secure}Archives] from UTF7-IMAP into UTF8
[DEBUG] Localization: translating [{xxxx:993/service=imap/ssl/tls/validate-cert/secure}INBOX] from UTF7-IMAP into UTF8
[WARN] Requested folder is not defined
[FATAL] An Imap error detected: "IMAP close error"

chris001 commented 10 months ago

Can you check and see if you have the php-imap module installed and enabled?

  1. Go to Admin, Diagnostic Tool, Output from phpinfo().
  2. Click Execute Diagnostic, Download the diagnostic file.
  3. In the zip file, view phpinfo.html.
  4. Search module_imap.
  5. If not found, install and enable php-imap. It should be able to login with DIGEST-MD5.
  6. Post back your results.

nick-filmriss commented 10 months ago

Many thanks for the quick reply. We have probably found the problem. The Docker container provided by Bitnami does not contain the Imap module. It can neither be installed in the container nor will bitnami fix it, as the module is apparently too old: https://github.com/bitnami/containers/issues/51877#issuecomment-1766661039

I will verify again on a local install.

nick-filmriss commented 10 months ago

I have now installed everything on Ubuntu 22.04.3 and also made sure that imap is installed: [screenshot]

Unfortunately, the error still exists unchanged.

chris001 commented 10 months ago

When you run this command from the command line:

pear channel-update pear.php.net
pear install Auth_SASL
sudo /opt/bitnami/scripts/apache/reload.sh

..and go to Admin, Email, New inbound email account again, what's the behavior?

EDIT: you may need to fully restart apache to get this new package used by PHP. In the container, run: sudo /opt/bitnami/scripts/apache/restart.sh (this will also restart the container).

nick-filmriss commented 10 months ago

Thank you very much. Installing it has fixed the error. I can now set up my inbound email inbox.

However, the next error follows immediately, which is already known: https://github.com/salesagility/SuiteCRM-Core/issues/363 My inbox also shows no sender and only (no subject). The fix shown in the issue also fixed it for me.

chris001 commented 10 months ago

Excellent @nick-filmriss glad your issues are fixed!

martinallen-exe commented 8 months ago

We've had the same issue that was reported, but just installing pear Auth_SASL didn't solve the issue. We're running on AlmaLinux 8.9 running Plesk - we have been able to install PEAR Auth_SASL manually, and verified this with a simple test script:

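<?php
// Load the PEAR Auth_SASL class; the file is resolved through PHP's include_path.
require_once('SASL.php');

// Report whether the global Auth_SASL class is now defined.
if (class_exists('Auth_SASL')) {
    echo 'PEAR Auth SASL is enabled';
} else {
    echo 'PEAR Auth SASL is NOT enabled';
}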

This replicates the check that the Javanile/php-imap2 package is doing, and triggers the error message. (we also had to make some changes to include_dirs, and open_basedir in our PHP setup specifically due to Plesk restrictions so that the PEAR files could be accessed)

However, we still got the same error message in SuiteCRM. What we have had to do is directly edit the Javanile\Imap2\Roundcube ImapClient.php to make some changes.

We removed the use Javanile\Imap2\Roundcub\Auth_SASL; statement - as this namespace doesn't actually exist in the package! Replaced this with require_once('SASL.php'); so now it loads the PEAR Auth_SASL class instead. Then when creating the Auth_SASL object it was still trying to use the namespace previously referenced, so had to change $auth_sasl = new Auth_SASL; to $auth_sasl = new \Auth_SASL;

Fundamentally, the issue is caused by the package referencing a namespace that doesn't exist, and then because of that it's not able to pick up the PEAR Auth_SASL that it should be using.
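The two points raised in this thread, as one added PHP example (not code from php-imap2, Roundcube or SuiteCRM): how an unqualified `Auth_SASL` resolves inside a namespaced file, and a mechanism picker that skips DIGEST-MD5 when the class cannot be loaded instead of aborting, while allowing PLAIN only over TLS. The namespace `Example\Imap`, the function names, the `Auth/SASL.php` include path and the capability line are assumptions made for illustration.

```php
<?php
// Added illustration; not code from php-imap2 or SuiteCRM. All names are hypothetical.
namespace Example\Imap;

/** Extract the AUTH= mechanisms from an IMAP CAPABILITY response line. */
function advertisedMechanisms(string $capabilityLine): array
{
    preg_match_all('/\bAUTH=([A-Z0-9_-]+)/i', $capabilityLine, $m);
    return array_map('strtoupper', $m[1]);
}

/** Is the PEAR class loadable? Assumes the PEAR layout Auth/SASL.php on include_path. */
function saslLoadable(): bool
{
    // String class names are always fully qualified, so this checks the global
    // \Auth_SASL even though this file declares a namespace.
    if (!class_exists('Auth_SASL', false) && stream_resolve_include_path('Auth/SASL.php')) {
        require_once 'Auth/SASL.php';
    }
    return class_exists('Auth_SASL', false);
}

/** Pick the first preferred mechanism that is advertised AND usable locally. */
function pickMechanism(array $advertised, bool $sasl, bool $tls): ?string
{
    foreach (['DIGEST-MD5', 'CRAM-MD5', 'PLAIN'] as $mech) {
        if (!in_array($mech, $advertised, true)) {
            continue;                       // server does not offer it
        }
        if ($mech === 'DIGEST-MD5' && !$sasl) {
            continue;                       // dependency missing: skip, do not abort
        }
        if ($mech === 'PLAIN' && !$tls) {
            continue;                       // never send a cleartext password without TLS
        }
        return $mech;
    }
    return null;
}

// An unqualified class name in code resolves against the current namespace at
// compile time; a leading backslash forces the global (PEAR) class instead.
echo Auth_SASL::class, PHP_EOL;
echo \Auth_SASL::class, PHP_EOL;

// Constructed sample capability line, not taken from the reporter's server.
$caps = '* CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5';
echo pickMechanism(advertisedMechanisms($caps), saslLoadable(), true), PHP_EOL;
echo pickMechanism(['DIGEST-MD5', 'PLAIN'], false, true), PHP_EOL;
```

The preference order mirrors the `$all_methods` line quoted earlier in the thread, reduced to three mechanisms.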

Neustradamus commented 1 month ago

Attention: DIGEST-MD5 is old and insecure, it has been replaced by SCRAM-SHA-X.

The ticket for compatibility in SuiteCRM:

pgorod commented 1 month ago

@Neustradamus do you know how to add that? Is it difficult to make a PR?

Neustradamus commented 1 month ago

@pgorod: SCRAM has been included in Auth_SASL/Auth_SASL2 by @Jehan a long time ago and improved recently by @schengawegga:

It has been added by @schengawegga in Net_SMTP, a big thanks:

Only -PLUS variants (Channel Binding) are not supported yet and SHA3-512 too.

@schengawegga: Can you reply to @pgorod's question?