#!/bin/cat
$Id: FAQ.OnlineUI.txt,v 1.44 2023/05/09 13:05:44 gilles Exp gilles $

This document is also available online at
https://imapsync.lamiral.info/FAQ.d/
https://imapsync.lamiral.info/FAQ.d/FAQ.OnlineUI.txt

=====================================================================
   Imapsync tips about the online visual user interfaces
   https://imapsync.lamiral.info/X/
=====================================================================

Questions answered in this FAQ are:

Q. Can I launch several imap synchronizations on the visual 
   user interface /X?

Q. How secure is the online visual user interface /X?

Q. Does the online service store any sensitive information 
   like my passwords?

Q. Where is the entered data on the website be stored?

Q. I want to switch from the visual interface /X to the 
   imapsync command line or to the script examples
   https://imapsync.lamiral.info/#DOC_BASIC
   What should I know?

Q. Shall I have issues when the browser times out?
   What happens if the browser connection is closed for whatever reason?

Q. Shall I have issues when the webserver times out? What happens
   if the web server closes the connection for whatever reason?

Q. The sync stalls at the beginning, just after a line like:
   "Host1: xxx says it has CAPABILITY for AUTHENTICATE LOGIN"
   What is the problem?

Q. The synchronization fails with the error message like:
   Err 1/1: Host1 failure: Error login on [10.1.161.155] with user [webmaster@truc.com] auth [LOGIN]: 2 NO [ALERT] LOGIN DENIED -- COUNTRY IS BLACKLISTED

Now the questions again with their answers.

=====================================================================
Q. Can I launch several imap synchronizations on the visual 
   user interface /X?

A. Yes. Open several tabs/windows on your browser and fill each one
   with different credentials.

=====================================================================
Q. How secure is the online visual user interface /X?

A0. Well, I don't know if asking the provider whether his online
service is secure or not would be of any interest.
Let's do it anyway, you'll be the judge.

A1. Some figures

Date of this report: 20 February 2023

The online imapsync service /X started 9 January 2017,
6 years ago (2233 days of service, days_since_first_use_all_times).

On average in 2022, /X has 138 users per day, each user lunches on average
3 account migrations, from just one launch to many (hundreds).

The total volume /X transferred in 2022 is around 102 TiB coming 
from nearly 164 000 imap account migrations and 306 million email messages.
Data provided from commands "summary_display 2022" and "stat_all 2022".


A2. Pros & Cons

The online imapsync service /X runs on HTTPS only, with a letsencrypt
certificate, an up to date certificate overall rated "A+" at
https://www.ssllabs.com/ssltest/analyze.html?d=imapsync.lamiral.info

Because of the HTTPS usage, what the users enter in their browser, the
imap logins and passwords, can't be eavesdropped on the network.

Imapsync itself takes care of encryption for the imap sessions, if
possible. First, imapsync tries to use SSL on port 993, then TLS on
port 143 if the servers announce TLS, then no encryption at all.
Concerning encryption, what is done with the source imap server host1
is independent of what is done with the destination imap server host2.

On the date of 20 February 2023, there is no security problem detected
or reported to me (Gilles LAMIRAL), so far.

Concerning the Log4j threats, the imapsync server doesn't use Log4j at
all, so it should be safe about this issue.

Feel free to attack the service and feel free to report any hole
encountered. Have in mind that I can watch what you do from the
server-side, and then take measures if the service suffers from your
acts. Droping me a note before will be fair play and I will let you act
as harsh as you can.

As the owner of the service, it could have been 700 000 pairs of
credentials collected and nearly 340 terabytes of email messages.
That's massive. I haven't kept them but I can't prove I haven't. It's
just trust, like nearly every online service in the universe.

Concerning imapsync transfers, the imap server certificates are not
checked for authenticity by default because too many imap servers are
crappy configured regarding their certified certificates.

This default behavior is chosen like this because users of /X
want their emails transferred, instead of being not transferred
because of an incompetent or absent imap server sysadmin.

I admit that this part, checking imap ssl/tls certificates,
could be improved from my side by including well known
certificates directly in imapsync.

If an imap server doesn't honor ssl nor tls, then logins, passwords
and everything will go clear text during the imap transfers.  That's
not good at all! But what "comforts" me is that if an imap server does
only clear text transfers, then it's also true for all the imap
sessions the account owner encounters, imapsync is just one of them;
the imap servers are then always unsecured for any imap software
client.

Last point, who could be sure that no cracker cracked the online hosts
and that he isn't currently sniffing the credentials?

No one! I'm not sure myself, even if I do take care of that
possibility. So changing the imap accounts passwords after
the sync is a safe and recommended practice! You can even
change the password just after imapsync has started its job, 
just after a successful login. This way you know the previously 
given password is no longer working just after imapsync has
started its job.

=====================================================================
Q. Does the online service store any sensitive information 
   like my passwords?

A. No. The online passwords are kept by your browser. The goal is that
   the next time you run a sync from your browser, all the parameters
   are already there without having to re-enter them.  The save is
   done when you click on the "Sync or resync" green button. So, if
   you don't want your browser to keep your password, enter a wrong
   one or empty the password field and click on the "Sync or resync"
   green button, the wrong password will be saved in your browser and
   no sync will be done, since a correct login is mandatory to do
   anything on your mailboxes.

=====================================================================
Q. Where is the entered data on the website stored?

A. The logfile of the imapsync session, the output you see along the
   sync, also all dumped out at the end of a sync, is kept for a while
   in a dedicated temporary directory.  It helps me diagnosis what
   happened when you contact me for a problem. I also extract data to
   calculate statistics at the end of the month.

=====================================================================
Q. I want to switch from the visual interface /X to the 
   imapsync command line or to the script examples
   https://imapsync.lamiral.info/#DOC_BASIC
   What should I know?

A. Let's do some ascii art. 
   The visual interface looks roughly like this, for the textfields input part:

+------------------------------------------+------------------------------------------+
|          IMAP source Mailbox             |        IMAP destination Mailbox          |
|                                          |                                          |
| Login (usually an email address)         | Login (usually an email address)         |
|                                          |                                          |
|    test1                                 |    test2                                 |
|                                          |                                          |
| Password                                 | Password                                 |
|                                          |                                          |
|    secret1                               |    secret2                               |
|                                          |                                          |
| IMAP Server hostname (or its IP address) | IMAP Server hostname (or its IP address) |
|                                          |                                          |
|     test1.lamiral.info                   |     test2.lamiral.info                   |
|                                          |                                          |
+------------------------------------------+------------------------------------------+

Notice the 6 examples values I put in the previous "picture":

* test1
* secret1
* test1.lamiral.info

* test2
* secret2
* test2.lamiral.info


The corresponding imapsync command line on Windows is:

imapsync.exe  --host1 "test1.lamiral.info"  --user1 "test1" --password1  "secret1"  ^
              --host2 "test2.lamiral.info"  --user2 "test2" --password2  "secret2"

The order of the  parameters is whatever you want as long as you respect each pair 
like: --optionname "value"

There is no need to type this in a command prompt window, just use the example script 
https://imapsync.lamiral.info/examples/imapsync_example.bat


The corresponding imapsync command line on Linux is:

imapsync  --host1 "test1.lamiral.info"  --user1 "test1" --password1  "secret1"  \
          --host2 "test2.lamiral.info"  --user2 "test2" --password2  "secret2"

There is no need to type this in a command prompt window, just use the example script 
https://imapsync.lamiral.info/examples/imapsync_example.sh

=====================================================================
Q. Shall I have issues with the browser timing out?
   What happens if the browser connection is closed for whatever reason?

A. A browser connection closed closes also the imapsync process, 
   ie, the sync is ended right away.

Further comments on this behavior.

When using the /X interface there are three connections.
One connection is the Browser/WebServer connection,
the two other connections are the WebServer/ImapServers
connections (imapsync stuff).

If the Browser/WebServer connection timeouts or ends,
the imapsync sync is also ended immediately by the remote
Apache HTTPS server. Technically, Apache sends a TERM signal
to the imapsync process, then wait some seconds before
sending a KILL signal if the imapsync process is still alive.

You can relaunch the sync with the "Sync!" button, at any time.
If the "Sync!" button is gray/inactive then just reload
the page (F5 or similar), and reenter the credentials.

If the interface tells you that the sync is already going on,
it may be that the sync is running from another browser or place.
You can stop this sync with the "Abort!" button from any /X
tab/window, even from another browser or place. To be able
to abort with success, you have to give the same account
parameters, same credentials, or imapsync will ignore the demand.

In other words, you can try safely to launch several parallel
runs between the same mailboxes. Open a new tab/windows with /X,
and start the same sync. It's safe, the /X page will say that
there is already one sync running and it will present
the logfile running the sync like a "tail -f" command (isn't that magic?).

=====================================================================
Q. Shall I have issues when the webserver times out? What happens
   if the web server closes the connection for whatever reason?

A. If the webserver closes the connection then usually it also 
   kills the imapsync process and the imap connections as well.

The current webserver timeout at 
https://imapsync.lamiral.info/X/
is 3600 secondes, one hour.

=====================================================================
Q. The sync stalls at the beginning, just after a line like:
   "Host1: xxx says it has CAPABILITY for AUTHENTICATE LOGIN"
   What is the problem?

A. I've seen this issue on /X with the imap server
   CommuniGate Pro IMAP Server 6.0.11

The issue looks related to special characters in the password.
Solution for now: change the password, keep only standard (ASCII) 
alphanumeric characters ABC-YZ abc-yz 012-89.

=====================================================================
Q. The synchronization fails with the error message like:
   Err 1/1: Host1 failure: Error login on [10.1.161.155] with user [webmaster@truc.com] auth [LOGIN]: 2 NO [ALERT] LOGIN DENIED -- COUNTRY IS BLACKLISTED

A. The message "[ALERT] LOGIN DENIED -- COUNTRY IS BLACKLISTED" comes directly 
   from the IMAP server at 10.1.161.155

It looks like that the 10.1.161.155 imap server filters incoming 
connexions based on their IPS. In that case, here are the current 
IPs of the imapsync online service (September 2022):

ks5.lamiral.info      has address      91.121.221.224
ks5ipv6.lamiral.info  has IPv6 address 2001:41d0:2:84e0::1
ks6.lamiral.info      has address      5.39.87.81
ks6ipv6.lamiral.info  has IPv6 address 2001:41d0:8:9951::1
ks7.lamiral.info      has address      5.135.177.225
ks7ipv6.lamiral.info  has IPv6 address 2001:41d0:8:b8e1::1
ks8.lamiral.info      has address      5.135.176.149
ks8ipv6.lamiral.info  has IPv6 address 2001:41d0:8:b795::1
i050.lamiral.info     has address      213.32.72.139
i050ipv6.lamiral.info has IPv6 address 2001:41d0:302:1000::155d
vp3.lamiral.info      has address      51.178.81.27
vp3ipv6.lamiral.info  has IPv6 address 2001:41d0:404:200::4d81
vp4.lamiral.info      has address      51.38.34.201
vp4ipv6.lamiral.info  has IPv6 address 2001:41d0:305:2100::4c46

The imapsync online service may contact your imap server with one
or more of those IP addresses.

CPhulk of Cpannel has a buildin country block that can cause this behavior.
Later on you may encountered issues with maximum sessions per ip.
You can change that within cPannel.

https://support.cpanel.net/hc/en-us/articles/4406663082519-What-is-cPHulk-
https://docs.cpanel.net/whm/security-center/cphulk-brute-force-protection/

=====================================================================
=====================================================================
