My Account email settings: SECURITY PROBLEM ... AUTH=PLAIN
droptix
2007-07-18, 08:07 AM
When editing my user account settings for email I'm doing this:
EMAIL OPTIONS
Email address: mail@domain.tld
[…]
OUTBOUND EMAIL SETTINGS
Mail transfer agent: SMTP
SMTP Server: smtp.domain.tld
Use SMTP Authentication: yes
SMTP Port: 25
INBOUND EMAIL SETTINGS
Mail server address: imap.domain.tld
Mail server protocol: IMAP
Mail server port: 143
Status: Active
User Name: droptix
Password: ********
Monitored Folder: INBOX
Advanced options:
Use SSL :no
Leave messages on server: yes (hum, we're talking about IMAP, do we? ;) )
Import only since last check: no
When pressing the button "Test Settings" the following error occurs:
SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
1) Why and what to do now? My email client (Thunderbird) has no problems with these settings.
2) When using IMAP, what is the option Leave messages on server for? Does SugarCRM provide a real IMAP mail client or does it import emails from my IMAP account to the SugarCRM database?
sanjaykatiyar1
2007-07-18, 08:57 AM
1.)
Mail server address: imap.domain.tld
Mail server protocol: IMAP
Mail server port: 143
Status: Active
User Name: droptix
Password: ********
Monitored Folder: INBOX
In the User Name : use the full mail id (like dropitx@.......tld)
2.) Leave Message On server means that if you checked this, mail will not be deleted from your mail server.
Yes, sugar imports mails from the mail server and stores them in the database
:)
droptix
2007-07-18, 09:14 AM
In the User Name : use the full mail id)
As I expected this didn't work because the user name for authentication is just droptix and not the whole email address droptix@domain.tld. Error:
Can not authenticate to IMAP server: Authentication failed.
Any other ideas? It seems that SugarCRM doesn't want to establish an unsecured (non SSL) connection...
Yes sugar imports mails from the mail server and store in the database
Why that? Wouldn't it be better to use PHPs POP3 and IMAP libraries to create a real webmail client? v.T.i.g.e.r uses them as it should be...
Blauwald
2007-08-02, 09:41 AM
SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
I have the same problem. Any ideas? The login is correct. Is it possible to switch off this safety examination?
I have the same problem. In my case it's related to using Dovecot as pop3 server. Dovecot assumes a connection is secure if remote_ip == local_ip (see explanation to disable_plaintext_auth in http://wiki.dovecot.org/MainConfig#head-41c13e34d97e3a72c90d913602bd09736f276b82).
The solution could be hacking modules/InboundEmail/InboundEmail.php to add another false positive case in function findOptimumSettings.
Regards,
maykel
spithost
2008-01-07, 11:49 AM
Hi Maykel,
Shouldn't someone enter it as a "bug" for Sugar? Or a VERY wanted feature to be able to switch this "check" off?
It doesn't happen with POP3 only but also with an IMAP-connection to Dovecot :(
As I am moving my email from a very old pop3-only-server to a more versatile Dovecot IMAP/POP3 solution it would be nice to have a "solution" of some sort within not too long a period.
Bye,
Klaus
sgandhi
2008-01-07, 07:02 PM
Hi All,
We are not able to reproduce this issue here. We tried without ssl and with ssl, either way it works. I also applied all the settings which moya mentioned.
If your mail server says that if you are coming from outside IP then you should be using ssl then what is wrong in not using ssl ?? Can one of you try with enable ssl and see if it works ??
Thanks
-Samir Gandhi
alexei379
2008-01-10, 11:05 AM
I had the same issue with the combination of SugarCRM 5a and DoveCot 1.0.5 both installed on the same Gentoo 2007 server.
Tried to connect using IMAP without SSL.
Using SSL checkbox and enabling SSL (if it is disabled :eek: ) in Dovecot solved the problem.
moff40
2008-02-01, 09:01 AM
I've tried a different email account with a simpler username/password, no help. Anybody have any idea how to fix this?
Sugar 4.5.1i
Trustix 2.2
Apache
PHP5
:confused:
tronics
2008-02-09, 07:48 PM
Hello!
This happens when you have the mailserver on a different IP and not using SSL (probably there are other cases as well)
Change line 2259 in modules/InboundEmail/InboundEmail.php
to:
if(!empty($retArray['good'])||1==1) {
Regards,
tronics
agcilantro
2008-02-14, 05:00 PM
When editing my user account settings for email I'm doing this:
EMAIL OPTIONS
Email address: mail@domain.tld
[…]
OUTBOUND EMAIL SETTINGS
Mail transfer agent: SMTP
SMTP Server: smtp.domain.tld
Use SMTP Authentication: yes
SMTP Port: 25
INBOUND EMAIL SETTINGS
Mail server address: imap.domain.tld
Mail server protocol: IMAP
Mail server port: 143
Status: Active
User Name: droptix
Password: ********
Monitored Folder: INBOX
Advanced options:
Use SSL :no
Leave messages on server: yes (hum, we're talking about IMAP, do we? ;) )
Import only since last check: no
When pressing the button "Test Settings" the following error occurs:
1) Why and what to do now? My email client (Thunderbird) has no problems with these settings.
2) When using IMAP, what for is the option Leave messages on server? Does SugarCRM provide a real IMAP mail client or does it import emails from my IMAP account to the SugarCRM database?
I am having the same problem in SugarCRM 5.0b using imap for 1and1. My SugarCRM installation is on a remote server at 1and1. Pop works fine, can't get IMAP to work with any combination of ssl on or off.
The error message i get is SECURITY PROBLEM ... AUTH=PLAIN etc.
Thanks for your help.
sdoyle
2008-04-09, 08:38 PM
Hello!
This happens when you have the mailserver on a different IP and not using SSL (probably there are other cases as well)
Change line 2259 in modules/InboundEmail/InboundEmail.php
to:
if(!empty($retArray['good'])||1==1) {
Thanks, that worked great! (in my file i think it was line 2260 but not hard to figure out).
I find it kind of absurd myself that they would choose to disallow the configuration of an email account because they deem my server to be too insecure because it merely accepts PLAIN as an authentication method for POP3. Even though most clients use MD5 anyway. It's rather beside the point though how (in)secure my mail server is. It's rather pretentious of them to prefer to take some kind of "moral high ground" vs. just letting it work. A warning prompt or a master default setting that needs to be changed would be a much more reasonable approach than letting someone's personal philosophy impede functionality.
exeon
2008-05-26, 04:42 PM
This is not a bug in SugarCRM but rather in the IMAP implementation of php.
when using the function imap_open it results in the imap error code:
SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
the imap server supports different authentication schemes and php does not like it if one of them is plain password authentication. i think this is very weird behavior.
i resolved this issue by editing
/etc/dovecot/dovecot.conf
and altering authentication:
auth default {
...
mechanisms = login gssapi
...
}
fbaragona
2008-06-02, 02:35 PM
In my own mail logs, I see that sugarcrm is sending passwords to the IMAP server in CRAM-MD5, which my server is not configured to receive. So I see aborted logins and am unable to receive mail (using 5.0.0e, btw). In theory, we should be able to choose at least from some of the following: plain digest-md5 cram-md5 ntlm rpa apop gssap, at least three or four of the most common. Especially considering that everybody has a different setup. Why force us to use CRAM-MD5? It just limits the functionality of sugarcrm.
So, does anybody have any clues on this? Is there any way to customize how sugar sends the authentication information?
gsadmin
2008-07-11, 05:37 PM
Has anyone solved this? I am having the same issue and tried the "1==1" thing above and no go. (Mine was in line 400 something though, nothing like it around 2259. Perhaps my version? 4.5.1h?)
Settings:
mail server: mail.solutioncenter.biz
protocol: pop3
port: 110
And the only checkbox marked is "Leave Messages On Server"
When I click on "Test Settings" I get what everyone else here is getting:
"SECURITY PROBLEM: insecure server advertised AUTH=PLAIN"
I tried the same exact settings in Thunderbird (pop3, 110, no ssl/tls/etc) and it worked perfectly. The server is exchange, not dovecot, and I have a hard time believing it's a bug in exchange server, perhaps a setting on exchange server?
Thanks!
gsadmin
2008-07-16, 11:53 PM
No reply? We've tried everything, it must be a Sugar bug as I doubt very much there is a bug in Exchange server over Sugar.
agcilantro
2008-07-22, 03:16 PM
I got Imap working on 5.0.0e but when I moved to 5.0.0f this security error came up again.
Digital13
2008-12-11, 02:39 AM
Hello!
This happens when you have the mailserver on a different IP and not using SSL (probably there are other cases as well)
Change line 2259 in modules/InboundEmail/InboundEmail.php
to:
if(!empty($retArray['good'])||1==1) {
Regards,
tronics
I am getting this error. What line is the one above supposed to replace? There is nothing on that line in my document or anything close to it.
jeff.esquivel
2009-01-10, 02:46 PM
Hi,
I think this problem is caused because php is interpreting a warning as an error, from /usr/share/doc/libc-client2002edebian/FAQ.txt.gz (on Debian Etch):
"The SECURITY PROBLEM came about because the server advertised
the AUTH=PLAIN SASL authentication mechanism outside of a
TLS-encrypted session, in violation of RFC 2595. This message
is just a warning, and in fact occurred after the server had
disconnected."
So, it should be safe to just ignore this error on Sugar, so what I did was to insert the following code into modules/InboundEmail/InboundEmail.php:
} elseif($errors == 'SECURITY PROBLEM: insecure server advertised AUTH=PLAIN') { // false positive
$GLOBALS['log']->debug($l.': I-E found good connect, but with SECURITY PROBLEM bug using ['.$serviceTest.']');
$retArray['good'][$k] = $returnService[$k];
$foundGoodConnection = true;
Just after:
} elseif($errors == 'Mailbox is empty') { // false positive
$GLOBALS['log']->debug($l.': I-E found good connect, but empty mailbox using ['.$serviceTest.']');
$retArray['good'][$k] = $returnService[$k];
$foundGoodConnection = true;
In the function findOptimumSettings on that file.
I'm using sugar Version 5.2.0 (Build 5380).
Hope that helps,
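The condition described in the c-client FAQ text quoted above (AUTH=PLAIN advertised outside a TLS session, against RFC 2595) can be checked from the server's capability line alone. The following is an added example, not part of the thread and not SugarCRM or PHP code: a Python check that parses an IMAP greeting or CAPABILITY response and lists the cleartext exposures. The function names and sample lines are constructed for illustration, and flagging AUTH=LOGIN and a missing LOGINDISABLED goes beyond the single PLAIN case the warning reports.

```python
import re

# SASL mechanisms that put the password itself on the wire
# (base64 is an encoding, not encryption).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_capabilities(line):
    """Return the capability atoms from an untagged CAPABILITY response or
    from a greeting that carries a [CAPABILITY ...] response code."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\* CAPABILITY (.*)$", line.strip(), re.I))
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def audit(line, tls_active):
    """List the cleartext-credential exposures visible in one capability line."""
    caps = parse_capabilities(line)
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    findings = []
    if tls_active:
        return findings  # PLAIN inside TLS is what RFC 2595 permits
    exposed = sorted(mechs & CLEARTEXT_MECHS)
    if exposed:
        findings.append("cleartext SASL advertised without TLS: " + ",".join(exposed))
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command allowed without TLS")
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS offered")
    return findings

# Constructed sample lines (not captured from any server in the thread).
SAMPLES = [
    ("* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] Dovecot ready.", False),
    ("* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready.", False),
    ("* CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 AUTH=PLAIN", False),
    ("* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN", True),
]

if __name__ == "__main__":
    for line, tls in SAMPLES:
        print(("TLS  " if tls else "plain"), line, "->", audit(line, tls) or "ok")
```

A server that returns an empty list on the plain-text port advertises STARTTLS and LOGINDISABLED and keeps its cleartext mechanisms for after TLS negotiation, which is the state in which the c-client warning does not fire.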
rgtft
2009-01-23, 03:11 PM
tronics, this was exactly our problem and your solution worked great!
FWIW, we are on SugarCRM Community edition Version 5.1.0b (Build 4905).
It was line 2,482 in modules/InboundEmail/InboundEmail.php
where we had to change the line to:
if(!empty($retArray['good'])||1==1) {
cafevino
2010-07-15, 08:32 PM
How would I do this for v5.5 community? I don't see an InboundEmail.php anywhere so far.