Outdated mailspring-provider-settings for @ucsd.edu accounts

Bug Reports
#1

Description

Can’t connect with a @ucsd.edu account since the template in mailspring-provider-settings.json is outdated.

To Reproduce…

Steps to reproduce the behavior:

  1. Under menu, pick “Add Account”
  2. Select Gmail or G Suite (since mine is a Google Workspace account)
  3. Pick my ucsd account on the Google OAuth page and allow access

Expected Behavior

My account gets added to Mailspring.

Screenshots

image
image788×471 19.1 KB

Console log:

Using Mailspring Template: {
  "imap_host": "mail.ucsd.edu",
  "imap_port": "993",
  "imap_security": "SSL / TLS",
  "imap_user_format": "email-without-domain",
  "smtp_host": "smtp.ucsd.edu",
  "smtp_port": "587",
  "smtp_security": "STARTTLS",
  "smtp_user_format": "email"
}

Setup

  • OS and Version: Windows 10 Home 21H1 build 19043.1645
    • Installation Method: installer
  • Mailspring Version: 1.10.3-a476c230

Additional Context

I think UCSD switched to Google Workspace and Office 365 Exchange a while ago, and the mail servers in mailspring-provider-settings.json are no longer used.

https://blink.ucsd.edu/technology/email/tasks/clients/

I think simply deleting the UCSD template from mailspring-provider-settings.json will solve the issue. People with a @ucsd.edu account will use either the Gmail or the Office 365 option to set up their account (which works for my accounts at other institutions that use Google Workspace).

#2

I did a custom build and removed the UCSD template. Now I get this:

"Using Mailspring Template: {
  "imap_host": "imap.gmail.com",
  "imap_port": "993",
  "imap_security": "SSL / TLS",
  "imap_user_format": "email",
  "smtp_host": "smtp.gmail.com",
  "smtp_port": "465",
  "smtp_security": "SSL / TLS",
  "smtp_user_format": "email"
}"

...

Error: Gmail IMAP is not enabled. Visit Gmail settings to turn it on. (IMAP)
    at ChildProcess.<anonymous> (file:///C:/Users/Yichi Yang/Documents/Others/Mailspring/app/src/mailsync-process.ts:228:27)
    at ChildProcess.emit (node:events:390:28)
    at ChildProcess.emit (node:domain:475:12)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5) {
  rawLog: '----------IMAP----------\n' +
    'connect <mailcore::IMAPSession:00CFF304>\r\n' +
    '* OK Gimap ready for requests from 76.87.62.170 bc25mb166984290oib\r\n' +
    'ssl connect imap.gmail.com 993 2\r\n' +
    'OpenSSL version: OpenSSL 1.1.0f  25 May 2017\r\n' +
    '1 CAPABILITY\r\n' +
    '* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH=XOAUTH\r\n' +
    '1 OK Thats all she wrote! bc25mb166984290oib\r\n' +
    'connect ok\r\n' +
    'login\r\n' +
    '2 AUTHENTICATE XOAUTH2 <SASL XOAUTH2 Client Response>\r\n' +
    '+ eyJzdGF0dXMiOiI0MDAiLCJzY2hlbWVzIjoiQmVhcmVyIiwic2NvcGUiOiJodHRwczovL21haWwuZ29vZ2xlLmNvbS8ifQ==\r\n' +
    '\r\n' +
    '2 NO [ALERT] IMAP access is disabled for this mail client for your domain. Please contact your domain administrator for questions about this feature. (Failure)\r\n'

The SASL XOAUTH2 Client Response decodes to 'user=<my-username>@ucsd.edu\x01auth=Bearer <OAUTH2 TOEKN>\x01\x01' and looks well-formed to me. The next line, however, decodes to: '{"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}'.

So I guess the OAuth2 token we used to authenticate with the IMAP server is somehow not valid?

The weird part is I have IMAP enabled and apparently Thunderbird works fine with this account (IMAP).

Edit: I tried connecting my other Google Workspace .edu account (managed by another institution) using the dev build. It works fine and reports the same template (the imap.gmail.com one) in console logs. I guess it has something to do with Google Workspace settings specific to each institution? I would appreciate pointers to how I can collect more information and help debug.

This might be helpful:

#3

I am really unsure where this comes from (as I mainly work on the Mailspring frontend). I think that you can allow/block certain applications for the full workspace. Maybe this is the case here if the reported error is true:

#4

I tried Thunderbird (authenticate with OAuth2) and that worked for me, so I think (at least in some cases?) IMAP isn’t disabled.

I looked at the Thunderbird IMAP log, but the interesting part ( things after AUTHENTICATE XOAUTH2) was replaced with *** for security reasons (and in general I don’t think there’s an easy way for me to check if a OAuth2 token is valid) so that wasn’t helpful. Maybe Thunderbird is using a slightly different authentication flow under the hood?