[GH-ISSUE #553] Why am I getting "401 Unauthorized" jmap response? #400

New issue

Closed

opened 2026-02-25 21:34:56 +03:00 by kerem · 4 comments

kerem commented

2026-02-25 21:34:56 +03:00

Owner

Originally created by @smitgd on GitHub (Feb 17, 2022).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/553

💬 Question

I can now see what is being sent by cypht and cyrus when I attempt to setup a jmap account. With the same server and userid/password it works fine with an IMAP account. But it appears that authentication fails when I put in the same userid and password and click save with JMAP:

GET /jmap/.well-known/jmap/ HTTP/1.1
Host: wally.dbnet.lan
User-Agent: hm3
Authorization: Basic Z2V...
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: application/json
Accept: application/json

HTTP/1.1 401 Unauthorized
Date: Thu, 17 Feb 2022 00:38:17 GMT
Strict-Transport-Security: max-age=600
Vary: Accept-Encoding
WWW-Authenticate: Negotiate
WWW-Authenticate: Digest nonce="S80OufOzB6p8Md22XwiBJku+blFiF0uAWkkWTBKNn9Q=",realm="wally.dbnet.lan",qop="auth",charset=utf-8,algorithm=md5-sess
WWW-Authenticate: Basic realm="wally.dbnet.lan"
Content-Type: text/html; charset=utf-8
Content-Length: 441

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title>401 Unauthorized</title></head><body><h1>Unauthorized</h1><p>Authentication failed</p><hr><address>Cyrus-HTTP/3.4.3 Cyrus-SASL/2.1.27 Lib/XML2.9.12 Jansson/2.13.1 OpenSSL/1.1.1l Zlib/1.2.11 Brotli/1.0.9 Zstd/1.5.0 Xapian/1.4.18 LibiCal/3.0 ICU4C/67.1 SQLite/3.34.1 Server at wally.dbnet.lan Port </address></body></html>

I am running cypht and apache on a different host on local network than where the cyrus server resides (wally.dbnet.lan). I think I have enabled the "conversation db" as is required. But I don't think that would affect the basic authentication.
I tried to use the default cyrus-imap from fedora 34 since the version was new enough to support JMAP. However, it didn't work at all and after finally looking at "cyr_buildinfo" I see that jmap is not compiled into the rpm. So I had to build cyrus-imap from source.

Originally created by @smitgd on GitHub (Feb 17, 2022). Original GitHub issue: https://github.com/cypht-org/cypht/issues/553 ## 💬 Question I can now see what is being sent by cypht and cyrus when I attempt to setup a jmap account. With the same server and userid/password it works fine with an IMAP account. But it appears that authentication fails when I put in the same userid and password and click save with JMAP: ``` GET /jmap/.well-known/jmap/ HTTP/1.1 Host: wally.dbnet.lan User-Agent: hm3 Authorization: Basic Z2V... Cache-Control: no-cache, no-store, must-revalidate Content-Type: application/json Accept: application/json HTTP/1.1 401 Unauthorized Date: Thu, 17 Feb 2022 00:38:17 GMT Strict-Transport-Security: max-age=600 Vary: Accept-Encoding WWW-Authenticate: Negotiate WWW-Authenticate: Digest nonce="S80OufOzB6p8Md22XwiBJku+blFiF0uAWkkWTBKNn9Q=",realm="wally.dbnet.lan",qop="auth",charset=utf-8,algorithm=md5-sess WWW-Authenticate: Basic realm="wally.dbnet.lan" Content-Type: text/html; charset=utf-8 Content-Length: 441 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title>401 Unauthorized</title></head><body><h1>Unauthorized</h1><p>Authentication failed</p><hr><address>Cyrus-HTTP/3.4.3 Cyrus-SASL/2.1.27 Lib/XML2.9.12 Jansson/2.13.1 OpenSSL/1.1.1l Zlib/1.2.11 Brotli/1.0.9 Zstd/1.5.0 Xapian/1.4.18 LibiCal/3.0 ICU4C/67.1 SQLite/3.34.1 Server at wally.dbnet.lan Port </address></body></html> ``` I am running cypht and apache on a different host on local network than where the cyrus server resides (wally.dbnet.lan). I think I have enabled the "conversation db" as is required. But I don't think that would affect the basic authentication. I tried to use the default cyrus-imap from fedora 34 since the version was new enough to support JMAP. However, it didn't work at all and after finally looking at "cyr_buildinfo" I see that jmap is not compiled into the rpm. So I had to build cyrus-imap from source.

kerem closed this issue

2026-02-25 21:34:56 +03:00

kerem commented

2026-02-25 21:34:56 +03:00

Author

Owner

@smitgd commented on GitHub (Feb 21, 2022):

After resolving the authentication issue in https://github.com/cyrusimap/cyrus-imapd/issues/3929 I was now getting 404 error on the url in cypht when clicking test. My error was I had setup the jmap account url as http://server/jmap/ instead of just http://server/

@smitgd commented on GitHub (Feb 21, 2022): After resolving the authentication issue in https://github.com/cyrusimap/cyrus-imapd/issues/3929 I was now getting 404 error on the url in cypht when clicking test. My error was I had setup the jmap account url as ```http://server/jmap/``` instead of just ```http://server/```

kerem commented

2026-02-25 21:34:56 +03:00

Author

Owner

@jasonmunro commented on GitHub (Feb 22, 2022):

@smitgd Glad you got this sorted and thanks for posting - it might help someone else with similar issues. I am not aware of many users using jmap yet so there are likely some rough edges :) Please let us know if you run into trouble!

@jasonmunro commented on GitHub (Feb 22, 2022): @smitgd Glad you got this sorted and thanks for posting - it might help someone else with similar issues. I am not aware of many users using jmap yet so there are likely some rough edges :) Please let us know if you run into trouble!

kerem commented

2026-02-25 21:34:56 +03:00

Author

Owner

@smitgd commented on GitHub (Feb 23, 2022):

@jasonmunro Thanks for the reply. Not sure why I had so must trouble getting it to work but I have pretty much zero experience using http and json based protocols with authentication requirements.
One thing I noticed is that the JMAP RFC says that it MUST only be sent with TLS (https). However Cyrus and Cypht also work with port 80 and unencrypted JMAP (http). Seems technically a violation of the RFC but definitely handy for debug.

@smitgd commented on GitHub (Feb 23, 2022): @jasonmunro Thanks for the reply. Not sure why I had so must trouble getting it to work but I have pretty much zero experience using http and json based protocols with authentication requirements. One thing I noticed is that the JMAP RFC says that it MUST only be sent with TLS (https). However Cyrus and Cypht also work with port 80 and unencrypted JMAP (http). Seems technically a violation of the RFC but definitely handy for debug.

kerem commented

2026-02-25 21:34:56 +03:00

Author

Owner

@jasonmunro commented on GitHub (Feb 23, 2022):

Interesting observation! It seems reasonably to adhere to the RFC. However as a client in the server-client relationship we want to be flexible in what we accept (in the hopes that servers are inflexible in what they present). Sadly over the years I have coded many exceptions to the protocol rules to make Cypht work with more providers. As an example: https://github.com/jasonmunro/cypht/blob/master/modules/imap/hm-imap.php#L503 ("hashchildren" is invalid). We do accept plain text IMAP connections, consider a local IMAP server over localhost, there is really no reason for TLS. So for now I think we continue to accept port 80 JMAP. FYI you can get a limited amount of the IMAP conversation without sniffing packets by placing the following in the code:

elog($imap->show_debug(true, true))

You need to be in Cypht debug mode for this to work and of course the $imap object must be in scope. Could be helpful if you run into JMAP issues. Thanks again for the feedback!

@jasonmunro commented on GitHub (Feb 23, 2022): Interesting observation! It seems reasonably to adhere to the RFC. However as a client in the server-client relationship we want to be flexible in what we accept (in the hopes that servers are inflexible in what they present). Sadly over the years I have coded many exceptions to the protocol rules to make Cypht work with more providers. As an example: https://github.com/jasonmunro/cypht/blob/master/modules/imap/hm-imap.php#L503 ("hashchildren" is invalid). We do accept plain text IMAP connections, consider a local IMAP server over localhost, there is really no reason for TLS. So for now I think we continue to accept port 80 JMAP. FYI you can get a limited amount of the IMAP conversation without sniffing packets by placing the following in the code: ``` elog($imap->show_debug(true, true)) ``` You need to be in Cypht debug mode for this to work and of course the $imap object must be in scope. Could be helpful if you run into JMAP issues. Thanks again for the feedback!

kerem referenced this issue

2026-02-25 21:36:21 +03:00

[PR #463] [MERGED] Help links in emails (ex.: to unsubscribe from a mailing list) start email from current account #829