Query on mbsync for macOS

The wheels grind slowly here at Irreal but they do grind. I’m in the final stages of moving my email to Emacs in my neverending quest to run everything in Emacs. My specific intent is to run mu4e as my client and have mbsync take care of retrieving and syncing emails for my Apple mail account.

Sadly, I can’t get mbsync to connect with the Apple IMAP server. The relevant part of my .mbsyncrc is:

IMAPAccount icloud
Host IMAP.mail.me.com
User XXX
PassCmd "security find-generic-password -s mbsync-icloud-password -w"
Port 993
SSLVersions TLSv1.2
AuthMechs Login
#CertificateFile /usr/local/share/certs/ca-bundle.crt

When I run this with mbsync -D icloud, I get:

Logging in...
>>> 1 LOGIN <user> <pass>
1 NO [AUTHENTICATIONFAILED] Authentication failed
IMAP command 'LOGIN <user> <pass>' returned an error: NO [AUTHENTICATIONFAILED] Authentication failed

It makes no difference whether or not the CertificateFile line in the configuration is commented out. The security function on the PassCmd line does return my icloud password and even entering the password itself on a PASS line doesn’t work. It makes no difference whether the USER line is just my user name or my full email address.

I’ve consulted DuckDuckGo but I can’t find any examples of setting things up for macOS. If anyone has a working mbsync configuration for talking to Apple’s IMAP server, I’d really like to hear from you. Please leave a comment if you have any wisdom to impart.

UPDATE [2017-03-25 Sat 12:54] Andy Bold figured out the main problem. Since Sierra (I think) introduced two-factor authentication, you need to generate an application specific password for this sort of thing. Once I did that, mbsync connected to the Apple IMAP server without a problem. Now I’m dealing with the notoriously finicky Apple Mail service to get things downloaded. I’ll write up my adventures when I’m done.
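An added example, not part of the original post or of isync: a shell lint for a .mbsyncrc that flags a world-readable file, a cleartext Pass line, and a secret that is not shaped like an app-specific password. The function names are hypothetical, and the xxxx-xxxx-xxxx-xxxx lowercase format is an assumption about Apple's app-specific passwords that the post itself does not state.

```shell
#!/bin/sh
# Added example, not from the original post: lint an mbsync config for the
# credential handling discussed on this page. Function names are hypothetical.

# True if $1 has the xxxx-xxxx-xxxx-xxxx lowercase shape (assumed format of
# an Apple app-specific password; the post does not state the format).
is_app_password() {
    printf '%s\n' "$1" | grep -Eq '^[a-z]{4}(-[a-z]{4}){3}$'
}

# Print one finding per line for config file $1; print nothing if it is clean.
# Never prints the password itself.
lint_mbsyncrc() {
    rc=$1
    # Octal permission bits: GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c %a "$rc" 2>/dev/null || stat -f %Lp "$rc")
    case $mode in
        *00) ;;
        *) echo "perms: mode $mode lets group/other access $rc; use chmod 600" ;;
    esac
    pw=
    if grep -Eq '^[[:space:]]*Pass[[:space:]]' "$rc"; then
        # A literal Pass line keeps the secret in cleartext on disk.
        echo "cleartext: Pass line found; prefer PassCmd backed by the keychain"
        pw=$(sed -En 's/^[[:space:]]*Pass[[:space:]]+"?([^"]*)"?[[:space:]]*$/\1/p' "$rc" | head -n 1)
    elif grep -Eq '^[[:space:]]*PassCmd[[:space:]]' "$rc"; then
        # Run the configured command to obtain the secret for the shape check.
        cmd=$(sed -En 's/^[[:space:]]*PassCmd[[:space:]]+\+?"(.*)"[[:space:]]*$/\1/p' "$rc" | head -n 1)
        pw=$(sh -c "$cmd" 2>/dev/null) || pw=
    else
        echo "missing: neither Pass nor PassCmd is set"
        return 0
    fi
    is_app_password "$pw" ||
        echo "format: secret is not shaped like an app-specific password"
    return 0
}
```

Source the file and run lint_mbsyncrc ~/.mbsyncrc; a "format" finding with a working PassCmd suggests the keychain item still holds the regular account password instead of an app-specific one.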

  • krisbrowne42

    When I comment out SSLType, AuthMechs, SSLVersions, I get farther in the process, it looks like it finishes the authentication, though it is still stalling out in the handshake process. Going to try mixing and matching some variations to see if I can get it behaving.

    • jcs

      Looks like it hangs before the authentication when I try that. Thanks for your input. Let me know if you have any success.

      • krisbrowne42

        Narrowing it down with AuthMech PLAIN goes further (apparently that's trumped by atoken unless you explicitly pick it) but then it fails with a similar message to what you started with.

        • jcs

          I got a bit further by uncommenting SSLType and SSLVersions and setting AuthMechs to *.

  • andybold

    OK. I managed to get this working by doing the following:

    1) Compiled the latest isync from source (isync 1.3.0)
    2) I then realised that I'd locked myself out of my Apple ID when I went to appleid.apple.com to create a new app-specific password. So that's worth checking...
    3) After resetting my iCloud password (1Password to the rescue with my 2FA recovery key), I created a new app specific password for mbsync. (All my app specific passwords have gone, probably as part of the account lock and reset.)
    4) mbsync worked first time once I'd done that. Settings are exactly as above, though worth noting that my user name has the @me.com domain name, and I had 'Pass' in my .mbsyncrc to keep things simple.

    I think the key here was resetting the password. Whatever I'd done to lock myself out (probably pinging Apple IMAP servers with bad SASL auth options), the reset did the trick.

    And now I'm all out of reasons to not waste^Winvest my evening in investigating mu4e.


    Edit to add: I'm on Sierra, and compiled isync using openssl from Homebrew. I.e., with "./configure --with-ssl=/usr/local/opt/openssl".

    • jcs

      Ah. I'd forgotten all about the Apple application specific password thing. I'm sure that's the problem. Thanks for the input.

      • andybold

        You're very welcome.

        What was odd was that I set up an app specific password before I started digging into this, and that failed with the same 'AUTHENTICATION FAILED' errors that you saw. It was only when I went back into appleid to start fresh and create a new password that I found the account locked. As soon as I reset my password, and then created a new app password, that everything started to work.