Roundcubemail Forbidden - You don't have permission to access /webmail/ on this server

NethServer release 7.3.1611
RoundCubeMail

I have installed Roundcube and SOGo.
I can access without problems from the local network.
From the outside I can access SOGo, but when I open Roundcube it gives me the following error.

Forbidden - You don’t have permission to access /webmail/ on this server.

1 Like

I answer myself.

Looking at my file /etc/httpd/config.d/roundcubemail.conf
I had the following

<Directory /usr/share/roundcubemail/>

<IfModule mod_authz_core.c>
# Apache 2.4
Require ip 127.0.0.1 192.168.1.0/255.255.255.0
</IfModule>

<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from all
# Allow from 127.0.0.1 192.168.1.0/255.255.255.0
</IfModule>

</Directory>

I have modified it with the following …

<Directory /usr/share/roundcubemail/>

<IfModule mod_authz_core.c>
# Apache 2.4
# Require ip 127.0.0.1 192.168.1.0/255.255.255.0
Require all granted
</IfModule>

<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from all
Allow from all
# Allow from 127.0.0.1 192.168.1.0/255.255.255.0
</IfModule>

</Directory>

1 Like

You are discovering the template system: at the next update, your changes will be overwritten… but you found a bug.

after a clean install

[root@NS7DEV8 ~]# config show roundcubemail 
roundcubemail=configuration
    PluginsList=managesieve,markasjunk
    Server=localhost
    access=green,red

and we can read in /etc/e-smith/templates/etc/httpd/conf.d/roundcubemail.conf/10base

<IfModule mod_authz_core.c>
    # Apache 2.4
    Require {$OUT .= ( $roundcubemail{access} eq "public" ) ? "all granted" : "ip $localAccess" ;}
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from {$OUT .= ( $roundcubemail{access} eq "public" ) ? "all" : $localAccess ;}
</IfModule>

we will never have a public access

@giacomo what do you think ?

Hi,

Same problem here. NethServer works in a DMZ. I have no access from my internal local network.
But when I add my internal network 192.168.x.x to the trusted networks via the GUI, everything works fine.

Regards

Uwe

1 Like

Sorry, git blame points to @davidep

1 Like

You’re right, that commit should not be there because roundcube is not a “service” record, it’s a “configuration”.

We must revert it. However at this point we must either

  1. fix the template to support both DB values: “public” and “red,green”, or
  2. write down a DB migrate fragment that fixes the DB.

I’d go with 2.

I’d like to remove the access prop, since no other web application has something similar.

Bug filed
https://github.com/NethServer/dev/issues/5304

Edit: fix available from nethserver-testing

yum --enablerepo=nethserver-testing update nethserver-roundcubemail
2 Likes
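
Option 1 from the reply above (a template that accepts both DB values), as stand-alone Perl. This is an added example, not the NethServer template or the fix published in nethserver-testing; `is_public`, `acl_lines` and the sample `$local_access` value are hypothetical, and it assumes a zone list containing `red` is the new form of `public`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption (not stated outright in the thread): a zone list containing
# "red" is the new form of the legacy value "public".
sub is_public {
    my ($access) = @_;
    return 0 unless defined $access;
    return 1 if $access eq 'public';    # legacy single-value form
    # New form: comma-separated zones such as "green,red" or "red,green".
    my %zones = map { $_ => 1 } grep { length } split /[\s,]+/, lc $access;
    return $zones{red} ? 1 : 0;
}

# Returns the Apache 2.4 and Apache 2.2 directives for one access value.
# Missing or unrecognised values fall back to the local networks only.
sub acl_lines {
    my ($access, $local_access) = @_;
    $local_access = '127.0.0.1'
        unless defined $local_access && $local_access =~ /\S/;
    return ('Require all granted', 'Allow from all') if is_public($access);
    return ("Require ip $local_access", "Allow from $local_access");
}

# Constructed sample input; the network list mirrors the one quoted above.
my $local_access = '127.0.0.1 192.168.1.0/255.255.255.0';
for my $access ('public', 'green,red', 'red,green', 'green', 'private', undef) {
    my ($apache24, $apache22) = acl_lines($access, $local_access);
    printf "%-10s => %s | %s\n",
        defined $access ? $access : '(unset)', $apache24, $apache22;
}
```

Because unrecognised values resolve to the restricted branch, a typo in the DB prop cannot open webmail to outside networks.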

I disagree… any web application must have an access property. For example, in a school you might be interested in having an internal webmail.

Same for any of my web applications, e.g. php*admin… you are restricted to the LAN.

Yes davidep, now a migrate fragment is needed to set the same property value everywhere

1 Like

Did you find similar cases? I mean, in March I massively migrated the “access” prop to the new comma-separated form, compatible with the “Network services” page. As we’ve seen here, despite the code analysis I performed at that time, there can be some regressions/bugs.

Did you find other web applications that suffer from the same issue?

I did not see others, but it occurs for new installations… I found a bug in WordPress myself this week… we are not machines… only humans

2 Likes
