Rspamd configuration page credential error when based on 7.9.2009 ISO

Hello all,

it seems that when installing Nethserver based on the latest nethserver-7.9.2009-x86_64.iso there is some configuration mistake that leads to the rpsamd webinterface configuration page (h**ps:// not being able to properly login.

I will post the information like passwords unscrambled, they are from a local test installation anyhow.

Opening the page (regardless if opened from Cockpit or standalone, providing credentials) makes the page request two addresses:

  1. GET h**ps://rspamd:UsRr1L_CIAdMgKiK@
    Results in a “403 Forbidden”.

  2. GET h**ps://rspamd:UsRr1L_CIAdMgKiK@
    Results in a “200 OK” and seems to return the expected JSON object.

This results in the webinterface in showing two messages:

  • “local > Request failed: Forbidden”
  • “Request failed”

How to reproduce

  1. Start with nethserver-7.9.2009-x86_64.iso
    No special instructions for installation. Root password has been set, no user created.

  2. Once installation is done, login to cockpit on port 9090 as root.

  3. Set FQDN and install the mail server from the software collection.
    No need to update the packages first (also tested with updating first, no change).

Further information/tests done

  1. Previously used (on another server) nethserver-7.8.2003-x86_64.iso does not show this problem.

  2. Upgrading and updating 7.8.2003 to the latest version available via the “Software Center” does not show this problem, which is the reason why I myself and most other users might not have ran into this yet when using their existing installations.

  3. When upgrading and updating 7.8.2003, it does not matter if you install the mail server package before or after the upgrade/update. Both ways result in a working configuration page.

  4. Using different credentials to open the Rspamd interface (with credentials of a user in domain admin group does not work either). Easiest way:
    You might have to setup a port forwarding to use another port (or reconfigure the Rspamd web port from 980 to something else) if your browser does not allow you to use other credentials. This can be done for example using “socat”:
    socat tcp-listen:9800,reuseaddr,fork tcp:localhost:980

I did find other promising topics but in the end they did not match this specific problem and ended in solutions that do not seem to be related to this behavior.

Hope this helps to identify/solve this problem if other are experiencing this as well (which new users most likely do).



Thank you for your sharing your experiances.

Today I got the same error within a fresh installed server.

  • Installed Nethserver 7.9
  • updated “-”
  • installed active directory
  • created LE-certs
  • created users
  • installed mail server

I logged into Rspamd with the Nethserver Admin and got the same error.

Then I used your tip (h**ps://user_in_domain_admin_group:pass@ and logged in with an additional domain admin user – no success, the error persists.

I am really surprised about this previously unknown error.

Does anybody have an idea?
Sincerely, Marko

I reinstalled the server without updating. Now Rspamd works without errors.
Just now I will update.

Thanks, Marko

ps.: after update NS the error exists again

I identified the problem: The admin-Pw starts with a “:” (colon).
Therefore, the resulting URL is h**ps://user_in_domain_admin_group::anything@ with a double colon in the middle.

After the change of the PW all works fine.
But it remains a mystery to me why I have to change the PW via URL first and it doesn’t just take the PW from the AD user.
Sincerely, Marko

1 Like

Maybe @stephdl has an idea on it.

we store a password in /var/lib/nethserver/secrets/rspamd, does it got a :

EDIT: you stated

could you confirm it that the password start by a :

We should not have the double colon in our password, it is not a true symbol


I confirm it

I also have a # and a . within the PW.
If there are any limitations, that should be communicated and validated. I myself deliberately leave the choice of password to my password manager at random.

If a wrongly chosen (even root) password (according to nomenclature rules by NethServer standards) there must be a mechanism that prevents this. Otherwise one searches oneself silly for possible error sources.

1 Like

Could you send me in pm

cat /var/lib/nethserver/secrets/*


1 Like

after final research with @stephdl we have to point out that passwords must not contain a : to be used with the rspamd webpage UI.

many thanks to @stephdl.


Glad that you were able to figure out a solution to this sub or kind of similar looking problem.
However this is not an actual solution to the original problem reported.

I just test installed 7.9.2009 again and updated before installing the mail server and Rspamd to check if the problem still persists and it actually does.

I also double checked on the passwords generated by the installation and they contain only the characters that were pointed out by @stephdl to be valid characters. These are the actual passwords generated by the system:


What the http-admin log error says ?

Hello Stéphane,

Seems like I missed the notification about the reply in my mails.

I just booted up my test Vm for this and checked the “Web Server” “Logs” page, which is what I think you are referring to when you say http-admin logs. If I should be looking somewhere else please just let me know and I will check.

Actually it seems like there is no log entry about this at all (if I am looking at the correct log files). I looked through all that the dropdown menu let me choose from and made sure I really make an access by cleaning the cache and so on.

My assumption here is that the actual HTTP access is a success, which would explain why nothing shows up in the error log and so on.

As described in my OP this is fairly simple to reproduce with a fresh installation and might be easier to investigate locally for someone who is more familiar with the NethServer components/combination.

Nevertheless, if there is something I can provide in terms of information please just let me know and I will try to provide it for further improvements of the NethServer package.


To help find the issue here’s more detailed info on the error:


You don’t have permission to access /rspamd/actions on this server.

jquery-3.5.1.min.js:2 GET https://rspamd:XMv_8G4QcZEBAR7n@ 403 (Forbidden)

And this error logged on /var/log/httpd-admin/error_log explains it:

[rewrite:error] [pid 32170] [client] AH00670: Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also forbidden due to its similar ability to circumvent directory restrictions : /etc/httpd/htdocs, referer:


Sorry @dnutan not sure about, can you reproduce the bug on new nethserver 7.9 from bare installation ?

yes. Not about the password but about the error messages.


Cc @giacomo @davidep it seems a new installation of ns 7.9 probably due to the miss of nethgui the rspamd UI is broken for an apache followsymlinks directive missing see above

Thank @dnutan


After installing nethgui the two errors are gone.