Articles in this section

Webmail is not working on a Plesk server when ModSecurity with OWASP or Comodo rule set is enabled: Error when communicating with the server

Gabriel Aznarez
Updated
kb: technical Plesk Obsidian for Linux ABT: Group A

Applicable to:

  • Plesk Obsidian for Linux

Symptoms

  • When sending or replying to an email via Roundcube/Horde webmail, the operation is spinning with "Sending message..." or fails with one of the following errors:

    PLESK_ERROR: Forbidden
    You don't have permission to access /imp/compose.php on this server

    PLESK_ERROR: Error when communicating with the server

  • OWASP or Comodo ModSecurity rule set is selected in Plesk at Tools & Settings > Web Application Firewall (ModSecurity) > Settings.

  • One of the following error messages is logged in /var/log/modsec_audit.log:

    CONFIG_TEXT: [error] [client 203.0.113.2] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "70"] [msg "Multipart parser detected a possible unmatched boundary."] ...

    CONFIG_TEXT: [client 203.0.113.2] ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/modsecurity_crs-plesk/modsecurity_crs_41_sql_injection_attacks.conf"] [line "209"] [id "981257"] ..., referer: http://webmail.example.com/imp/dynamic.php?page=mailbox

    CONFIG_TEXT: [client 203.0.113.2] ModSecurity: Warning. Pattern match ...

Cause

ModSecurity Web Application Firewall is enabled with a strict rule set such as OWASP, Comodo or a custom rule set from Imunify360. These rule sets may block some webmail features.

Resolution

  1. Log in to Plesk.

  2. Go to Tools & Settings > Web Application Firewall (ModSecurity).

  3. Depending on the used webmail and ModSecurity rule-set, apply the required solution:

    Note: If both Roundcube and Horde are affected - apply the required solutions for each webmail.

    For Horde webmail and OWASP rule set

    1. Switch to the Settings tab.

    2. Add the lines below to the Custom directives field:

      CONFIG_TEXT: <LocationMatch "/horde/imp/compose.php">
      SecRuleRemoveById 981231
      SecRuleRemoveById 958125
      SecRuleRemoveById 950005
      SecRuleRemoveById 959914
      SecRuleRemoveById 981257
      SecRuleRemoveById 981260
      SecRuleRemoveById 48
      SecRuleRemoveById 49
      SecRuleRemoveById 50
      SecRuleRemoveById 51
      SecRuleRemoveById 52
      SecRuleRemoveById 53
      SecRuleRemoveById 54
      SecRuleRemoveById 55
      SecRuleRemoveById 56
      SecRuleRemoveById 57
      SecRuleRemoveById 58
      SecRuleRemoveById 59
      SecRuleRemoveById 60
      SecRuleRemoveById 61
      SecRuleRemoveById 62
      SecRuleRemoveById 63
      SecRuleRemoveById 64
      SecRuleRemoveById 65
      SecRuleRemoveById 66
      SecRuleRemoveById 67
      SecRuleRemoveById 68
      SecRuleRemoveById 69
      SecRuleRemoveById 70
      SecRuleRemoveById 71
      SecRuleRemoveById 72
      SecRuleRemoveById 73
      SecRuleRemoveById 74
      </LocationMatch>
      <LocationMatch "/services/ajax.php/imp">
      SecRuleRemoveById 958291
      SecRuleRemoveById 981257
      SecRuleRemoveById 958291
      SecRuleRemoveById 981245
      SecRuleRemoveById 981173
      SecRuleRemoveById 981246
      SecRuleRemoveById 981243
      SecRuleRemoveById 33350147
      </LocationMatch>

    3. Click Apply.

    For Horde webmail and Comodo rule set

    1. Switch to the General tab.

    2. Find the CWAF tag in the Active list and click on it to disable.

    3. Click Apply.

      Note: If the issue still occurs, apply the resolution from the "For Horde webmail and OWASP ModSecurity rule set" article section as well.

    For Roundcube webmail and OWASP rule set

    1. Switch to the Settings tab.

    2. Add the lines below to the Custom directives field:

      CONFIG_TEXT: <LocationMatch "/roundcube/">
      SecRuleEngine Off
      </LocationMatch>

    3. Press the Apply button.

    Note: If the issue still occurs, consider to disable the rule from the logs by its ID e.g. "981257" using the next section as an example or by applying this instructions

    For Roundcube webmail and Comodo rule set

    1. Switch to the General tab.

    2. Go to Switch off security rules section and add these IDs each on new line:

      • 212880

      • 217280

      • 212740

    3. Click Apply.

Was this article helpful?

Comments

1 comment
Date Votes
  • Avatar
    acos_atom
    (Edited )

    Just to provide some more information.

    In PleskObsidian 18.0.52 with the default COMODO (Free) rules, Roundcube gives this error but the affected rule is [id "212340"], that is triggered by sending a simple html email.

    Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "<!--" at ARGS:_message. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/07_XSS_XSS.conf"] [line "56"] [id "212340"] [rev "5"] [msg "COMODO WAF: Cross-site Scripting (XSS) Attack||webmail.example.com|F|2"] [data "Matched Data: <!-- found within ARGS:_message: <div id=\\\\x22wrapper\\\\x22 dir=\\\\x22ltr\\\\x22 style=\\\\x22background-color: #f7f7f7; margin: 0; padding: 70px 0; width: 100%; -webkit-text-size-adjust: none;\\\\x22> <table border=\\\\x220\\\\x22 width=\\\\x22100%\\\\x22 cellspacing=\\\\x220\\\\x22 cellpadding=\\\\x220\\\\x22> <tbody> <tr> <td align=\\\\x22center\\\\x22 valign=\\\\x22top\\\\x22> <div id=\\\\x22template_header_image\\\\x22></div> <table id=\\\\x22template_container\\\\x22 style=\\\\x22background-color: #ffffff; border: 1px solid #dedede; box-shadow: 0 1..."] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "webmail.example.com"] [uri "/roundcube/index.php"] [unique_id "ZFOCe-UVZmIZ45HYQutUFAAAAMo"]
    1

Please sign in to leave a comment.