Knowledge Base

Webmail is not working on a Plesk server when ModSecurity with OWASP or Comodo rule set is enabled: Error when communicating with the server

Symptoms

When sending or replying to an email via Roundcube/Horde webmail, the operation is spinning with "Sending message..." or fails with one of the following errors:

Forbidden
You don't have permission to access /imp/compose.php on this server

Error when communicating with the server
OWASP or Comodo ModSecurity rule set is selected in Plesk at Tools & Settings > Web Application Firewall (ModSecurity) > Settings.
One of the following error messages is logged in /var/log/modsec_audit.log:

[error] [client 203.0.113.2] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "70"] [msg "Multipart parser detected a possible unmatched boundary."] ...

[client 203.0.113.2] ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/modsecurity_crs-plesk/modsecurity_crs_41_sql_injection_attacks.conf"] [line "209"] [id "981257"] ..., referer: http://webmail.example.com/imp/dynamic.php?page=mailbox

[client 203.0.113.2] ModSecurity: Warning. Pattern match ...

Cause

ModSecurity Web Application Firewall is enabled with a strict rule set such as OWASP, Comodo or a custom rule set from Imunify360. These rule sets may block some webmail features.

Resolution

Log in to Plesk.
Go to Tools & Settings > Web Application Firewall (ModSecurity).
Depending on the used webmail and ModSecurity rule-set, apply the required solution:

Note: If both Roundcube and Horde are affected - apply the required solutions for each webmail.
For Horde webmail and OWASP rule set
1. Switch to the Settings tab.
2. Add the lines below to the Custom directives field:
  
  <LocationMatch "/horde/imp/compose.php">
  SecRuleRemoveById 981231
  SecRuleRemoveById 958125
  SecRuleRemoveById 950005
  SecRuleRemoveById 959914
  SecRuleRemoveById 981257
  SecRuleRemoveById 981260
  SecRuleRemoveById 48
  SecRuleRemoveById 49
  SecRuleRemoveById 50
  SecRuleRemoveById 51
  SecRuleRemoveById 52
  SecRuleRemoveById 53
  SecRuleRemoveById 54
  SecRuleRemoveById 55
  SecRuleRemoveById 56
  SecRuleRemoveById 57
  SecRuleRemoveById 58
  SecRuleRemoveById 59
  SecRuleRemoveById 60
  SecRuleRemoveById 61
  SecRuleRemoveById 62
  SecRuleRemoveById 63
  SecRuleRemoveById 64
  SecRuleRemoveById 65
  SecRuleRemoveById 66
  SecRuleRemoveById 67
  SecRuleRemoveById 68
  SecRuleRemoveById 69
  SecRuleRemoveById 70
  SecRuleRemoveById 71
  SecRuleRemoveById 72
  SecRuleRemoveById 73
  SecRuleRemoveById 74
  </LocationMatch>
  <LocationMatch "/services/ajax.php/imp">
  SecRuleRemoveById 958291
  SecRuleRemoveById 981257
  SecRuleRemoveById 958291
  SecRuleRemoveById 981245
  SecRuleRemoveById 981173
  SecRuleRemoveById 981246
  SecRuleRemoveById 981243
  SecRuleRemoveById 33350147
  </LocationMatch>
3. Click Apply.
For Horde webmail and Comodo rule set
1. Switch to the General tab.
2. Find the CWAF tag in the Active list and click on it to disable.
3. Click Apply.
  
  Note: If the issue still occurs, apply the resolution from the "For Horde webmail and OWASP ModSecurity rule set" article section as well.
For Roundcube webmail and OWASP rule set
1. Switch to the Settings tab.
2. Add the lines below to the Custom directives field:
  
  <LocationMatch "/roundcube/">
  SecRuleEngine Off
  </LocationMatch>
3. Press the Apply button.
Note: If the issue still occurs, consider to disable the rule from the logs by its ID e.g. "981257" using the next section as an example or by applying this instructions
For Roundcube webmail and Comodo rule set
1. Switch to the General tab.
2. Go to Switch off security rules section and add these IDs each on new line:
  - 212880
  - 217280
  - 212740
3. Click Apply.