Symptoms
-
When sending or replying to an email via Roundcube/Horde webmail, the operation is spinning with "Sending message..." or fails with one of the following errors:
Forbidden
You don't have permission to access /imp/compose.php on this server
Error when communicating with the server
-
OWASP or Comodo ModSecurity rule set is selected in Plesk at Tools & Settings > Web Application Firewall (ModSecurity) > Settings.
-
One of the following error messages is logged in
/var/log/modsec_audit.log:[error] [client 203.0.113.2] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "70"] [msg "Multipart parser detected a possible unmatched boundary."] ...
[client 203.0.113.2] ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/modsecurity_crs-plesk/modsecurity_crs_41_sql_injection_attacks.conf"] [line "209"] [id "981257"] ..., referer: http://webmail.example.com/imp/dynamic.php?page=mailbox
[client 203.0.113.2] ModSecurity: Warning. Pattern match ...
Cause
ModSecurity Web Application Firewall is enabled with a strict rule set such as OWASP, Comodo or a custom rule set from Imunify360. These rule sets may block some webmail features.
Resolution
-
Go to Tools & Settings > Web Application Firewall (ModSecurity).
-
Depending on the used webmail and ModSecurity rule-set, apply the required solution:
Note: If both Roundcube and Horde are affected - apply the required solutions for each webmail.
For Horde webmail and OWASP rule set
-
Switch to the Settings tab.
-
Add the lines below to the Custom directives field:
<LocationMatch "/horde/imp/compose.php">
SecRuleRemoveById 981231
SecRuleRemoveById 958125
SecRuleRemoveById 950005
SecRuleRemoveById 959914
SecRuleRemoveById 981257
SecRuleRemoveById 981260
SecRuleRemoveById 48
SecRuleRemoveById 49
SecRuleRemoveById 50
SecRuleRemoveById 51
SecRuleRemoveById 52
SecRuleRemoveById 53
SecRuleRemoveById 54
SecRuleRemoveById 55
SecRuleRemoveById 56
SecRuleRemoveById 57
SecRuleRemoveById 58
SecRuleRemoveById 59
SecRuleRemoveById 60
SecRuleRemoveById 61
SecRuleRemoveById 62
SecRuleRemoveById 63
SecRuleRemoveById 64
SecRuleRemoveById 65
SecRuleRemoveById 66
SecRuleRemoveById 67
SecRuleRemoveById 68
SecRuleRemoveById 69
SecRuleRemoveById 70
SecRuleRemoveById 71
SecRuleRemoveById 72
SecRuleRemoveById 73
SecRuleRemoveById 74
</LocationMatch>
<LocationMatch "/services/ajax.php/imp">
SecRuleRemoveById 958291
SecRuleRemoveById 981257
SecRuleRemoveById 958291
SecRuleRemoveById 981245
SecRuleRemoveById 981173
SecRuleRemoveById 981246
SecRuleRemoveById 981243
SecRuleRemoveById 33350147
</LocationMatch> -
Click Apply.
For Horde webmail and Comodo rule set
-
Switch to the General tab.
-
Find the CWAF tag in the Active list and click on it to disable.
-
Click Apply.
Note: If the issue still occurs, apply the resolution from the "For Horde webmail and OWASP ModSecurity rule set" article section as well.
For Roundcube webmail and OWASP rule set
-
Switch to the Settings tab.
-
Add the lines below to the Custom directives field:
<LocationMatch "/roundcube/">
SecRuleEngine Off
</LocationMatch> -
Press the Apply button.
Note: If the issue still occurs, consider to disable the rule from the logs by its ID e.g. "981257" using the next section as an example or by applying this instructions
For Roundcube webmail and Comodo rule set
-
Switch to the General tab.
-
Go to Switch off security rules section and add these IDs each on new line:
-
212880
-
217280
-
212740
-
-
Click Apply.
-