Webmail is not working on Plesk server: Error when communicating with the server

Symptoms

• Unable to send an email via Horde or/and Roundcube webmails due to one of the following errors:

  PLESK_ERROR: Forbidden
  You don’t have permission to access /imp/compose.php on this server

  ---

  PLESK_ERROR: Error when communicating with the server

• It’s not possible to send a reply, it hangs on:

  Sending message...

• OWASP or Comodo ModSecurity rule set is used.

• Horde and Roundcube webmails work properly when ModSecurity is disabled at the Plesk > Tools & Settings > Web Application Firewall (ModSecurity) page.

• ModSecurity is set to Run rules on Apache.

  

Cause

Strict ModSecurity rules like OWASP or Comodo prevent Horde or/and Roundcube webmails work properly.

Resolution

1. Log into Plesk.

2. Go to the Plesk > Tools & Settings > Web Application Firewall (ModSecurity) page.

3. Depending on the used webmail and ModSecurity rule set, apply the required solution:

   Note: if both Roundcube and Horde are affected – apply the required solutions for each webmail.

   For Horde webmail and OWASP ModSecurity ruleset

   1. Navigate to the Settings tab.

   2. Add the next rows to the Custom directives field:

      <LocationMatch "/horde/imp/compose.php">
      SecRuleRemoveById 981231
      SecRuleRemoveById 958125
      SecRuleRemoveById 950005
      SecRuleRemoveById 959914
      SecRuleRemoveById 981257
      SecRuleRemoveById 981260
      SecRuleRemoveById 48
      SecRuleRemoveById 49
      SecRuleRemoveById 50
      SecRuleRemoveById 51
      SecRuleRemoveById 52
      SecRuleRemoveById 53
      SecRuleRemoveById 54
      SecRuleRemoveById 55
      SecRuleRemoveById 56
      SecRuleRemoveById 57
      SecRuleRemoveById 58
      SecRuleRemoveById 59
      SecRuleRemoveById 60
      SecRuleRemoveById 61
      SecRuleRemoveById 62
      SecRuleRemoveById 63
      SecRuleRemoveById 64
      SecRuleRemoveById 65
      SecRuleRemoveById 66
      SecRuleRemoveById 67
      SecRuleRemoveById 68
      SecRuleRemoveById 69
      SecRuleRemoveById 70
      SecRuleRemoveById 71
      SecRuleRemoveById 72
      SecRuleRemoveById 73
      SecRuleRemoveById 74
      </LocationMatch>
      <LocationMatch "/services/ajax.php/imp">
      SecRuleRemoveById 958291
      SecRuleRemoveById 981257
      SecRuleRemoveById 958291
      SecRuleRemoveById 981245
      SecRuleRemoveById 981173
      SecRuleRemoveById 981246
      SecRuleRemoveById 981243
      SecRuleRemoveById 33350147
      </LocationMatch>

   3. Press the Apply button.

   For Horde webmail and Comodo ModSecurity ruleset

   1. Navigate to the General tab.

   2. Find the CWAF tag in the Active list and click it to disable.

   3. Press the Apply button.

   4. If the issue still occurs, apply the resolution from the “For Horde webmail and OWASP ModSecurity rule set” article section as well.

   For Roundcube webmail and OWASP ModSecurity ruleset

   1. Navigate to the Settings tab.

   2. Add the next rows to the Custom directives field:

      <LocationMatch "/roundcube/">
      SecRuleEngine Off
      </LocationMatch>

   3. Press the Apply button.

   For Roundcube webmail and Comodo ModSecurity ruleset

   1. Navigate to the General tab.

   2. Go to Switch off security rules section and add the ID 212880 in the Security rule IDs text box

      

   3. Press the Apply button.