Symptoms
-
Unable to send an email via Horde and/or Roundcube webmail due to one of the following errors:
PLESK_ERROR: Forbidden
You don’t have permission to access /imp/compose.php on this server
PLESK_ERROR: Error when communicating with the server
-
It’s not possible to send a reply; it hangs on:
Sending message...
-
OWASP or Comodo ModSecurity rule set is used.
-
Horde and Roundcube webmails work properly when ModSecurity is disabled at the Plesk > Tools & Settings > Web Application Firewall (ModSecurity) page.
-
ModSecurity is set to Run rules on Apache.
Cause
Strict ModSecurity rule sets like OWASP or Comodo prevent Horde and/or Roundcube webmail from working properly.
Resolution
-
Go to the Plesk > Tools & Settings > Web Application Firewall (ModSecurity) page.
-
Depending on the webmail and ModSecurity rule set in use, apply the required solution:
Note: if both Roundcube and Horde are affected, apply the required solution for each webmail.
For Horde webmail and OWASP ModSecurity ruleset
-
Navigate to the Settings tab.
-
Add the following lines to the Custom directives field:
<LocationMatch "/horde/imp/compose.php">
SecRuleRemoveById 981231
SecRuleRemoveById 958125
SecRuleRemoveById 950005
SecRuleRemoveById 959914
SecRuleRemoveById 981257
SecRuleRemoveById 981260
SecRuleRemoveById 48
SecRuleRemoveById 49
SecRuleRemoveById 50
SecRuleRemoveById 51
SecRuleRemoveById 52
SecRuleRemoveById 53
SecRuleRemoveById 54
SecRuleRemoveById 55
SecRuleRemoveById 56
SecRuleRemoveById 57
SecRuleRemoveById 58
SecRuleRemoveById 59
SecRuleRemoveById 60
SecRuleRemoveById 61
SecRuleRemoveById 62
SecRuleRemoveById 63
SecRuleRemoveById 64
SecRuleRemoveById 65
SecRuleRemoveById 66
SecRuleRemoveById 67
SecRuleRemoveById 68
SecRuleRemoveById 69
SecRuleRemoveById 70
SecRuleRemoveById 71
SecRuleRemoveById 72
SecRuleRemoveById 73
SecRuleRemoveById 74
</LocationMatch>
<LocationMatch "/services/ajax.php/imp">
SecRuleRemoveById 958291
SecRuleRemoveById 981257
SecRuleRemoveById 958291
SecRuleRemoveById 981245
SecRuleRemoveById 981173
SecRuleRemoveById 981246
SecRuleRemoveById 981243
SecRuleRemoveById 33350147
</LocationMatch>
-
Press the Apply button.
For Horde webmail and Comodo ModSecurity ruleset
-
Navigate to the General tab.
-
Find the CWAF tag in the Active list and click it to disable it.
-
Press the Apply button.
-
If the issue still occurs, apply the resolution from the “For Horde webmail and OWASP ModSecurity rule set” article section as well.
For Roundcube webmail and OWASP ModSecurity ruleset
-
Navigate to the Settings tab.
-
Add the following lines to the Custom directives field:
<LocationMatch "/roundcube/">
SecRuleEngine Off
</LocationMatch>
-
Press the Apply button.
For Roundcube webmail and Comodo ModSecurity ruleset
-
Navigate to the General tab.
-
Go to the Switch off security rules section and add the ID 212880 to the Security rule IDs text box.
-
Press the Apply button.
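To check which rule IDs are actually logged against the webmail paths on a given server, so that the per-path exclusions above can be limited to the rules that fire, the following added example (not part of the original article) parses ModSecurity entries from Apache error-log text and renders a LocationMatch block per URI. The log lines are constructed samples, the association of rule ID 981245 with /roundcube/ is made up for the sample, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in ModSecurity 2.x Apache error-log style (not real traffic).
SAMPLE_LOG = """\
[Tue Mar 06 10:15:01 2018] [:error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [id "981231"] [msg "constructed"] [hostname "webmail.example.com"] [uri "/horde/imp/compose.php"]
[Tue Mar 06 10:15:02 2018] [:error] [client 203.0.113.10] ModSecurity: Warning. Pattern match at ARGS:message. [id "950005"] [msg "constructed"] [hostname "webmail.example.com"] [uri "/horde/imp/compose.php"]
[Tue Mar 06 10:15:09 2018] [:error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [id "981231"] [msg "constructed"] [hostname "webmail.example.com"] [uri "/horde/imp/compose.php"]
[Tue Mar 06 10:16:30 2018] [:error] [client 203.0.113.11] ModSecurity: Access denied with code 403 (phase 2). [id "981245"] [msg "constructed"] [hostname "webmail.example.com"] [uri "/roundcube/"]
[Tue Mar 06 10:17:44 2018] [:error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [id "950005"] [msg "constructed"] [hostname "example.com"] [uri "/wp-login.php"]
[Tue Mar 06 10:18:00 2018] [core:notice] AH00094: Command line: '/usr/sbin/httpd'
"""

ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')
WEBMAIL_PREFIXES = ("/horde/", "/roundcube/")  # paths used in the article's directives


def rule_ids_by_uri(log_text, prefixes=WEBMAIL_PREFIXES):
    """Map each webmail URI to the set of rule IDs logged against it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # unrelated Apache entry
        # Warnings are kept too: with anomaly scoring the matching rule only warns.
        rule, uri = ID_RE.search(line), URI_RE.search(line)
        if rule and uri and uri.group(1).startswith(tuple(prefixes)):
            hits[uri.group(1)].add(int(rule.group(1)))
    return dict(hits)


def location_blocks(hits):
    """Render one LocationMatch block per URI listing only the observed IDs."""
    out = []
    for uri in sorted(hits):
        out.append('<LocationMatch "%s">' % uri)
        out.extend("SecRuleRemoveById %d" % rule for rule in sorted(hits[uri]))
        out.append("</LocationMatch>")
    return "\n".join(out)


if __name__ == "__main__":
    print(location_blocks(rule_ids_by_uri(SAMPLE_LOG)))
```

Review the generated IDs before pasting them into the Custom directives field; entries for paths outside the webmail prefixes are ignored.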