Hi,
So it's not the 2 factor auth plugin then but something in that security hardening file, which does look as though it's quite progressive in its settings. Where did that file come from? Do you understand all the settings and why they have been set in that way?
If it were me I would try commenting out that file and uncommenting sections to see which is causing the trouble.
Andrew.
-----Original Message-----
From: David Mehler
Sent: 12 April 2020 16:02
To: Mailing list for blind system administrators
Subject: [Blind-sysadmins] Re: email server being contrary
Hello,
Thanks for your reply. I do have the 2factor authentication plugin loaded but it is not configured for this user. I'm not getting an error message; it's not pulling up the inbox at all with Chrome. I've commented out the loading of this file and the issue has been resolved. Something in it is preventing Chrome and Firefox from working yet not IE11, which I found contrary.
Thanks.
Dave.
#
# httpd-security.conf:
# Security hardening settings
#
# Disable ETag
# FileETag None doesn't work in all cases.
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
FileETag None
# Unset the server
Header unset Server
# Disable Trace http requests
TraceEnable off
# Set cookie with HttpOnly and Secure flag
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Prevent ClickJacking
# Deny outright
#Header always set X-Frame-Options DENY
# Roundcube needs this for displaying messages in tabs
#Header always set X-Frame-Options SAMEORIGIN
# Prevent Cross Site Scripting (XSS)
#Header set X-XSS-Protection "1; mode=block"
# Prevent Mime Types Security risks
# Enforce MIME types for script and style elements
Header always set X-Content-Type-Options nosniff
# Content-Security-Policy
#Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'"
# Enable Content Security Policy (Level 2)
# Note: script-src and connect-src are not listed, so they inherit
# default-src 'none', and form-action 'none' refuses every form submission;
# a browser that enforces CSP will not run this site's own JavaScript or
# post its forms under this policy.
Header always set Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'"
# Disable Referrer which isn't needed when you don't use authentication
#Header always set Referrer-Policy "no-referrer"
Header always set Referrer-Policy "strict-origin"
# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"
# Referer policy
#Header always set Referrer-Policy "strict-origin"
# expect-ct policy
Header always set Expect-CT 'enforce, max-age=43200'
# Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
# unset the server powered by header
Header unset X-Powered-By
Header always unset X-Powered-By
# Disable HTTP 1.0 protocol
# Note: THE_REQUEST is the raw request line, so this condition also rejects
# HTTP/2 requests (request line ends in HTTP/2.0) with a 403; do not use it
# on a vhost that has h2 enabled.
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]
# For mod security
#<IfModule security3_module>
#Include /usr/local/etc/modsecurity/*.conf
# Load the base Owasp rules
#Include etc/modsecurity/owasp-modsecurity-crs/rules/*.conf
#</IfModule>
# mod_evasive
#<IfModule mod_evasive20.c>
#DOSHashTableSize 3097
#DOSPageCount 2
#DOSSiteCount 50
#DOSPageInterval 1
#DOSSiteInterval 1
#DOSBlockingPeriod 60
#DOSEmailNotify root@davemehler.com
#DOSWhitelist 127.0.0.1
#DOSSystemCommand '/sbin/pfctl -t evasive -T add %s'
#</IfModule>
# Send the CORS header for images when browsers request it.
#
# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.htm...
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
# The opening FilesMatch line was missing from the pasted copy; the pattern
# below is the one from h5bp server-configs-apache, which this section is taken from.
<FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>
# Allow cross-origin access to web fonts.
#
# https://developers.google.com/fonts/docs/troubleshooting
<IfModule mod_headers.c>
# The opening FilesMatch line was missing from the pasted copy; the pattern
# below is the one from h5bp server-configs-apache, which this section is taken from.
<FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
# Serve resources with the proper media types (f.k.a. MIME types).
#
# https://www.iana.org/assignments/media-types/media-types.xhtml
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
<IfModule mod_mime.c>
# Data interchange
AddType application/atom+xml atom
AddType application/json json map topojson
AddType application/ld+json jsonld
AddType application/rss+xml rss
AddType application/geo+json geojson
AddType application/rdf+xml rdf
AddType application/xml xml
# JavaScript
# Servers should use text/javascript for JavaScript resources.
# https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
AddType text/javascript js mjs
# Manifest files
AddType application/manifest+json webmanifest
AddType application/x-web-app-manifest+json webapp
AddType text/cache-manifest appcache
# Media files
AddType audio/mp4 f4a f4b m4a
AddType audio/ogg oga ogg opus
AddType image/bmp bmp
AddType image/svg+xml svg svgz
AddType image/webp webp
AddType video/mp4 f4v f4p m4v mp4
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
# Serving `.ico` image files with a different media type
# prevents Internet Explorer from displaying them as images:
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcd...
AddType image/x-icon cur ico
# WebAssembly
AddType application/wasm wasm
# Web fonts
AddType font/woff woff
AddType font/woff2 woff2
AddType application/vnd.ms-fontobject eot
AddType font/ttf ttf
AddType font/collection ttc
AddType font/otf otf
# Other
AddType application/octet-stream safariextz
AddType application/x-bb-appworld bbaw
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
AddType application/x-xpinstall xpi
AddType text/calendar ics
AddType text/markdown markdown md
AddType text/vcard vcard vcf
AddType text/vnd.rim.location.xloc xloc
AddType text/vtt vtt
AddType text/x-component htc
</IfModule>
# Serve all resources labeled as `text/html` or `text/plain`
# with the media type `charset` parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset
AddDefaultCharset utf-8
# Serve the following file types with the media type `charset`
# parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
<IfModule mod_mime.c>
AddCharset utf-8 .appcache \
.bbaw \
.css \
.htc \
.ics \
.js \
.json \
.manifest \
.map \
.markdown \
.md \
.mjs \
.topojson \
.vtt \
.vcard \
.vcf \
.webmanifest \
.xloc
</IfModule>
# Block access to directories without a default document.
#
# You should leave the following uncommented, as you shouldn't allow
# anyone to surf through every directory on your server (which may
# include rather private places such as the CMS's directories).
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
# A web application uses HTTPS and a URL-based session identifier.
# The web application might wish to link to HTTPS resources on other
# web sites without leaking the user's session identifier in the URL.
#
# This can be done by setting a `Referrer Policy` which
# whitelists trusted sources of content for your website.
#
# To check your referrer policy, you can use an online service
# such as: https://securityheaders.io/.
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
<IfModule mod_headers.c>
# no-referrer-when-downgrade (default)
# This should be the user agent's default behavior if no policy is
# specified. The origin is sent as referrer to a-priori as-much-secure
# destination (HTTPS->HTTPS), but isn't sent to a less secure destination
# (HTTPS->HTTP).
# Note: the directive and its expr condition must be on one line (Apache
# does not continue an argument list across lines without a trailing
# backslash). This file already sets Referrer-Policy "strict-origin" with
# "Header always set" above; this "Header set" acts on the separate
# onsuccess table, so HTML responses end up carrying both values.
Header set Referrer-Policy "no-referrer-when-downgrade" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
</IfModule>
# Compress all output labeled with one of the following media types.
#
# https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbyt...
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/geo+json" \
"application/vnd.ms-fontobject" \
"application/wasm" \
"application/x-font-ttf" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"font/otf" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"text/cache-manifest" \
"text/calendar" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/markdown" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
# Map the following filename extensions to the specified
# encoding type in order to make Apache serve the file types
# with the appropriate `Content-Encoding` response header
# (do note that this will NOT make Apache compress them!).
#
# If these file types would be served without an appropriate
# `Content-Encoding` response header, client applications (e.g.:
# browsers) wouldn't know that they first need to uncompress
# the response, and thus, wouldn't be able to understand the
# content.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
<IfModule mod_mime.c>
AddEncoding gzip svgz
</IfModule>
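Added example (an editor's illustration for readers of the archive, not code from the thread or from Roundcube): a small resolver that reads a Content-Security-Policy value the way a CSP-enforcing browser does, applying the default-src fallback, and reports which fetch directives would block a webmail UI that loads its own same-origin scripts, makes same-origin XHR calls and posts a login form. The two policy strings are copied from the pasted httpd-security.conf (the commented-out one and the active one); the WEBMAIL_NEEDS list is an assumption about what a Roundcube-style page requires, not taken from Roundcube's own documentation. The check is relevant to the browser difference in the thread because IE11 does not enforce the standard Content-Security-Policy header at all (it only recognises the older X-Content-Security-Policy form with a sandbox directive), so a policy that blocks a page's own scripts in Chrome and Firefox leaves IE11 untouched.

```python
"""Effective Content-Security-Policy resolver (added example, not part of the thread).

Parses a CSP header value, applies the default-src fallback that the CSP
specification defines for fetch directives, and reports which directives
would block a same-origin webmail page in a browser that enforces CSP.
"""

# Policies copied verbatim from the pasted httpd-security.conf.
COMMENTED_POLICY = ("default-src 'self'; script-src 'self'; connect-src 'self'; "
                    "img-src 'self'; style-src 'self'; frame-ancestors 'self'")
ACTIVE_POLICY = ("default-src 'none'; img-src 'self'; style-src 'self'; "
                 "font-src 'self'; base-uri 'none'; frame-ancestors 'none'; "
                 "form-action 'none'")

# Fetch directives that fall back to default-src when they are absent.
FALLBACK_TO_DEFAULT = (
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
)

# Assumed needs of a same-origin webmail UI (hypothetical list, not Roundcube's).
WEBMAIL_NEEDS = {
    "script-src": "same-origin JavaScript (the UI is unusable without it)",
    "connect-src": "same-origin XHR/fetch (folder list, message loading)",
    "style-src": "same-origin stylesheets",
    "img-src": "same-origin images",
    "font-src": "same-origin web fonts",
    "form-action": "POSTing the login form to the same origin",
}


def parse_csp(header_value):
    """Parse a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';'. When a directive is repeated the first
    occurrence wins and later ones are ignored, as the specification requires.
    """
    policy = {}
    for token in header_value.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy, directive):
    """Return the source list that governs `directive`.

    Fetch directives inherit default-src when absent; directives such as
    form-action, base-uri and frame-ancestors never fall back. None means
    the directive is unrestricted.
    """
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def allows_self(sources):
    """True if a source list permits same-origin loads.

    Only 'self' and '*' are recognised here; an explicit host expression that
    happens to equal the page's own origin would also allow it in a real
    browser, but that cannot be judged without knowing the origin.
    """
    if sources is None:
        return True
    return any(s in ("'self'", "*") for s in sources)


def webmail_blocked_by(header_value):
    """List the directives under which a same-origin webmail UI would be blocked."""
    policy = parse_csp(header_value)
    return [d for d in WEBMAIL_NEEDS
            if not allows_self(effective_sources(policy, d))]


def report(header_value):
    """Human-readable summary of what a CSP-enforcing browser would refuse."""
    lines = []
    policy = parse_csp(header_value)
    for directive, why in WEBMAIL_NEEDS.items():
        src = effective_sources(policy, directive)
        verdict = "ok" if allows_self(src) else "BLOCKED"
        origin = "explicit" if directive in policy else "via default-src" if src else "unset"
        lines.append(f"{directive:15s} {verdict:8s} {src} ({origin}) - {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Commented-out policy:\n" + report(COMMENTED_POLICY) + "\n")
    print("Active policy:\n" + report(ACTIVE_POLICY))
```

Run it as-is and the active policy shows script-src and connect-src blocked through the default-src 'none' fallback and form-action blocked explicitly, while the commented-out policy blocks nothing; the same functions can be pointed at any other CSP string before it goes into the Header directive.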
On 4/12/20, Andrew Hodgson wrote:
Hi,
Are you using this plugin:
https://plugins.roundcube.net/packages/alexandregz/twofactor_gauthenticator
I don't think it's to do with SSL because technically the login can
operate without SSL (the 2fa step is just an extra step and transport
security isn't an issue). Having said that there may be a potential
issue if your web server is directing you to a non-HTTPS link for a
.JS file or similar, Chrome really hates this.
You could test this by turning off SSL and logging in with a test
password to see if that works.
Are you sure the clock is synchronised on client and server devices as
that is usually where trouble occurs. I take it on Chrome when
logging in you just get access denied or are you not getting the Webmail session at all?
Andrew.
-----Original Message-----
From: David Mehler
Sent: 12 April 2020 03:23
To: blind-sysadmins
Subject: [Blind-sysadmins] email server being contrary
Hello,
This is to anyone who has setup and operates their own email server
rather than relying on a cloud provider. If you do can you email me privately?
I've got an email server that is being contrary. It runs Dovecot for
IMAP, Postfix for SMTP, Apache as webserver, and Roundcube as an email frontend.
The short version is about two days ago about the same time as I put
in the google two factor authentication plugin for roundcube the
latest version of Chrome and just found out Firefox latest will no
longer log in. I don't see anything in the logs it's as if there is no
login attempts at all. The problem I am having with this and the
contrary part of this is that IE11 works just fine, logs in great.
It is quite perplexing.
Please suggestions welcome.
Thanks.
Dave.
_______________________________________________
Blind-sysadmins mailing list --
blind-sysadmins@lists.hodgsonfamily.org
To unsubscribe send an email to
blind-sysadmins-leave@lists.hodgsonfamily.org