Hello,
Thanks for your reply. I do have the 2-factor authentication plugin
loaded but it is not configured for this user. I'm not getting an error
message; it's not pulling up the inbox at all with Chrome. I've
commented out the loading of this file and the issue has been
resolved. Something in it is preventing Chrome and Firefox from
working yet not IE11, which I found contrary.
Thanks.
Dave.
#
# httpd-security.conf:
# Security hardening settings
#
# Disable ETag
# FileETag None doesn't work in all cases.
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
FileETag None
# Unset the server
# Note: mod_headers cannot remove Apache's own Server header, because the core
# adds it after the output filters run; use ServerTokens Prod (reduces it to
# "Apache") and ServerSignature Off instead.
Header unset Server
# Disable Trace http requests
TraceEnable off
# Set cookie with HttpOnly and Secure flag
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Prevent ClickJacking
# Deny outright
#Header always set X-Frame-Options DENY
# Roundcube needs this for displaying messages in tabs
#Header always set X-Frame-Options SAMEORIGIN
# Prevent Cross Site Scripting (XSS)
#Header set X-XSS-Protection "1; mode=block"
# Prevent Mime Types Security risks
# Enforce MIME types for script and style elements
Header always set X-Content-Type-Options nosniff
# Content-Security-Policy
#Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'"
# Enable Content Security Policy (Level 2)
# Note: with default-src 'none' and no script-src or connect-src, scripts and
# XMLHttpRequest fall back to 'none', and form-action 'none' blocks every form
# submission, including the login form. Chrome and Firefox enforce this header;
# IE11 does not support the Content-Security-Policy header, so it is unaffected.
Header always set Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'"
# Disable Referrer which isn't needed when you don't use authentication
#Header always set Referrer-Policy "no-referrer"
Header always set Referrer-Policy "strict-origin"
# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"
# Referer policy
#Header always set Referrer-Policy "strict-origin"
# expect-ct policy
Header always set Expect-CT 'enforce, max-age=43200'
# Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
# unset the server powered by header
Header unset X-Powered-By
Header always unset X-Powered-By
# Disable HTTP 1.0 protocol
# Note: THE_REQUEST ends in "HTTP/2.0" for HTTP/2 clients, so this rule also
# rejects HTTP/2 requests when mod_http2 is enabled.
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]
# For mod security
#<IfModule security3_module>
#Include /usr/local/etc/modsecurity/*.conf
# Load the base Owasp rules
#Include etc/modsecurity/owasp-modsecurity-crs/rules/*.conf
#</IfModule>
# mod_evasive
#<IfModule mod_evasive20.c>
#DOSHashTableSize 3097
#DOSPageCount 2
#DOSSiteCount 50
#DOSPageInterval 1
#DOSSiteInterval 1
#DOSBlockingPeriod 60
#DOSEmailNotify root@davemehler.com
#DOSWhitelist 127.0.0.1
#DOSSystemCommand '/sbin/pfctl -t evasive -T add %s'
#</IfModule>
# Send the CORS header for images when browsers request it.
#
# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.htm...
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
# The opening <FilesMatch> tag was missing from the posted copy; the image
# extension pattern below is the usual one for this block and is assumed here.
<FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>
# Allow cross-origin access to web fonts.
#
# https://developers.google.com/fonts/docs/troubleshooting
<IfModule mod_headers.c>
# The opening <FilesMatch> tag was missing from the posted copy; the font
# extension pattern below is assumed.
<FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
# Serve resources with the proper media types (f.k.a. MIME types).
#
# https://www.iana.org/assignments/media-types/media-types.xhtml
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
<IfModule mod_mime.c>
# Data interchange
AddType application/atom+xml atom
AddType application/json json map topojson
AddType application/ld+json jsonld
AddType application/rss+xml rss
AddType application/geo+json geojson
AddType application/rdf+xml rdf
AddType application/xml xml
# JavaScript
# Servers should use text/javascript for JavaScript resources.
# https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
AddType text/javascript js mjs
# Manifest files
AddType application/manifest+json webmanifest
AddType application/x-web-app-manifest+json webapp
AddType text/cache-manifest appcache
# Media files
AddType audio/mp4 f4a f4b m4a
AddType audio/ogg oga ogg opus
AddType image/bmp bmp
AddType image/svg+xml svg svgz
AddType image/webp webp
AddType video/mp4 f4v f4p m4v mp4
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
# Serving `.ico` image files with a different media type
# prevents Internet Explorer from displaying them as images:
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcd...
AddType image/x-icon cur ico
# WebAssembly
AddType application/wasm wasm
# Web fonts
AddType font/woff woff
AddType font/woff2 woff2
AddType application/vnd.ms-fontobject eot
AddType font/ttf ttf
AddType font/collection ttc
AddType font/otf otf
# Other
AddType application/octet-stream safariextz
AddType application/x-bb-appworld bbaw
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
AddType application/x-xpinstall xpi
AddType text/calendar ics
AddType text/markdown markdown md
AddType text/vcard vcard vcf
AddType text/vnd.rim.location.xloc xloc
AddType text/vtt vtt
AddType text/x-component htc
</IfModule>
# Serve all resources labeled as `text/html` or `text/plain`
# with the media type `charset` parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset
AddDefaultCharset utf-8
# Serve the following file types with the media type `charset`
# parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
<IfModule mod_mime.c>
AddCharset utf-8 .appcache \
.bbaw \
.css \
.htc \
.ics \
.js \
.json \
.manifest \
.map \
.markdown \
.md \
.mjs \
.topojson \
.vtt \
.vcard \
.vcf \
.webmanifest \
.xloc
</IfModule>
# Block access to directories without a default document.
#
# You should leave the following uncommented, as you shouldn't allow
# anyone to surf through every directory on your server (which may
# include rather private places such as the CMS's directories).
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
# A web application uses HTTPS and a URL-based session identifier.
# The web application might wish to link to HTTPS resources on other
# web sites without leaking the user's session identifier in the URL.
#
# This can be done by setting a `Referrer Policy` which
# whitelists trusted sources of content for your website.
#
# To check your referrer policy, you can use an online service
# such as: https://securityheaders.io/.
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
<IfModule mod_headers.c>
# no-referrer-when-downgrade (default)
# This should be the user agent's default behavior if no policy is
# specified. The origin is sent as referrer to an a-priori as-much-secure
# destination (HTTPS->HTTPS), but isn't sent to a less secure destination
# (HTTPS->HTTP).
# Note: this adds a second Referrer-Policy header on HTML responses next to
# the "Header always set Referrer-Policy strict-origin" above; browsers keep
# the last valid value they see, so keep only one of the two.
Header set Referrer-Policy "no-referrer-when-downgrade" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
</IfModule>
# Compress all output labeled with one of the following media types.
#
# https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbyt...
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/geo+json" \
"application/vnd.ms-fontobject" \
"application/wasm" \
"application/x-font-ttf" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"font/otf" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"text/cache-manifest" \
"text/calendar" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/markdown" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
# Map the following filename extensions to the specified
# encoding type in order to make Apache serve the file types
# with the appropriate `Content-Encoding` response header
# (do note that this will NOT make Apache compress them!).
#
# If these file types were served without an appropriate
# `Content-Encoding` response header, client applications (e.g.
# browsers) wouldn't know that they first need to uncompress
# the response, and thus wouldn't be able to understand the
# content.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
<IfModule mod_mime.c>
AddEncoding gzip svgz
</IfModule>
On 4/12/20, Andrew Hodgson wrote:
Hi,
Are you using this plugin:
https://plugins.roundcube.net/packages/alexandregz/twofactor_gauthenticator
I don't think it's to do with SSL because technically the login can operate
without SSL (the 2FA step is just an extra step and transport security isn't
an issue). Having said that, there may be a potential issue if your web
server is directing you to a non-HTTPS link for a .JS file or similar;
Chrome really hates this.
You could test this by turning off SSL and logging in with a test password
to see if that works.
Are you sure the clock is synchronised on client and server devices, as that
is usually where trouble occurs? I take it on Chrome when logging in you
just get access denied, or are you not getting the Webmail session at all?
Andrew.
-----Original Message-----
From: David Mehler
Sent: 12 April 2020 03:23
To: blind-sysadmins
Subject: [Blind-sysadmins] email server being contrary
Hello,
This is to anyone who has setup and operates their own email server rather
than relying on a cloud provider. If you do can you email me privately?
I've got an email server that is being contrary. It runs Dovecot for IMAP,
Postfix for SMTP, Apache as webserver, and Roundcube as an email frontend.
The short version is that about two days ago, around the same time I put in the
Google two-factor authentication plugin for Roundcube, the latest version of
Chrome (and, I just found out, the latest Firefox) will no longer log in. I don't see
anything in the logs; it's as if there are no login attempts at all. The
problem I am having with this, and the contrary part of this, is that IE11
works just fine, logs in great.
It is quite perplexing.
Suggestions welcome, please.
Thanks.
Dave.
_______________________________________________
Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org
To unsubscribe send an email to
blind-sysadmins-leave@lists.hodgsonfamily.org