Hello,

Thanks for your reply. I do have the 2-factor authentication plugin loaded, but it is not configured for this user. I'm not getting an error message; it's not pulling up the inbox at all with Chrome. I've commented out the loading of this file and the issue has been resolved. Something in it is preventing Chrome and Firefox from working, yet not IE11, which I found contrary.

Thanks.
Dave.

#
# httpd-security.conf:
# Security hardening settings
#

# Disable ETag
# FileETag None doesn't work in all cases.
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>
FileETag None

# Unset the server
Header unset Server

# Disable Trace http requests
TraceEnable off

# Set cookie with HttpOnly and Secure flag
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# Prevent ClickJacking
# Deny outright
#Header always set X-Frame-Options DENY
# Roundcube needs this for displaying messages in tabs
#Header always set X-Frame-Options SAMEORIGIN

# Prevent Cross Site Scripting (XSS)
#Header set X-XSS-Protection "1; mode=block"

# Prevent Mime Types Security risks
# Enforce MIME types for script and style elements
Header always set X-Content-Type-Options nosniff

# Content-Security-Policy
#Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'"
# Enable Content Security Policy (Level 2)
Header always set Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'"

# Disable Referrer which isn't needed when you don't use authentication
#Header always set Referrer-Policy "no-referrer"
Header always set Referrer-Policy "strict-origin"

# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"

# Referer policy
#Header always set Referrer-Policy "strict-origin"

# expect-ct policy
Header always set Expect-CT 'enforce, max-age=43200'

# Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

# unset the server powered by header
Header unset X-Powered-By
Header always unset X-Powered-By

# Disable HTTP 1.0 protocol
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

# For mod security
#<IfModule security3_module>
#Include /usr/local/etc/modsecurity/*.conf
# Load the base Owasp rules
#Include etc/modsecurity/owasp-modsecurity-crs/rules/*.conf
#</IfModule>

# mod_evasive
#<IfModule mod_evasive20.c>
#DOSHashTableSize 3097
#DOSPageCount 2
#DOSSiteCount 50
#DOSPageInterval 1
#DOSSiteInterval 1
#DOSBlockingPeriod 60
#DOSEmailNotify root@davemehler.com
#DOSWhitelist 127.0.0.1
#DOSSystemCommand '/sbin/pfctl -t evasive -T add %s'
#</IfModule>

# Send the CORS header for images when browsers request it.
#
# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.htm...
<IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
        <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
            SetEnvIf Origin ":" IS_CORS
            Header set Access-Control-Allow-Origin "*" env=IS_CORS
        </FilesMatch>
    </IfModule>
</IfModule>

# Allow cross-origin access to web fonts.
#
# https://developers.google.com/fonts/docs/troubleshooting
<IfModule mod_headers.c>
    <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>

# Serve resources with the proper media types (f.k.a. MIME types).
#
# https://www.iana.org/assignments/media-types/media-types.xhtml
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
<IfModule mod_mime.c>

    # Data interchange
    AddType application/atom+xml                        atom
    AddType application/json                            json map topojson
    AddType application/ld+json                         jsonld
    AddType application/rss+xml                         rss
    AddType application/geo+json                        geojson
    AddType application/rdf+xml                         rdf
    AddType application/xml                             xml

    # JavaScript
    # Servers should use text/javascript for JavaScript resources.
    # https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
    AddType text/javascript                             js mjs

    # Manifest files
    AddType application/manifest+json                   webmanifest
    AddType application/x-web-app-manifest+json         webapp
    AddType text/cache-manifest                         appcache

    # Media files
    AddType audio/mp4                                   f4a f4b m4a
    AddType audio/ogg                                   oga ogg opus
    AddType image/bmp                                   bmp
    AddType image/svg+xml                               svg svgz
    AddType image/webp                                  webp
    AddType video/mp4                                   f4v f4p m4v mp4
    AddType video/ogg                                   ogv
    AddType video/webm                                  webm
    AddType video/x-flv                                 flv

    # Serving `.ico` image files with a different media type
    # prevents Internet Explorer from displaying them as images:
    # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcd...
    AddType image/x-icon                                cur ico

    # WebAssembly
    AddType application/wasm                            wasm

    # Web fonts
    AddType font/woff                                   woff
    AddType font/woff2                                  woff2
    AddType application/vnd.ms-fontobject               eot
    AddType font/ttf                                    ttf
    AddType font/collection                             ttc
    AddType font/otf                                    otf

    # Other
    AddType application/octet-stream                    safariextz
    AddType application/x-bb-appworld                   bbaw
    AddType application/x-chrome-extension              crx
    AddType application/x-opera-extension               oex
    AddType application/x-xpinstall                     xpi
    AddType text/calendar                               ics
    AddType text/markdown                               markdown md
    AddType text/vcard                                  vcard vcf
    AddType text/vnd.rim.location.xloc                  xloc
    AddType text/vtt                                    vtt
    AddType text/x-component                            htc

</IfModule>

# Serve all resources labeled as `text/html` or `text/plain`
# with the media type `charset` parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset
AddDefaultCharset utf-8

# Serve the following file types with the media type `charset`
# parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
<IfModule mod_mime.c>
    AddCharset utf-8 .appcache \
                     .bbaw \
                     .css \
                     .htc \
                     .ics \
                     .js \
                     .json \
                     .manifest \
                     .map \
                     .markdown \
                     .md \
                     .mjs \
                     .topojson \
                     .vtt \
                     .vcard \
                     .vcf \
                     .webmanifest \
                     .xloc
</IfModule>

# Block access to directories without a default document.
#
# You should leave the following uncommented, as you shouldn't allow
# anyone to surf through every directory on your server (which may
# include rather private places such as the CMS's directories).
<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

# A web application uses HTTPS and a URL-based session identifier.
# The web application might wish to link to HTTPS resources on other
# web sites without leaking the user's session identifier in the URL.
#
# This can be done by setting a `Referrer Policy` which
# whitelists trusted sources of content for your website.
#
# To check your referrer policy, you can use an online service
# such as: https://securityheaders.io/.
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
<IfModule mod_headers.c>
    # no-referrer-when-downgrade (default)
    # This should be the user agent's default behavior if no policy is
    # specified. The origin is sent as referrer to an a-priori as-much-secure
    # destination (HTTPS->HTTPS), but isn't sent to a less secure destination
    # (HTTPS->HTTP).
    Header set Referrer-Policy "no-referrer-when-downgrade" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
</IfModule>

# Compress all output labeled with one of the following media types.
#
# https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbyt...
<IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE "application/atom+xml" \
                                  "application/javascript" \
                                  "application/json" \
                                  "application/ld+json" \
                                  "application/manifest+json" \
                                  "application/rdf+xml" \
                                  "application/rss+xml" \
                                  "application/schema+json" \
                                  "application/geo+json" \
                                  "application/vnd.ms-fontobject" \
                                  "application/wasm" \
                                  "application/x-font-ttf" \
                                  "application/x-javascript" \
                                  "application/x-web-app-manifest+json" \
                                  "application/xhtml+xml" \
                                  "application/xml" \
                                  "font/eot" \
                                  "font/opentype" \
                                  "font/otf" \
                                  "image/bmp" \
                                  "image/svg+xml" \
                                  "image/vnd.microsoft.icon" \
                                  "text/cache-manifest" \
                                  "text/calendar" \
                                  "text/css" \
                                  "text/html" \
                                  "text/javascript" \
                                  "text/plain" \
                                  "text/markdown" \
                                  "text/vcard" \
                                  "text/vnd.rim.location.xloc" \
                                  "text/vtt" \
                                  "text/x-component" \
                                  "text/x-cross-domain-policy" \
                                  "text/xml"
</IfModule>

# Map the following filename extensions to the specified
# encoding type in order to make Apache serve the file types
# with the appropriate `Content-Encoding` response header
# (do note that this will NOT make Apache compress them!).
#
# If these file types were served without an appropriate
# `Content-Encoding` response header, client applications (e.g.
# browsers) wouldn't know that they first need to uncompress
# the response, and thus wouldn't be able to understand the
# content.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
<IfModule mod_mime.c>
    AddEncoding gzip svgz
</IfModule>

On 4/12/20, Andrew Hodgson <andrew@hodgson.io> wrote:
Hi,
Are you using this plugin:
https://plugins.roundcube.net/packages/alexandregz/twofactor_gauthenticator
I don't think it's to do with SSL, because technically the login can operate without SSL (the 2FA step is just an extra step and transport security isn't an issue). Having said that, there may be a potential issue if your web server is directing you to a non-HTTPS link for a .JS file or similar; Chrome really hates this.
You could test this by turning off SSL and logging in with a test password to see if that works.
Are you sure the clock is synchronised on client and server devices, as that is usually where trouble occurs? I take it on Chrome when logging in you just get access denied, or are you not getting the Webmail session at all?
Andrew.
-----Original Message-----
From: David Mehler <dave.mehler@gmail.com>
Sent: 12 April 2020 03:23
To: blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Subject: [Blind-sysadmins] email server being contrary
Hello,
This is to anyone who has setup and operates their own email server rather than relying on a cloud provider. If you do can you email me privately?
I've got an email server that is being contrary. It runs Dovecot for IMAP, Postfix for SMTP, Apache as webserver, and Roundcube as an email frontend. The short version is: about two days ago, at about the same time as I put in the Google two-factor authentication plugin for Roundcube, the latest version of Chrome (and, I just found out, the latest Firefox) will no longer log in. I don't see anything in the logs; it's as if there are no login attempts at all. The problem I am having with this, and the contrary part of this, is that IE11 works just fine, logs in great.

It is quite perplexing.
Suggestions welcome, please. Thanks.
Dave.

_______________________________________________
Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org
To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org
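Editor's note on the pasted httpd-security.conf: the active Content-Security-Policy there sets default-src 'none' and never sets script-src or connect-src. Under CSP's fallback rule, a fetch directive that is absent takes the value of default-src, so any browser that enforces the header blocks the webmail client's own JavaScript and its XHR calls, whereas IE11 does not enforce the standard Content-Security-Policy header at all. The script below is an added example, not code from the thread, from Roundcube or from Apache: it parses a CSP header, applies the fallback rule, and reports which of a page's typical fetches would be blocked. The two policy strings are copied from the file; the page origin and the resource list are constructed for illustration, and the source matcher covers only 'none', 'self', 'unsafe-inline', '*' and exact origins (no nonces, hashes or wildcard hosts).

```python
# Added example: evaluate which fetches a Content-Security-Policy permits,
# applying the CSP fallback rule that an absent fetch directive is governed
# by default-src. Not from the original thread or any project.

# CSP fetch directives: these inherit from default-src when not set.
# Document/navigation directives (frame-ancestors, base-uri, form-action)
# do NOT inherit and are returned as-is by effective_sources().
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src", "prefetch-src",
}

# The two policies from the pasted httpd-security.conf (active and commented-out).
ACTIVE_POLICY = ("default-src 'none'; img-src 'self'; style-src 'self'; "
                 "font-src 'self'; base-uri 'none'; frame-ancestors 'none'; "
                 "form-action 'none'")
COMMENTED_POLICY = ("default-src 'self'; script-src 'self'; connect-src 'self'; "
                    "img-src 'self'; style-src 'self'; frame-ancestors 'self'")

# Constructed: the origin of a webmail UI and the fetches it typically makes.
PAGE_ORIGIN = "https://mail.example.com"
RESOURCES = [
    ("script-src", "https://mail.example.com", False),   # bundled app JS
    ("script-src", "https://mail.example.com", True),    # inline <script>
    ("connect-src", "https://mail.example.com", False),  # XHR to the app
    ("style-src", "https://mail.example.com", False),
    ("img-src", "https://mail.example.com", False),
    ("font-src", "https://mail.example.com", False),
]


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}.
    Per the spec, a repeated directive is ignored after its first occurrence."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Return the source list governing `directive`: the directive itself if
    present, otherwise default-src for fetch directives, otherwise None
    (meaning the policy places no restriction on it)."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def source_allowed(sources, origin, page_origin, inline=False):
    """Simplified source-list match for 'none', 'self', 'unsafe-inline',
    '*' and exact origins. Nonces, hashes and wildcard hosts are not modelled."""
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    if inline:
        return "'unsafe-inline'" in sources
    for src in sources:
        if src == "*":
            return True
        if src == "'self'" and origin.lower() == page_origin.lower():
            return True
        if src.lower() == origin.lower():
            return True
    return False


def blocked_resources(header, page_origin, resources):
    """Return the (directive, origin, inline) entries the policy would block."""
    policy = parse_csp(header)
    return [
        (directive, origin, inline)
        for directive, origin, inline in resources
        if not source_allowed(effective_sources(policy, directive),
                              origin, page_origin, inline)
    ]


if __name__ == "__main__":
    for label, header in (("active", ACTIVE_POLICY), ("commented-out", COMMENTED_POLICY)):
        print(f"{label} policy blocks:")
        for directive, origin, inline in blocked_resources(header, PAGE_ORIGIN, RESOURCES):
            print(f"  {directive:12} {'inline' if inline else origin}")
```

Run against the active policy, the script reports the same-origin script, the inline script and the XHR as blocked, which is exactly the set a single-page webmail client cannot do without; the commented-out policy blocks only the inline script. The practical check is to open the browser's developer console, where a CSP-enforcing browser logs each refused load with the directive that refused it.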