Horde errors with asl testing mod_security new rules - a fix
Posted: Mon Dec 03, 2007 7:36 am
by aus-city
If you start seeing Horde issues with webmail when you send a message, it's easily fixed.
Create a .htaccess file with the following:
<IfModule mod_security.c>
<Files swx.php>
SecFilterInheritance Off
</Files>
</IfModule>
in /usr/share/psa-horde/imp
Then your problems are fixed.
Posted: Mon Dec 03, 2007 8:43 am
by scott
Another thing to keep track of: PHP 5.2.5 and Horde aren't completely compatible. You've got to modify the include path:
http://www.atomicorp.com/wiki/index.php/PHP
Posted: Mon Dec 03, 2007 4:27 pm
by aus-city
Scott,
Yes, very true, I had that problem first!
Perhaps you might want to put the info about getting around the mod_security issue with Horde either in the PHP info or maybe in another wiki.
Perhaps that is something to be aware of, as certainly the latest mod_security well and truly breaks Horde, and when you try to send an email mod_security gives you a 403 error page.
Posted: Wed Dec 05, 2007 5:38 am
by benji
I installed ASL for first time on my server yesterday.
I have the horde problem.
The fix is not working for me. I've put a .htaccess file in:
/usr/share/psa-horde/imp
with:
<IfModule mod_security.c>
<Files swx.php>
SecFilterInheritance Off
</Files>
</IfModule>
<IfModule mod_security2.c>
<Files swx.php>
SecFilterInheritance Off
</Files>
</IfModule>
But my problem is not fixed: every time a user tries to log in to Horde, ASL blocks him, and a warning with a prohibit sign (not firewall) appears on the ASL dashboard with the following text:
85.xx.xx.xx - - [05/Dec/2007:10:29:30 +0100] "GET /index.php?url=http%3A%2F%2Fwebma 31106 12
Please help me, I need to disable 31106? How do I do that? It's my first day with ASL, I need a quick fix for this.
Thanks in advance
Posted: Wed Dec 05, 2007 11:17 am
by scott
Sure, contact support@atomicorp.com. What you want to do is send the log file with the full alert so we can replay it here.
Posted: Wed Dec 05, 2007 6:58 pm
by benji
Can you tell me where the log is?
From the dashboard I cannot get more info than what I've already given, since I cannot click on the "prohibit sign" to see more detail.
Thank you.
Posted: Thu Dec 06, 2007 3:40 am
by aus-city
benji,
I actually dropped the .htaccess altogether and am running all the rules in the rules.conf as in the package, and I have not had any more issues.
It may have been something else causing the issue as I also had problems yesterday but today is fine.
Any blockages I now see are indeed all genuine I have looked them up in the audit logs.
Posted: Thu Dec 06, 2007 7:18 am
by benji
Thx aus-city,
But, what have you changed to solve it? I mean, it's just that now it's working well and before it wasn't... and you didn't change anything?
I tried myself to enter a webmail (Horde) with Internet Explorer, and it blocked my IP with rule 31106.
And it's strange 'cause it depends on which webmail I try to enter (same server): if I enter my webmail, no problem; if I log in on another domain's webmail, 31106 blocks it...
And I don't know how to get more info on it, 'cause I don't know where the ASL logs are... ¿?
Posted: Thu Dec 06, 2007 9:03 am
by scott
Yeah, if you go to the web GUI, find the alert in the dashboard, and click on the little firewall icon (it's a little red box on the alert line), you can see the full details.
Posted: Thu Dec 06, 2007 9:05 am
by benji
As I said in the email to support@... right now, I don't have a "firewall icon", I have a "prohibit sign" icon, which is not clickable...
Also I must say that if I disable signatures:
31106
340031
340036
Horde works perfectly, so it must be something with any or all of those signatures.
Posted: Thu Dec 06, 2007 9:37 am
by scott
OK, you can see the audit log here: /var/log/httpd/audit_log, and that will refer to the alert log. It will start with /20071206/....
The file itself lives in /var/asl/data/audit/, so some cutting and pasting is involved.
Posted: Fri Dec 07, 2007 2:48 am
by aus-city
To solve it: there was a user trying to access mail, and his IP address is blacklisted in the Spamhaus database.
Posted: Fri Dec 07, 2007 4:31 am
by benji
Yep, that's true, the users getting blocked when accessing webmail are listed on Spamhaus.
But the problem is that most of my clients access the internet using a dynamic IP (it's normal in my country), so they are not aware that their IP is listed, and this yields random problems for them.
Is there any way to disable this SPAMHAUS DB check? Does that mean that any user accessing with a listed IP won't be able to access webmail, as well as contact forms on any web site hosted on my server?
Edit: I've checked out my DSL router IP (dynamic) and it is also listed, so I guess all the IPs of my provider are listed, but for some reason I don't get blocked.
Edit2: Having disabled signatures 31106 3400031 3400026, it still blocks webmails for ".cat" domains; for any other domain TLD, with those signatures disabled, it gives no problems at all. That was what was confusing me!! Sometimes blocking and sometimes not!?!? Now I found it, it's only the .cat domains' webmail!!
Posted: Fri Dec 07, 2007 8:18 am
by scott
You should see the RBL setting in /etc/asl/config; just set that to "off" and run "asl -s -f".
That's pretty wild with the .cat extension, I didn't even know about that TLD. I can think of why it's happening: since "cat" is a command, it's probably interpreting it as an argument to PHP.
We just finished a major rewrite of the whole mod_security part of ASL, which is in the -bleeding channel right now. I'll probably push that down to the stable channel later today.
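The RBL check discussed above works by reversing the client's octets and querying a DNS blocklist zone; the answer code tells you which list matched. The following is an added example (not ASL's or Atomicorp's code) showing that lookup and how to tell a policy-only PBL hit, typical of the dynamic ISP ranges benji describes, from an actual spam or compromise listing. The resolver hook and the 192.0.2.x address are constructed for offline testing.

```python
import socket
from ipaddress import IPv4Address

# Spamhaus ZEN answer codes (127.0.0.x) and the list each one denotes.
ZEN_CODES = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (snowshoe/compromised sender)",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP-maintained dynamic/end-user range)",
    "127.0.0.11": "PBL (Spamhaus-maintained end-user range)",
}
for _n in range(4, 8):  # 127.0.0.4-7 are XBL (exploited/infected host) codes
    ZEN_CODES[f"127.0.0.{_n}"] = "XBL (exploited/infected host)"

PBL_CODES = {"127.0.0.10", "127.0.0.11"}


def rbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the DNSBL lookup name: octets reversed, then the zone name."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Map the A records returned by the blocklist to list names; [] means not listed."""
    return [ZEN_CODES.get(a, f"unknown code {a}") for a in answers]


def is_policy_only(answers):
    """True when every hit is a PBL entry: the address sits in an end-user range
    but nothing says it sent spam. Blocking webmail logins on this is over-broad."""
    return bool(answers) and all(a in PBL_CODES for a in answers)


def lookup(ip, resolver=None):
    """Query the blocklist. 'resolver' (hypothetical hook) lets a test inject
    canned answers offline; without it a real DNS lookup is made."""
    name = rbl_query_name(ip)
    if resolver is not None:
        return resolver(name)
    try:
        return socket.gethostbyname_ex(name)[2]  # list of A records
    except socket.gaierror:  # NXDOMAIN: address not listed
        return []


if __name__ == "__main__":
    canned = {"10.2.0.192.zen.spamhaus.org": ["127.0.0.10"]}  # constructed answer
    hits = lookup("192.0.2.10", resolver=lambda n: canned.get(n, []))
    print(classify(hits), "policy-only:", is_policy_only(hits))
```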
Posted: Sat Dec 08, 2007 7:22 am
by aus-city
Scott,
I dropped a post in Security saying I am running the bleeding ASL and mod_sec and it's working perfectly, and I now see in this post you mention the RBL setting, which I found in the /etc/asl/config file.
Incidentally, I have got the RBL turned on.