Can’t Access Squirrelmail On CentOS 8
Good evening,
I have not able able to run the http://ip-addr/src/configtest.php script, nor access Squirrelmail. Looking for suggestions on what I might have missed. When I try either http://ip-… or https://ip-…, I get the following reply
Forbidden You don’t have permission to access /webmail/src/configtest.php on this server.
I got squirrelmail installed in /usr/share/squirrelmail and ‘configured’ to work (using ./conf.pl). This setup below is about the same setup on my CentOS 6 box. I’m thinking my issue is more Apache configuration related than Squirrelmail.
**Apache is running with no issues**
Below are some of my settings in /etc/httpd/conf/httpd.conf
Apache ServerRoot is /etc/httpd
Apache DocumentRoot is /www
Further parameters within httpd.conf include:
#
# Relax access to content within /var/www.
#
AllowOverride None
# Allow open access:
Require all granted
# Further relax access to the default document root:
Options Indexes FollowSymLinks
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
In /etc/httpd/conf.modules.d I created a file called 16-squirrelmail.conf That file contains the following information:
# SquirrelMail is a webmail package written in PHP.
#
Alias /webmail /usr/share/squirrelmail
AllowOverride None Require all denied
# this section makes squirrelmail use https connections only, for this you # need to have mod_ssl installed. If you want to use unsecure http # connections, just remove this section:
#6-12-2020 commented out next five lines to test sqmail in http mode only
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Any suggestions????
Thanks,
Jay
11 thoughts on - Can’t Access Squirrelmail On CentOS 8
selinux issue?
I have this in my squirrelmail notes for CentOS 6, maybe this is a similar issue for you on CentOS 8:
After configuring squirrelmail, do this to make selinux accept squirrelmail connections:
setsebool -P httpd_can_network_connect 1
(The -P makes it permanent across reboots. This command takes quite a while to run, so don’t worry about the waiting)
Then this to allow apache to connect to sendmail:
setsebool -P httpd_can_sendmail 1
Also takes a long time to run.
Note that in SquirrelMail versions 1.5.0 and up, if you are accessing configtest.php from any place other than the machine where SquirrelMail is installed, you’ll need to make sure $allow_remote_configtest is enabled in your configuration file to do so (or see “11. Tweaks” ==> “7. Allow remote configtest” in the configuration utility). If you do that, be sure to disable it again when you are finished.
I turned the firewall off and tried to access /webmail and the configtest file, Turning off the firewall resulted in same issue.
I am not using selinux on CentOS 6, so those options are not set on C6. I have not tried either of those options above on C8. I wanted to check to see if those Directory options I listed in my OP were hosed, correct, etc.
I’m using v 1.4.23-svn.
Jay
Both of those are turned ‘off’ (0).
Also, my testing is from a remote machine.
Am 18.06.2020 um 22:37 schrieb Jay Hart:
Frank was hinting to SELinux preventing access. A valid guess, especially as you have installed the webapp in a very uncommon path where default SELinux does know nothing about. So check the audit.log for AVC or use ausearch.
And of course check the webserver’s logfile. Always the logs! They have the neccessary information your need to debug your situation.
Alexander
I enabled both those options. tried to access again, same issue.
Log file:
[Thu Jun 18 17:08:31.160897 2020] [authz_core:error] [pid 10427:tid 140567258310400] [client 10.20.30.61:34096] AH01630: client denied by server configuration: /usr/share/squirrelmail/src/login.php
After changing those options, do I need to restart service[s], or reboot?
Jay Hart writes:
mod_security?
Mod_security is not installed.
Jay
Am 18.06.2020 um 23:18 schrieb Jay Hart:
Sorry, which 2 options did you enable?
So here you get the information about what needs to be corrected. Please look closely at your apache configuration as you are forbidding access by your active settings.
As much as you have setup your webmail in a config file like
16-squirrelmail.conf you will of course have to restart or reload the service. A reboot is never needed for such kind of change.
Alexander
I turned on
httpd_can_network_connect –> on httpd_can_sendmail –> on
I restarted httpd.
Am 18.06.2020 um 23:44 schrieb Jay Hart:
Jay,
the SELinux booleans are not the reason for your issue. See the error message, it should give you a clue: the authz_core element is spitting that out, that’s a part of apache itself.
https://cwiki.apache.org/confluence/display/HTTPD/ClientDeniedByServerConfiguration
If you google search for “AH01630: client denied by server configuration:” you will get a confirmation what that error means and for what to look at in your apache configuration.
Alexander
Le 18/06/2020 à 22:11, Jay Hart a écrit :
The SquirrelMail project has been dead for years now. Don’t use it.
Suggestion : Roundcube.
Cheers,
Niki
—
Microlinux – Solutions informatiques durables
7, place de l’église – 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12