new 3.0.2.3 install - Cannot login to Mailwatch admin page with any acct if change to use AD/LDAP

VMguru
Posts: 18
Joined: 18 Nov 2015 16:04

new 3.0.2.3 install - Cannot login to Mailwatch admin page with any acct if change to use AD/LDAP

Post by VMguru »

I'd been using EFA for a couple of years now, successfully upgrading and using Active Directory for authentication in MailWatch to view quarantined emails, release them, etc.

Well, the last upgrade crashed out to the point that I decided to download and install from scratch the latest VMware OVA of eFa to replace the old one.

I went through and made all the same changes to the config.php as before from: viewtopic.php?f=14&t=1484.
Made changes to mailwatch_ldap_sync.sh that I found in the new path of /usr/local/bin/mailwatch/tools/LDAP/ to match.

Made sure I installed php-ldap (yum install php-ldap)
Made sure I installed the openldap-clients (yum install openldap-clients)

I ran the script above and my database populated properly.

But when I make the last change to conf.php of

define('USE_LDAP', true);

I can no longer log in to the main MailWatch page with the root account or another I created that is the main user, both defined as Administrators in the MySQL database. I cannot log in as any of my AD users either.
I receive:

Forbidden
You don't have permission to access /mailscanner/checklogin.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use the ErrorDocument to handle the request.


If I change the setting back to

define('USE_LDAP', false);

then I can successfully log in with only the root and original accounts or accounts I create, and none of the AD/LDAP accounts that were imported.
For those I get:
Bad Username or Password

Any ideas?
Thanks, Jeff
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: new 3.0.2.3 install - Cannot login to Mailwatch admin page with any acct if change to use AD/LDAP

Post by shawniverson »

Please do the following:

1) What error message are you getting in /var/log/httpd logs when you see the forbidden message?

2) Try turning off mod_security in EFA-Configure. 11) Apache Settings --> 2) Modsecurity
VMguru
Posts: 18
Joined: 18 Nov 2015 16:04

Re: new 3.0.2.3 install - Cannot login to Mailwatch admin page with any acct if change to use AD/LDAP

Post by VMguru »

Since I hate log files :roll: , I did the 2nd step, Disabled Modsecurity. I then set LDAP to true & both local and AD accounts now work, thank you! :D

At which version did that setting get added?

This time around, I finally found the setting in config.php that allows you to aggregate all the email addresses in Exchange bound to a single account so they are included together in one quarantine report,

//Set QUARANTINE_FILTERS_COMBINED to true to combine quarantine report into a single report when user filters are present
define('QUARANTINE_FILTERS_COMBINED', true);

that is brilliant!!!

Thank you again for all the work you all do with this appliance!
Jeff
VMguru
Posts: 18
Joined: 18 Nov 2015 16:04

Re: new 3.0.2.3 install - Cannot login to Mailwatch admin page with any acct if change to use AD/LDAP

Post by VMguru »

BTW, here is what the last entry in modsec_audit.log says before I disabled modsecurity in Apache:

--7f0db94b-A--
[13/Jun/2017:07:36:49 --0400] WT-OUQoAACMAAHD5BfgAAAAD 84.201.133.68 58331 10.0.0.35 443
--7f0db94b-B--
GET /robots.txt HTTP/1.1
Host: <my EFA>
Connection: Keep-Alive
user-agent: Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
from: support@search.yandex.ru

--7f0db94b-F--
HTTP/1.1 403 Forbidden
Content-Length: 212
Connection: close
Content-Type: text/html; charset=iso-8859-1

--7f0db94b-E--

--7f0db94b-H--
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Stopwatch: 1497353809998308 1092 (- - -)
Stopwatch2: 1497353809998308 1092; combined=291, p1=208, p2=60, p3=0, p4=0, p5=23, sr=42, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"

--7f0db94b-Z--
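A note on the entry posted above, and an added example that is not part of this thread, eFa or MailWatch. The audit record shown is a GET /robots.txt from YandexBot, intercepted by OWASP CRS 2.2.6 rule 960015 ("Request Missing an Accept Header"); it is not the failed login. The transaction that explains the 403 on /mailscanner/checklogin.php is the one whose B part carries that request line, and the usual fix is to remove only the rule that fired, scoped to that path, rather than turning ModSecurity off for the whole appliance. The script below parses a ModSecurity 2.x serial audit log, lists which rule ids intercepted which paths, and drafts a scoped SecRuleRemoveById snippet. The log it runs on is constructed: the first transaction mirrors the posted entry with the client address replaced by a documentation-range IP, and the second is a hypothetical blocked checklogin.php POST (CRS 2.2.x ids 981318 and 981176 are used for illustration; the thread never identified which rule actually blocked the login, and the form field names are assumed).

```python
# Added example for this thread, not eFa or MailWatch code: parse a ModSecurity 2.x
# serial audit log, list which rules intercepted which request paths, and draft
# path-scoped SecRuleRemoveById exclusions as an alternative to disabling the engine.
import re

# Constructed input in the audit-log format (parts delimited by "--<id>-<part>--").
# 7f0db94b mirrors the robots.txt entry from the thread (client IP swapped for a
# documentation address); 1a2b3c4d is a hypothetical blocked checklogin.php POST,
# invented here: the thread never identified the rule that blocked the login.
SAMPLE_AUDIT_LOG = """\
--7f0db94b-A--
[13/Jun/2017:07:36:49 --0400] WT-OUQoAACMAAHD5BfgAAAAD 203.0.113.10 58331 10.0.0.35 443
--7f0db94b-B--
GET /robots.txt HTTP/1.1
Host: efa.example.test

--7f0db94b-H--
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Action: Intercepted (phase 2)

--7f0db94b-Z--
--1a2b3c4d-A--
[13/Jun/2017:07:40:02 --0400] WT-PAAoAACMAAHD5BgAAAAAE 192.0.2.55 51000 10.0.0.35 443
--1a2b3c4d-B--
POST /mailscanner/checklogin.php HTTP/1.1
Host: efa.example.test
Accept: text/html

--1a2b3c4d-C--
user=jeff&pass=REDACTED

--1a2b3c4d-H--
Message: Warning. Pattern match "..." at ARGS:pass. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=5, XSS=0)"]
Action: Intercepted (phase 2)

--1a2b3c4d-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# Part A: "[timestamp] unique_id client_ip client_port server_ip server_port"
PART_A_RE = re.compile(r"^\[[^\]]+\]\s+\S+\s+(?P<client_ip>\S+)\s+\d+\s+\S+\s+\d+")
# Rule metadata on each "Message:" line is written as [key "value"] pairs.
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
# The CRS 2.2.x anomaly-mode blocking rule only sums scores set by other rules;
# removing it would switch blocking off everywhere, so it is never suggested.
AGGREGATE_MSG_PREFIX = "Inbound Anomaly Score Exceeded"


def parse_audit_log(text):
    """Return one dict per transaction: client IP, method, URI, intercepted flag, fired rules."""
    parts, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            current = parts.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    transactions = []
    for tx_id, sections in parts.items():
        tx = {"id": tx_id, "client_ip": None, "method": None, "uri": None,
              "intercepted": False, "rules": []}
        a = PART_A_RE.match((sections.get("A") or [""])[0])
        if a:
            tx["client_ip"] = a.group("client_ip")
        req = (sections.get("B") or [""])[0].split()
        if len(req) >= 2:
            tx["method"], tx["uri"] = req[0], req[1]
        for line in sections.get("H") or []:
            if line.startswith("Message:"):
                tags = {t.group("key"): t.group("val") for t in TAG_RE.finditer(line)}
                if "id" in tags:
                    tx["rules"].append({"id": tags["id"], "msg": tags.get("msg", ""),
                                        "file": tags.get("file", "")})
            elif line.startswith("Action: Intercepted"):
                tx["intercepted"] = True
        transactions.append(tx)
    return transactions


def blocked_rule_ids_by_uri(transactions):
    """Map each intercepted request path to the rule ids that contributed to the block."""
    by_uri = {}
    for tx in transactions:
        if tx["intercepted"] and tx["uri"]:
            ids = by_uri.setdefault(tx["uri"], [])
            for rule in tx["rules"]:
                if not rule["msg"].startswith(AGGREGATE_MSG_PREFIX) and rule["id"] not in ids:
                    ids.append(rule["id"])
    return by_uri


def render_exclusions(by_uri):
    """Draft a ModSecurity 2.x snippet that removes each rule only for the path it broke."""
    lines = []
    for uri, ids in by_uri.items():
        if ids:
            lines.append('<LocationMatch "^%s$">' % re.escape(uri))
            lines.extend("    SecRuleRemoveById %s" % rid for rid in ids)
            lines.append("</LocationMatch>")
    return "\n".join(lines)


if __name__ == "__main__":
    txs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for tx in txs:
        print(tx["client_ip"], tx["method"], tx["uri"], [r["id"] for r in tx["rules"]])
    print(render_exclusions(blocked_rule_ids_by_uri(txs)))
```

Run it against the real /var/log/httpd/modsec_audit.log (or wherever SecAuditLog points on the appliance) and review the suggested ids before adopting them; SecRuleRemoveById must appear after the rule it removes is defined, so the snippet belongs in a file Apache reads after the CRS include (conf.d files load alphabetically) followed by an httpd reload. The constructed C part also shows a caveat worth knowing when the audit log is on: with part C enabled in SecAuditLogParts, the request body of a logged transaction, login form credentials included, is written to modsec_audit.log, so keep that file tightly permissioned or drop C from the logged parts.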
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: new 3.0.2.3 install - Cannot login to Mailwatch admin page with any acct if change to use AD/LDAP

Post by pdwalker »

increased security or increased convenience, never both.

*sigh*
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: new 3.0.2.3 install - Cannot login to Mailwatch admin page with any acct if change to use AD/LDAP

Post by shawniverson »

Indeed. My preference is to not have modsecurity around, or at least disabled by default. The problem is that any string can trigger a false positive, as long as it resembles an "attack." Not effective, in my opinion. MailWatch has beefed up its security and has tested its code against OWASP. I am fine with that.