efa-project.org

I'd been using EFA for a couple of years now successfully upgrading and using Active Directory for authentication in MailWatch to view quarantined emails, release them, etc.

Well the last upgrade crashed out to the point I decided to download and install from scratch the latest VMware OVA of eFa to replace the old one.

I went through and made all the same changes to the config.php as before from: viewtopic.php?f=14&t=1484.
Made changes to mailwatch_ldap_sync.sh that I found in the new path of /usr/local/bin/mailwatch/tools/LDAP/ to match.

Made sure I installed php-ldap (yum install php-ldap)
Made sure I installed the openldap-clients (yum install openldap-clients)

I ran the script above and my database populated properly.

But when I make the last change to conf.php of I can no longer login to the main MailWatch page with the root account or another I created that is the main user, both defined as Administrators in the MySQL database. I cannot login as any of my AD users either.
I receive:

Forbidden
You don't have permission to access /mailscanner/checklogin.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use the ErrorDocument to handle the request.

If I change the setting back to then I can successfully login with only the root and original or accts I create and none of the AD/LDAP accounts that were imported.
For those I get:
Bad Username or Password

Any ideas?
Thanks, Jeff

Please do the following:

1) What error message are you getting in /var/log/httpd logs when you see the forbidden message?

2) Try turning off mod_security in EFA-Configure. 11) Apache Settings --> 2) Modsecurity

Since I hate log files , I did the 2nd step, Disabled Modsecurity. I then set LDAP to true & both local and AD accounts now work, thank you!

At which version did that setting get added?

This time around, I finally found the setting in config.php that allows you to aggregate all the email addresses in Exchange bound to a single account so they are included together in one quarantine report, that is brilliant!!!

Thank you again for all the work you all do with this appliance!
Jeff

BTW, here is what the last entry in modsec_audit.log says before I disabled modsecurity in Apache:

--7f0db94b-A--
[13/Jun/2017:07:36:49 --0400] WT-OUQoAACMAAHD5BfgAAAAD 84.201.133.68 58331 10.0.0.35 443
--7f0db94b-B--
GET /robots.txt HTTP/1.1
Host: <my EFA>
Connection: Keep-Alive
user-agent: Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
from: support@search.yandex.ru

--7f0db94b-F--
HTTP/1.1 403 Forbidden
Content-Length: 212
Connection: close
Content-Type: text/html; charset=iso-8859-1

--7f0db94b-E--

--7f0db94b-H--
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Stopwatch: 1497353809998308 1092 (- - -)
Stopwatch2: 1497353809998308 1092; combined=291, p1=208, p2=60, p3=0, p4=0, p5=23, sr=42, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"

--7f0db94b-Z--

increased security or increased convenience, never both.

*sigh*

Indeed. My preference is to not have modsecurity around, or at least disabled by default. The problem is that any string can trigger a false positive, as long as it resembles an "attack." Not effective, in my opinion. MailWatch has beefed up its security and has tested its code against OWASP. I am fine with that.