Author Topic: your session is invalid or expired [SOLVED]  (Read 2045 times)

chris972 (Newbie, Posts: 4)
your session is invalid or expired [SOLVED]
« on: September 16, 2023, 10:18:36 AM »
Solution at the end

Hi,

On my server I have Postfix + Dovecot + Roundcube.
I don't use Roundcube much; it's mainly a backup in case my other means of access to mail are cut off.
Yesterday I realized that I couldn't connect to it.
I immediately thought that there was probably an update that would be useful to install, so I went from 1.5.2 to 1.6.3 (under Gentoo).
But the problem persists.
A priori, Dovecot is not the cause, since I can still connect to it by other means (Evolution, mail under Android), whether by IMAP, IMAPS, POP or POPS.

I can't determine whether this is caused by Roundcube or by a PHP/Apache configuration fault. PHP could very well be the cause, since I probably didn't test Roundcube after the last PHP updates. A problem with sessions?

When I enter my username in Roundcube, I get a red message, "your session is invalid or expired", and I stay on the login page.

I tried several configuration changes, especially imap_auth_type, without any result.

I don't know what to test.
Thank you in advance for any help you can give me.

session.log:
Code:
[16-Sep-2023 13:51:22 +0000]: <ji7ogr9n> Session destroy: ji7ogr9nj05r6mgdkadfpk0trf
[16-Sep-2023 13:51:22 +0000]: <m323tn23> Session regenerate: ji7ogr9nj05r6mgdkadfpk0trf -> m323tn2327sktkjcvg5opoqs7k
[16-Sep-2023 13:51:22 +0000]: <ji7ogr9n> Aborted session ji7ogr9nj05r6mgdkadfpk0trf; no valid session data found
userlogins.log:
Code:
[16-Sep-2023 13:51:22 +0000]: <m323tn23> Successful login for chris (ID: 1) from 192.168.5.3 in session m323tn2327sktkjc
config.inc.php:
Code:
$config['db_dsnw'] = 'sqlite:////var/lib/roundcube/sqlite.db?mode=0646';
$config['plugins'] = [
     'archive',
     'zipdownload',
];
$config['skin'] = 'elastic';
$config['create_default_folders'] = true;
$config['spellcheck_dictionary'] = true;
$config['log_logins'] = true;
$config['session_debug'] = true;
$config['imap_auth_type'] = 'PLAIN';

dovecot -n:
Code:
#2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
# OS: Linux 6.1.41-gentoo x86_64 Gentoo Base System release 2.14 ext4
# Hostname: vmserveur.novazur.fr
auth_mechanisms = plain cram-md5 login
auth_username_format = %n
auth_verbose_passwords = sha1:12
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info.log
listen = *
log_path = /var/log/dovecot.log
mail_location = maildir:/var/spool/mail/%n
mail_privileged_group = mail
namespace inbox {
   inbox=yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
}
passdb {
   args = *
   driver = pam
}
passdb {
   args = /etc/dovecot/dovecot-ldap.conf.ext
   driver = ldap
}
protocols = imap pop3
service auth {
   unix_listener /var/spool/postfix/private/auth {
     group = postfix
     mode = 0666
     user = postfix
   }
}
ssl_cert = </etc/letsencrypt/live/mymailserver/fullchain.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
   driver = passwd
}
userdb {
   args = /etc/dovecot/dovecot-ldap.conf.ext
   driver = ldap
}

Edit:
I had completely forgotten that, in order to secure my server, I had followed some recommendations without understanding everything. One of them was to add header instructions to the Apache virtual host configuration:
Code:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
By deleting the first line (edit Set-Cookie), the problem disappears.
Sorry for the unnecessary noise.
« Last Edit: September 16, 2023, 11:04:06 AM by chris972 »
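An added example (not part of chris972's post, and not Roundcube's or Apache's own code) that models one way a blanket `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` breaks a PHP session: the rewrite also tags Roundcube's session cookie as Secure, a browser will not store a Secure cookie that arrived over plain http, and so the next request carries the stale, already-destroyed session id, which is what the "Aborted session ...; no valid session data found" line reports. The cookie name, session ids and URLs are constructed, and the http-vs-https mechanism is an assumption about this setup, since the post only reports that removing the directive fixed the problem.

```python
import re
from urllib.parse import urlsplit

# Constructed session ids and cookie name (not copied from the post's logs).
OLD_SID, NEW_SID = "oldsid0001", "newsid0002"
COOKIE = "roundcube_sessid"

def apache_header_edit(set_cookie):
    """Effect of `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure`.
    Apache writes the back-reference as $1; Python's re.sub uses backslash-1."""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", set_cookie)

def cookie_attrs(set_cookie):
    """Split a Set-Cookie value into (name, value, {attr.lower(): value-or-True})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val or True
    return name, value, attrs

def browser_stores(set_cookie, response_url):
    """Browsers refuse to store a Secure-flagged cookie that arrived over plain http."""
    _, _, attrs = cookie_attrs(set_cookie)
    return "secure" not in attrs or urlsplit(response_url).scheme == "https"

def simulate_login(base_url, header_edit):
    """Model the round-trip seen in session.log: the server destroys the
    pre-login session, regenerates a new id and sets it as a cookie, then the
    browser sends whatever cookie it holds on the next request.  Returns the
    server's view of that next request."""
    jar = {COOKIE: OLD_SID}                  # cookie the browser already holds (assumed)
    sessions = {OLD_SID: {"logged_in": False}}
    del sessions[OLD_SID]                    # "Session destroy"
    sessions[NEW_SID] = {"logged_in": True}  # "Session regenerate old -> new"
    set_cookie = f"{COOKIE}={NEW_SID}; path=/; HttpOnly; SameSite=Lax"
    if header_edit:
        set_cookie = apache_header_edit(set_cookie)
    if browser_stores(set_cookie, base_url):
        jar[COOKIE] = NEW_SID
    sent = jar[COOKIE]
    if sent in sessions:
        return "ok"
    return f"Aborted session {sent}; no valid session data found"

if __name__ == "__main__":
    for url in ("http://mail.example.test/roundcube/", "https://mail.example.test/roundcube/"):
        for edit in (False, True):
            print(f"{url} header_edit={edit}: {simulate_login(url, edit)}")
```

Over https the extra flags are harmless, so a cheaper fix than dropping the directive is to serve Roundcube only over https; the simulation's https case returns "ok" with the rewrite in place.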