Roundcube Community Forum
Release Support => Pending Issues => Topic started by: rivimey on September 06, 2019, 07:03:41 PM
-
I have roundcube (was 1.3.8, now 1.3.10) installed on Ubuntu Xenial using Apache/php7.2 talking to dovecot 2.2.22 on localhost.
It was first installed several years ago but has recently stopped working - that is, while I and other users can log in and see the list of imap folders, no messages are listed in the summary and no message content is visible. There is a message saying "mailbox is empty". However, I know I have large numbers of mails in these folders because I can see them in Thunderbird.
Sending a test mail works fine (in that the message is sent) except that the process hangs, presumably while trying to add the sent message to the imap sent mail folder.
I have enabled logging in config.inc.php and bumped the log level to 9 (not sure of range?) and can see that the imap server accepts the login and returns a list of subscribed folders. However after that nothing else is in the log.
Since this issue started I have updated the roundcube software to 1.3.10 (changelog) and checked config is sane, but this has not helped. I am using Firefox, but have checked it fails on Chrome as well.
I have wondered if there was some sort of permissions problem but, given Thunderbird is fine, what/where would it be?
Updated:
- I have tried moving all plugins from the 'active' list to the 'installed' list to see if that helped, but it doesn't.
- I can supply elements of the config if requested but would prefer not to spam this list unnecessarily!
-
Enable imap_debug and post the log when you log in.
-
I have removed some things for privacy, including replacing session vars= and abbreviating the list of folders.
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [1] SELECT `vars`, `ip`, `changed`, now() AS ts FROM `session` WHERE `sess_id` = '59a7s9ff12o53bhjmv50st2dmg8cr7h5';
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [2] SELECT * FROM `users` WHERE `user_id` = '1';
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready.
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] C: A0001 ID ("name" "Roundcube" "version" "1.3.10" "php" "7.2.21-1+ubuntu16.04.1+deb.sury.org+1" "os" "Linux" "command" "/mail/?_task=mail&_mbox=GER")
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * ID ("name" "Dovecot")
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: A0001 OK ID completed.
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] C: A0002 AUTHENTICATE CRAM-MD5
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: + PDE3MTUzOTQzMTAxNDkyODYuMTU2NzgwOTI5NkBncmV5YXJlYT4=
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] C: ****** [62]
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: A0002 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE] Logged in
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] C: A0003 LIST (SUBSCRIBED) "" "*"
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." INBOX
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." Lists
...[snip]...
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." Sent
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." Drafts
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." Work
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." GER
...[snip]...
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." Party
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: A0003 OK List completed (0.000 + 0.000 secs).
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [3] UPDATE `session` SET `changed` = now(), `vars` = '..**..' WHERE `sess_id` = '59a7s9ff12o53bhjmv50st2dmg8cr7h5';
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] C: A0004 LOGOUT
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * BYE Logging out
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: A0004 OK Logout completed.
Sep 6 23:34:56 greyarea roundcube: <59a7s9ff> [1] SELECT `vars`, `ip`, `changed`, now() AS ts FROM `session` WHERE `sess_id` = '59a7s9ff12o53bhjmv50st2dmg8cr7h5';
-
I don't see it trying to fetch messages, are there any other IMAP logs or is that it?
-
That's it. As you say, it doesn't appear to try fetching messages, but they are there to fetch.
-
If you search for messages do any show up?
-
I've just tried that. Selected my INBOX folder on the LHS, then entered a common word from subject lines in the search box. No activity whatsoever in the logs (beyond that reported for login).
-
I tried putting print statements as the first lines in the files 'list.inc' and 'folder.inc' of the form:
rcube::write_log('session', 'list.inc: A');
expecting to see them turn up in the log output, but they do not. Is the call incorrect, or is something else happening?
-
Are there any errors in your browser JS console?
-
Yes, there are two security-related issues reported, as in this pic.
-
Subsequent to initial page load, I also get a permission denied to access property "dispatchEvent" on cross-origin object, in inject.js
-
Made some progress: I looked for X-Frame-Options in the browser headers, saw it was set to DENY, checked the php source, and thus found config item "x_frame_options". Scanning source again, I saw a setting in the new defaults.inc.php, which when added to my own config.inc.php:
$config['x_frame_options'] = 'sameorigin';
results in the folder message list being displayed, for all folders.
However, I still do not get the message itself displayed -- there are still cross-origin errors as in the pic attached.
-
More investigation: the X-Frame-Options: DENY is being set in /etc/apache2/conf-enabled/ssl-params.conf with the lines:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
This is in accordance with advice given by Scott Helme in: https://scotthelme.co.uk/hardening-your-http-response-headers/
I have edited that config file and restarted apache & php-fpm, and then verified that the new frame header is present - it was. However, what I thought in my earlier post was a solution (frame option sameorigin) turns out not to be the case. What has actually happened is that I had the developer tools window open. With it open (and using sameorigin) roundcube works properly. With the dev tools window closed (and logout/re-login) it is as broken as it used to be.
So it looks like a browser interaction issue???
-
Roundcube won't work with the "X-Frame-Options DENY" option. That will have to be disabled in order for Roundcube to work.
-
Ok, thanks.
Is there any way RC Javascript could be modified to detect this situation and flag it up in a more helpful way?
-
I don't think so, but I agree it would be nice for a cleaner error message for this problem.
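-
Added example (not part of the original thread and not Roundcube code): a Python check an administrator could run over response headers, for instance saved from `curl -sI`, to see which X-Frame-Options policy a browser will apply when the web server and the application both set one. The classification follows the X-Frame-Options processing rules in the HTML Standard; the function names and sample responses are constructed for illustration.

```python
# Added example. Sample responses are constructed, not captured from the thread.
# A CSP frame-ancestors directive, if present, overrides X-Frame-Options
# and is not examined here.

KNOWN = {"deny", "sameorigin", "allowall"}

def xfo_values(raw_headers):
    """Collect every X-Frame-Options value (comma-split, lower-cased)."""
    values = set()
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.update(v.strip().lower() for v in value.split(",") if v.strip())
    return values

def framing_policy(raw_headers):
    """Return 'deny', 'sameorigin', 'conflicting' or 'none'."""
    values = xfo_values(raw_headers)
    if len(values) > 1:
        # Several different values: blocked if any is a recognised keyword,
        # otherwise the header is treated as invalid and ignored.
        return "conflicting" if values & KNOWN else "none"
    if values == {"deny"}:
        return "deny"
    if values == {"sameorigin"}:
        return "sameorigin"
    return "none"  # header absent, or a single unrecognised value

def blocks_same_origin_framing(raw_headers):
    """True when the page cannot be framed even by its own origin."""
    return framing_policy(raw_headers) in ("deny", "conflicting")

# Constructed: only the server-wide header from ssl-params.conf is present.
SERVER_DENY = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff"""

# Constructed: the server header and an application-set header both appear.
BOTH_LAYERS = SERVER_DENY + "\nX-Frame-Options: sameorigin"

# Constructed: only the application-level value remains.
APP_ONLY = "HTTP/1.1 200 OK\nX-Frame-Options: sameorigin"

if __name__ == "__main__":
    for label, raw in (("server", SERVER_DENY), ("both", BOTH_LAYERS), ("app", APP_ONLY)):
        print(label, framing_policy(raw), blocks_same_origin_framing(raw))
```

A result of 'deny' or 'conflicting' on the webmail URL means the browser will refuse same-origin frames, which is the condition the last replies describe.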