stumped: messages not shown, send mail hangs, but Thunderbird A-OK.

rivimey · September 06, 2019, 07:03:41 PM

I have roundcube (was 1.3.8, now 1.3.10) installed on Ubuntu Xenial using Apache/php7.2 talking to dovecot 2.2.22 on localhost.

It was first installed several years ago but has recently stopped working - that is, while I and other users can login and see the list of imap folders, no messages are listed in the summary and no message content is visible. There is a message saying "mailbox is empty". However, I know I have large numbers of mails in these folders because I can see them in Thunderbird.

Sending a test mail works fine (in that the message is sent) except that the process hangs, presumably while trying to add the sent message to the imap sent mail folder.

I have enabled logging in config.inc.php and bumped the log level to 9 (not sure of range?) and can see that the imap server accepts the login and returns a list of subscribed folders. However after that nothing else is in the log.

Since this issue started I have updated the roundcube software to 1.3.10 (changelog) and checked config is sane, but this has not helped. I am using Firefox, but have checked it fails on Chrome as well.

I have wondered if there was some sort of permissions problem but, given Thunderbird is fine, what/where would it be?

Updated:
- I have tried moving all plugins from the 'active' list to the 'installed' list to see if that helped, but it doesn't.
- I can supply elements of the config if requested but would prefer not to spam this list unnecessarily!

SKaero · September 06, 2019, 08:27:30 PM

Enable imap_debug and post the log when you login.

rivimey · September 07, 2019, 08:09:07 AM

I have removed some things for privacy, including replacing session vars= and abbreviating the list of folders.

Code Select


Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [1] SELECT `vars`, `ip`, `changed`, now() AS ts FROM `session` WHERE `sess_id` = '59a7s9ff12o53bhjmv50st2dmg8cr7h5';
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [2] SELECT * FROM `users` WHERE `user_id` = '1';
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready.
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] C: A0001 ID ("name" "Roundcube" "version" "1.3.10" "php" "7.2.21-1+ubuntu16.04.1+deb.sury.org+1" "os" "Linux" "command" "/mail/?_task=mail&_mbox=GER")
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * ID ("name" "Dovecot")
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: A0001 OK ID completed.
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] C: A0002 AUTHENTICATE CRAM-MD5
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: + PDE3MTUzOTQzMTAxNDkyODYuMTU2NzgwOTI5NkBncmV5YXJlYT4=
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] C: ****** [62]
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: A0002 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE] Logged in
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] C: A0003 LIST (SUBSCRIBED) "" "*"
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." INBOX
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." Lists
...[snip]...
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." Sent
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." Drafts
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." Work
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." GER
...[snip]...
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * LIST (\Subscribed) "." Party
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: A0003 OK List completed (0.000 + 0.000 secs).
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [3] UPDATE `session` SET `changed` = now(), `vars` = '..**..' WHERE `sess_id` = '59a7s9ff12o53bhjmv50st2dmg8cr7h5';
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] C: A0004 LOGOUT
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: * BYE Logging out
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [B0B5] S: A0004 OK Logout completed.
Sep  6 23:34:56 greyarea roundcube: <59a7s9ff> [1] SELECT `vars`, `ip`, `changed`, now() AS ts FROM `session` WHERE `sess_id` = '59a7s9ff12o53bhjmv50st2dmg8cr7h5';

SKaero · September 07, 2019, 12:42:43 PM

I don't see it trying to fetch messages, is there any other IMAP logs or is that it?

rivimey · September 07, 2019, 06:02:12 PM

That's it. As you say, it doesn't appear to try fetching messages, but they are there to fetch.

SKaero · September 08, 2019, 12:44:48 PM

If you search for messages do any show up?

rivimey · September 08, 2019, 12:58:49 PM

I've just tried that. Selected amy INBOX folder on the LHS, then entered a common word from subject lines in the search box. No activity whatsoever in the logs (beyond that reported for login).

rivimey · September 08, 2019, 07:58:44 PM

I tried putting print statements as the first lines in the files 'list.inc' and 'folder.inc' of the form:

Code Select

rcube::write_log('session', 'list.inc: A');

expecting to see them turn up in the log output, but they do not. Is the call incorrect, or is something else happening?

SKaero · September 09, 2019, 09:21:46 AM

Are there any errors in your browser JS console?

rivimey · September 09, 2019, 09:37:49 AM

Yes, there are two security-related issues reported, as in this pic.

rivimey · September 09, 2019, 09:43:26 AM

Subsequent to initial page load, I also get a permission denied to access property "dispatchEvent" on cross-origin object, in inject.js

rivimey · September 09, 2019, 10:19:01 AM

Made some progress: I looked for X-Frame-options in the browser headers, saw it was set to DENY, checked the php source, and thus found config item "x_frame_options". Scanning source again, I saw a setting in the new defaults.inc.php, which when added to my own config.inc.php:

$config['x_frame_options'] = 'sameorigin';

results in the folder message list being displayed, for all folders.

However, I still do not get the message itself displayed -- there are still cross-origin errors as in the pic attached.

rivimey · September 09, 2019, 10:44:13 AM

More investigation: the X-Frame-Options: DENY is being set in /etc/apache2/conf-enabled/ssl-params.conf with the lines:

Code Select

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

This is in accordance with advice given by Scott Helme in: https://scotthelme.co.uk/hardening-your-http-response-headers/

I have edited that config file and restarted apache & php-fpm, and then verified that the new frame header is present - it was. However, what I thought in my earlier post was a solution (frame option sameorigin) turns out not to be the case. What has actually happened is that I had the developer tools window open. With it open (and using sameorigin) roundcube works properly. With the dev tools window closed (and logout/re-login) it is as broken as it used to be.

So it looks like a browser interaction issue???

SKaero · September 09, 2019, 11:31:38 PM

Roundcube wont work with the "X-Frame-Options DENY" option. That will have to be disabled in order for Roundcube to work.

rivimey · September 10, 2019, 06:28:00 PM

Ok, thanks.
Is there any way RC Javascript could be modified to detect this situation and flag it up in a more helpful way?