Webmail Server help??

[Homercidal]

Thanks for looking. I want to replace my old mail server with a new one. I looked into hmailserver and am trying it out running on an Server 2003 machine for a testbed. Just installed roundcube webmail and it works great ON THAT BOX! Elsewhere on the network, not so good.

When I try to access the server from another machine I get the: 403 you do not have permission to access **** on this server. I have tried several locations and even when specifying the index.php file that is the default, it still gives that error.

I've checked the directory config in httpd.conf and gave Everyone full rights for the /www folder and below.

I'm obviously overlooking something here as this should be pretty easy. I'm accessing the apache server or else I wouldn't be getting the error message. I'm really thinking it must be a user rights issue, but I can't think why it blocks remote users and allows local users...

I gotta go pick up my kid. If anyone can think of anything, I'd appreciate a reply. Thanks!

 

[JeepDiver]

well first suggestion would be to look at the firewall and make sure the incoming port you are using is open. Second, not sure what your situation is, but I gave up on my own mail server a while back and went to google apps. If you don't mind the evil empire cataloging your email, it's just a lot easier.

 

[feinbera]

Does the 403 page have one of those taglines saying what software generated the error page? That should allow you to determine if you're getting blocked at the firewall vs. on the server, although, I think the firewall is extremely unlikely -- you'd just get a connection failure rather than a valid HTTP response with a 403 error in it.

Have you tried just throwing a silly HTML file, "<html><body>hello world!</body></html>" or somesuch, into your www directory, and seeing if that works any better? This will help you determine if your webserver is misconfigured (if you can't even get "hello world" to load), versus the mail software being too smart for its own good ("hello world" works, but the mail program still 403's).

If I had to take a wild-ass guess as a *nix guy, I'd say there's some default setting to not let any web requests through as a band-aid for the fact that Microsoft can't actually write a secure OS.... but, then, that may just be my prejudices as non-Windows guy coming through.

 

[JeepDiver]

If I had to take a wild-ass guess as a *nix guy, I'd say there's some default setting to not let any web requests through as a band-aid for the fact that Microsoft can't actually write a secure OS.... but, then, that may just be my prejudices as non-Windows guy coming through.

Would you really like someone to go pull up all of the patches that *nix has to have to be secure. Not that I am a Windows fanboy, but if you actually belive out of the box *nix is secure, when it is basically an open source OS that hackers have access to the source to look at most of it, then you really have no business talking about computer security.

Now just like a well patched MS OS, a well patched *nix OS is secure, but considering you have to know how to patch the *nix OS, vs letting windows update patch the MS OS, I'd be willing to bet you that a higher % of MS OSes are more secure than *nix

 

[Homercidal]

The firewall was turned off. If it was up and blocking I'd get a could not contact server message,right?

This is a VERY fresh server 2003 trial copy, and literally has nothing installed except what comes with the OS and the updates. I can't think of anything that would block it except the firewall and again, it would prevent Apache from handing the error message out too.

It's always the small detail that gets you. I'm sure that's the case this time too. I just can't wrap my head around what it is. I want to say that either the file permissions are incorrect, or Apache is still configured wrong for remote users (And I don't think it can tell local users from remote users.)

 

[JeepDiver]

well if the firewall is down, then that isn't the issue, but I have got a 403 error from IIS before when port 80 was open, but some other port that the app redirected too wasn't.

The other issue is the UAC access control stuff. If the user that the webserver is using to try to access specfic files or directories doesn't have access then you can get a 403. In IIS it's usually the Network Service Account, but may be something else in Apache.

You can try killing UAC to see if it works, but If so I would reenable and figure out the right permissions for the right account http://www.windowsnetworking.com/kbase/WindowsTips/WindowsVista/AdminTips/Security/DisablingUAC.html

 

[JeepDiver]

also check your windows Event logs, sometimes you will get better messages in there than just the 403 error

 

[tonyp063]

When I try to access the server from another machine I get the: 403 you do not have permission to access **** on this server. I have tried several locations and even when specifying the index.php file that is the default, it still gives that error.

It's not a firewall issue. It's not a UNIX vs Windows (OS) issue.
It's strictly about the webserver configuration

Take a look at the httpd.conf & what the Directory Index is set for, globally.
And look to see if the vhost configuration has an Allow Override, as appropriate.

Make sure you've got an index.(whatever) & the Directory Index line in th conf specifies the .(whatever) as valid.
Also. Check to be sure Apache has appropriate permissions in the webroot.

 

[tonyp063]

Homer, you are on the correct track.
If you are getting a 403 from a remote connection then you know that:

The webserver hears the request & responds. Therefore it's *NOT* a firewall issue.

The issue is the "fresh out of the box" Apache install.
It's set to be pretty anal as to what it ill & won't serve.

I don't do Windows server, so I don't pretend to understand the environment specifically, but in the *NIX world I'd look to be sure the apache UID can read (or write) the webroot, as appropriate.

I'd also look for the directory index rule. It should be something like this.

<Directory "F:/bar/public">
Order Allow,Deny
Allow from All
# Any other directory-specific stuff
</Directory>

 

[Homercidal]

Thanks, Tony. I'm going through the httpd.conf file line by line and refreshing my memory on what each entry does. The error.log file indicates that there is something wrong with the directory statements, but I haven't found it yet. I was in a bit of a rush yesterday and right now I have time to slow down and do some reading. It's a pretty simple webserver setup right now. Just serving webmail. It's a canned install of Apache/roundcube/PHP, etc. With hmailserver handling the mail. I kind of expected it to have all of the basics set up properly. Maybe this isn't one of the basics?

Oh well, time to turn up the Pink Floyd and load up some man pages.

 

[Homercidal]

And of course today all kinds of things seem to getting in the way. I did try messing around with the directory directives and stuff, but to no avail.

I need to better understand how Windows recognizes someone coming into port 80 and who it's defined as, compared with a local user using port 80... I'm stuck because it works great from the machine itself, and from outside it gets to the Apache server and is rejected. It's just a web server. I would think that Windows wouldn't matter as long as the firewall is letting it get to the web server.

 

[feinbera]

Apache allow and deny directives can be applied to specific hosts, IP's or ranges of IP's -- maybe you've got a "deny from all" followed by an "allow from localhost" or "allow from 127.0.0.1" somewhere?

I'd look for anything with "allow" or "deny" in it (case-INsensitive) -- this can be in your httpd.conf itself, in any config directories your apache is also reading from (no idea where these live by default on windows, but the answer is probably a quick google away), or in any .htaccess files in your web root.

Everything you wanted to know about Apache access control, but were afraid to ask: https://httpd.apache.org/docs/2.0/mod/mod_access.html

 

[Homercidal]

The default config had a deny all to start with and then a standard allow for the webmail stuff. I even commented out the deny all and tried it and it was a no go. I'll have another look at htaccess after I reboot for an SQL management studio installation.