Roundcube unable to send images

roundcube 1.4.11
installed plugins filesystem_attachments 1.0 , jqueryui 1.12
MariaDB 10.3.28
CentOS 8.5.2111
Apache 2.4.37
________________
Unable to send email with embedded images or attached images. Also unable to save to Drafts such emails.
No error messages, just a small notification that constantly spins "Sending..." or "Saving ..."
Hitting Cancel button does not result in anything, can only close the window.

What am I missing in my configuration?

 

What do mail logs and other logs show? Is disk full or disk quota full? Are e-mails with no attatchments getting sent OK?

 

roundcube_access.log and roundcube_error.log are empty.
secure and mailllog don't show anything related to emailing attempt, it doesn't even show in messages.

What I can add is that if in plain text mode a file attachment can be sent, but if in HTML mode just get spinning wheels.

 

So this is not about e-mail attatchments, but you write HTML format e-mails and include images and files in the HTML? I have not tried to send HTML e-mail and have configured my e-mail clients to only show text, so I am unfamiliar with this concept.
Where are you inserting the image files from?
I just tried from my Roundcube sending HTML e-mail with inserted image file. It works OK.

 

I tried with copy-and-paste into the email body and with attaching an image.
I'm stumped. Must be something wrong with the way the HTML is getting formatted but what? Is the problem with roundcube? apache? a library component? No error is being thrown, or at least not being thrown that the system catches.

 

When i start my message , the following shows up:
DevTools failed to load source map: Could not load content for https://emailat.1234.xyz/roundcube/program/js/tinymce/skins/lightgray/skin.min.css.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE

then after waiting a couple of minutes so that it tries to save a draft , this error:
/roundcube/?_task=mail&_unlock=loading1652716032435&_framed=1&_lang=en_US:1
POST https://emailat.1234.xyz/roundcube/?_task=mail&_unlock=loading1652716032435&_framed=1&_lang=en_US 403 (Forbidden)

The file skin.min.css does exist:
[root@emailat lightgray]# pwd
/var/www/html/roundcube/program/js/tinymce/skins/lightgray
[root@emailat lightgray]# ls -ltr
total 84
-rw-r--r--. 1 apache apache 27895 Jul 12 2020 skin.mobile.min.css
-rw-r--r--. 1 apache apache 44049 Jul 12 2020 skin.min.css
-rw-r--r--. 1 apache apache 234 Jul 12 2020 content.mobile.min.css
-rw-r--r--. 1 apache apache 4017 Jul 12 2020 content.min.css
-rw-r--r--. 1 apache apache 3611 Jul 12 2020 content.inline.min.css
drwxr-xr-x. 2 apache apache 211 Feb 8 2021 fonts
drwxr-xr-x. 2 apache apache 77 May 24 2021 img

 

[root@emailat httpd]# grep lightgr *_log
ssl_access_log:192.168.1.16 - - [16/May/2022:08:44:12 -0700] "GET /roundcube/program/js/tinymce/skins/lightgray/skin.min.css?s=40091100 HTTP/1.1" 200 44049
ssl_access_log:192.168.1.16 - - [16/May/2022:08:44:12 -0700] "GET /roundcube/program/js/tinymce/skins/lightgray/content.min.css?s=40091100 HTTP/1.1" 200 4017
ssl_access_log:192.168.1.16 - - [16/May/2022:08:44:12 -0700] "GET /roundcube/program/js/tinymce/skins/lightgray/fonts/tinymce-small.woff HTTP/1.1" 200 9380
ssl_access_log:192.168.1.16 - - [16/May/2022:08:44:29 -0700] "GET /roundcube/program/js/tinymce/skins/lightgray/skin.min.css.map HTTP/1.1" 404 196
ssl_request_log:[16/May/2022:08:44:12 -0700] 192.168.1.16 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /roundcube/program/js/tinymce/skins/lightgray/skin.min.css?s=40091100 HTTP/1.1" 44049
ssl_request_log:[16/May/2022:08:44:12 -0700] 192.168.1.16 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /roundcube/program/js/tinymce/skins/lightgray/content.min.css?s=40091100 HTTP/1.1" 4017
ssl_request_log:[16/May/2022:08:44:12 -0700] 192.168.1.16 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /roundcube/program/js/tinymce/skins/lightgray/fonts/tinymce-small.woff HTTP/1.1" 9380
ssl_request_log:[16/May/2022:08:44:29 -0700] 192.168.1.16 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /roundcube/program/js/tinymce/skins/lightgray/skin.min.css.map HTTP/1.1" 196

the error.log and www-error.log in /var/log/php-fpm are empty. Here is the php.conf , i don't see mention of log level.
[root@emailat php-fpm]# cat /etc/httpd/conf.d/php.conf
#
# The following lines prevent .user.ini files from being viewed by Web clients.
#
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
</IfModule>
</Files>

#
# Allow php to handle Multiviews
#
AddType text/html .php

#
# Add index.php to the list of files that will be served as directory
# indexes.
#

# mod_php options
<IfModule mod_php7.c>
#
# Cause the PHP interpreter to handle files with a .php extension.
#
<FilesMatch \.(php|phar)$>
SetHandler application/x-httpd-php
</FilesMatch>

#
# Uncomment the following lines to allow PHP to pretty-print .phps
# files as PHP source code:
#
#<FilesMatch \.phps$>
# SetHandler application/x-httpd-php-source
#</FilesMatch>

#
# Apache specific PHP configuration options
# those can be override in each configured vhost
#
php_value session.save_handler "files"
php_value session.save_path "/var/lib/php/session"
php_value soap.wsdl_cache_dir "/var/lib/php/wsdlcache"

#php_value opcache.file_cache "/var/lib/php/opcache"
</IfModule>

# Redirect to local php-fpm if mod_php (5 or 7) is not available
<IfModule !mod_php5.c>
<IfModule !mod_php7.c>
# Enable http authorization headers
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

<FilesMatch \.(php|phar)$>
SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
</FilesMatch>
</IfModule>
</IfModule>

 

Should I just give up on getting roundcube to work properly?

 

That is for you to decide. How important is it to send HTML e-mails?
I do not send e-mails in HTML-format, and do not want to receive them.
If you want to work with finding out why your installation works strangely, this may help: https://www.php.net/manual/en/function.error-reporting.php

 

Here is what shows in Debug Console when I try saving an HTML draft

nothing shows up in the php-fpm/error.log or www-error.log,
httpd/ssl_error_log does have some entries:

[Fri May 20 08:24:35.490601 2022] [:error] [pid 657595:tid 139811008456448] [client 192.168.1.16:63519] [client 192.168.1.16] ModSecurity: Rule 55c97961caa0 [id "932100"][file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "122"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "emailat.example.tld"] [uri "/roundcube/"] [unique_id "Yoeys6MGgFrV2WmFcQDbpQAAANU"], referer: https://emailat.example.tld/roundcube/?_task=mail&_action=compose&_id=10610413006287b2a8803c3

[Fri May 20 08:24:35.490763 2022] [:error] [pid 657595:tid 139811008456448] [client 192.168.1.16:63519] [client 192.168.1.16] ModSecurity: Rule 55c979628890 [id "932105"][file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "158"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "emailat.example.tld"] [uri "/roundcube/"] [unique_id "Yoeys6MGgFrV2WmFcQDbpQAAANU"], referer: https://emailat.example.tld/roundcube/?_task=mail&_action=compose&_id=10610413006287b2a8803c3

[Fri May 20 08:24:35.496492 2022] [:error] [pid 657595:tid 139811008456448] [client 192.168.1.16:63519] [client 192.168.1.16] ModSecurity: Warning. Pattern match "\\\\b(?:if(?:/i)?(?: not)?(?: exist\\\\b| defined\\\\b| errorlevel\\\\b| cmdextversion\\\\b|(?: |\\\\().*(?:\\\\bgeq\\\\b|\\\\bequ\\\\b|\\\\bneq\\\\b|\\\\bleq\\\\b|\\\\bgtr\\\\b|\\\\blss\\\\b|==))|for(?:/[dflr].*)? %+[^ ]+ in\\\\(.*\\\\)\\\\s?do)" at ARGS:_message. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "412"] [id "932140"] [msg "Remote Command Execution: Windows FOR/IF Command Found"] [data "Matched Data: if they try to induce a sense of urgency no matter how<br/>&lsquo official&rsquo they seem.<br/><br/>&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp #4<br/><br/>&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp use a virtual private network(vpn) on all public wifi connections <br/><br/>&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp vpns like bitdefender add an extra layer of protection between your<br/>devices and the internet. most public hotspots offer little privacy<br/>..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [ [hostname "emailat.example.tld"] [uri "/roundcube/"] [unique_id "Yoeys6MGgFrV2WmFcQDbpQAAANU"], referer: https://emailat.example.tld/roundcube/?_task=mail&_action=compose&_id=10610413006287b2a8803c3

[Fri May 20 08:24:35.526762 2022] [:error] [pid 657595:tid 139811008456448] [client 192.168.1.16:63519] [client 192.168.1.16] ModSecurity: Rule 55c978dff9d0 [id "941160"][file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "199"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "emailat.example.tld"] [uri "/roundcube/"] [unique_id "Yoeys6MGgFrV2WmFcQDbpQAAANU"], referer: https://emailat.example.tld/roundcube/?_task=mail&_action=compose&_id=10610413006287b2a8803c3

[Fri May 20 08:24:35.534300 2022] [:error] [pid 657595:tid 139811008456448] [client 192.168.1.16:63519] [client 192.168.1.16] ModSecurity: Rule 55c978e23d00 [id "941200"][file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "299"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "emailat.example.tld"] [uri "/roundcube/"] [unique_id "Yoeys6MGgFrV2WmFcQDbpQAAANU"], referer: https://emailat.example.tld/roundcube/?_task=mail&_action=compose&_id=10610413006287b2a8803c3

[Fri May 20 08:24:35.550924 2022] [:error] [pid 657595:tid 139811008456448] [client 192.168.1.16:63519] [client 192.168.1.16] ModSecurity: Rule 55c978e86d48 [id "941350"][file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "573"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "emailat.example.tld"] [uri "/roundcube/"] [unique_id "Yoeys6MGgFrV2WmFcQDbpQAAANU"], referer: https://emailat.example.tld/roundcube/?_task=mail&_action=compose&_id=10610413006287b2a8803c3

[Fri May 20 08:24:35.587450 2022] [:error] [pid 657595:tid 139811008456448] [client 192.168.1.16:63519] [client 192.168.1.16] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "emailat.example.tld"] [uri "/roundcube/"] [unique_id "Yoeys6MGgFrV2WmFcQDbpQAAANU"], referer: https://emailat.example.tld/roundcube/?_task=mail&_action=compose&_id=10610413006287b2a8803c3

[Fri May 20 08:24:35.587667 2022] [:error] [pid 657595:tid 139811008456448] [client 192.168.1.16:63519] [client 192.168.1.16] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"] [hostname "emailat.example.tld"] [uri "/roundcube/"] [unique_id "Yoeys6MGgFrV2WmFcQDbpQAAANU"], referer: https://emailat.example.tld/roundcube/?_task=mail&_action=compose&_id=10610413006287b2a8803c3​

httpd/modsec_audit.log shows:

Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.1.16] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "emailat.example.tld"] [uri "/roundcube/"] [unique_id "Yoeys6MGgFrV2WmFcQDbpQAAANU"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.1.16] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"] [hostname "emailat.example.tld"] [uri "/roundcube/"] [unique_id "Yoeys6MGgFrV2WmFcQDbpQAAANU"]
Action: Intercepted (phase 2)
Stopwatch: 1653060275459076 128887 (- - -)
Stopwatch2: 1653060275459076 128887; combined=117517, p1=523, p2=116860, p3=0, p4=0, p5=134, sr=139, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.3.0.
Server: Apache
Engine-Mode: "ENABLED"​

So there is something going on with the Apache. Seems to be in the modsecurity. Which i have a feeling is not working properly as the 403 error is not getting sent back via the main branch of Apache as the browser does not give the 403 error nor is it in the httpd log.

 

i think changing the mod_security.conf so that SecRequestBodyAccess Off has the setup working as anticipated.