Welcome Guest! To enable all features please Login or Register.

Notification

Icon
Error

Options
Go to last post Go to first unread
steveharke  
#1 Posted : Wednesday, May 25, 2022 8:13:11 AM(UTC)
steveharke

Rank: Newbie

Groups: Registered
Joined: 5/25/2022(UTC)
Posts: 1
United States
Location: Battle Creek, MI

We have 2 servers involved in evaluating/deploying EmailArchitect server 11.0.

Server 1 (public-facing Windows server 2012 standard, running IIS and company website - Internal machine name=SP04.private.local, publicly accessible as www.public.com).

Server 2 (private Windows server 2019 standard, running EmailArchitect Server - Internal machine name=EA01.private.local, private domain private.local).

Client 1 (android phone, Chrome browser).

Client 2 (RDP session on Windows 2012 standard member of domain private.local, Edge browser).

We went through the install of EmailArchitect on EA01, including enabling webmail. When accessing webmail via http://ea01.private.local/emailarchitect from EA01 desktop, we can login OK, create users, etc.

We added the DNS cname 'EAS' at GoDaddy to point to our public static IP address (EAS.public.com). We then setup a new website on SP04.private.local named EAS.public.com, and added a reverse proxy rule to point incoming traffic with header 'eas.public.com' to EA01.private.local. Initial test resulted in compression needing to be disabled on both SP04 and EA01.

From client 1(android phone), initiate Chrome browser for http://EAS.public.com, which DOES eventually send request to EA01, responding with login dialog. However, any attempt to enter email address or password fails, including logging in as 'system'. We get the same results when testing from Client 2.

Are there permissions on EmailArchitect datafiles/folders that need to change (eg, add user IUSR) to make this work?
ivan  
#2 Posted : Saturday, May 28, 2022 3:23:58 AM(UTC)
ivan

Rank: Administration

Groups: Administrators
Joined: 11/11/2010(UTC)
Posts: 1,153

Thanks: 9 times
Was thanked: 55 time(s) in 55 post(s)
could you post more detail that how you set the a reverse proxy rule to point?
opi  
#3 Posted : Thursday, April 27, 2023 1:34:42 PM(UTC)
opi

Rank: Newbie

Groups: Registered
Joined: 4/27/2023(UTC)
Posts: 1
United States
Location: California

Thanks: 1 times
I believe i'm seeing the same issue.
I'm running version 2023.11.0.3.5 with webmail on IIS, behind nginx. I get the login prompt right away but can't login as user or system. No error or feedback.

video illustrating is linked:
https://www.loom.com/sha...5b784452aeda0776d5d8c9e2
ivan  
#4 Posted : Thursday, April 27, 2023 6:43:48 PM(UTC)
ivan

Rank: Administration

Groups: Administrators
Joined: 11/11/2010(UTC)
Posts: 1,153

Thanks: 9 times
Was thanked: 55 time(s) in 55 post(s)
Originally Posted by: opi Go to Quoted Post
I believe i'm seeing the same issue.
I'm running version 2023.11.0.3.5 with webmail on IIS, behind nginx. I get the login prompt right away but can't login as user or system. No error or feedback.

video illustrating is linked:
https://www.loom.com/sha...5b784452aeda0776d5d8c9e2


Hi, in 11.3.0.5, the web mail added the Content-Security-Policy header to prevent the XSS attack. From your video, it seems that the script was denied to execute. Please press F12 to open the browser developer tool, click "Console", and then press F5 to refresh current page, and try to re-login, then check the output of the console, it should report some error.

To solve it quickly, please contact our support team by the email address in the following page:

https://www.emailarchitect.net/support.aspx

Thank you very much.

thanks 1 user thanked ivan for this useful post.
opi on 4/29/2023(UTC)
ivan  
#5 Posted : Thursday, April 27, 2023 10:30:20 PM(UTC)
ivan

Rank: Administration

Groups: Administrators
Joined: 11/11/2010(UTC)
Posts: 1,153

Thanks: 9 times
Was thanked: 55 time(s) in 55 post(s)
The major problem is because the following header added to the response:

content-security-policy: default-src https://original_host/emailarchitect/ 'nonce-nonce70522';frame-src 'self'; base-uri 'self'; connect-src 'self'; frame-ancestors 'self'; form-action 'self'; img-src *; style-src 'self' 'unsafe-inline';

It means only the script from https://original_host/emailarchitect/ can be executed.
If you access it from a proxy, the browser requires the script from https://proxy_host/emailarchitect/, then browser will block the script.

There are two solutions:

- Replace default-src https://original_host/emailarchitect/ ' to default-src https://proxy_host/ ' in your proxy, I believe there are some options to replace the response header value in Nginx
- Edit

C:\Program Files (x86)\EmailArchitect\webaccess\common, ajax, m, login\define.asp (4 files) by notepad, you can find the following codes:

Code:

ScriptSrc = ScriptSrc & url
Response.AddHeader "Content-Security-Policy", "default-src " & ScriptSrc & " 'nonce-" & Nonce & "';frame-src 'self'; base-uri 'self'; connect-src 'self'; frame-ancestors 'self'; form-action 'self';  img-src *; style-src 'self' 'unsafe-inline';"


change it to:
Code:

Response.AddHeader "Content-Security-Policy", "default-src " & ScriptSrc & "  https://proxy_host/ 'nonce-" & Nonce & "';frame-src 'self'; base-uri 'self'; connect-src 'self'; frame-ancestors 'self'; form-action 'self';  img-src *; style-src 'self' 'unsafe-inline';"


that means the scripts from https://proxy_host/ is allowed as well. chane proxy_host to your proxy address.
Users browsing this topic
Guest (2)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Powered by YAF.NET | YAF.NET © 2003-2024, Yet Another Forum.NET
This page was generated in 0.086 seconds.

EXPLORE TUTORIALS

© All Rights Reserved, AIFEI Software Limited & AdminSystem Software Limited.