Hi, we enabled OWASP ModSecurity Core Rule Set V3.0 yesterday and got people contacting support today saying they could not send email.
To get email working again we had to disable rule 949 below:
*******
REQUEST-949-BLOCKING-EVALUATION
The rules in this configuration file blocks traffic that various other configuration files request.
********
However, on cPanel's knowledge base it states:
*********
Warning:
Other rules in the rule set depend on this configuration file to block incoming attacks. If you disable this configuration file, other rules will detect, but not block, incoming attacks.
*********
While testing in Roundcube webmail we got the following when sending email:
Request:
POST /?_task=mail&_unlock=loading1529274082968&_lang=en&_framed=1
Action Description:
Access denied with code 403 (phase 2).
Justification:
Operator GE matched 5 at TX:anomaly_score.
Disabling rule 949 solved SMTP from desktop/mobile clients as well as webmail. However, as the above warning states, other rules will no longer work. I tried disabling the other rules one by one but 949 is the only one which would resolve the issue.
Has anyone else had this? Any solution?
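
One way to see which detection rules pushed a request over the threshold shown in the post ("Operator GE matched 5 at TX:anomaly_score"), as an added example that is not part of the original post. The log lines are constructed in the ModSecurity 2.x error-log style, the rule ids in them are not taken from the poster's logs, and the severity scores assumed are the CRS 3.0 defaults.

```python
import re
from collections import defaultdict

# Constructed sample lines (ModSecurity 2.x Apache error-log style).
# Hostnames, client IPs, unique_id values and matched rules are illustrative.
SAMPLE_LOG = r'''
[error] [client 203.0.113.7] ModSecurity: Warning. detected XSS using libinjection. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/"] [unique_id "AAAA1111"]
[error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [uri "/"] [unique_id "AAAA1111"]
[error] [client 198.51.100.9] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [uri "/"] [unique_id "BBBB2222"]
'''

# Matches the [key "value"] fields ModSecurity appends to each log line.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# CRS 3.0 default anomaly scores per severity (assumed unchanged in crs-setup.conf).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
BLOCKING_RULE = "949110"                   # inbound blocking evaluation rule
REPORTING_PREFIXES = ("949", "959", "980")  # evaluation/correlation files, not detections


def blocked_transactions(log_text):
    """Return {unique_id: {uri, score, rules}} for requests denied by 949110."""
    tx = defaultdict(lambda: {"blocked": False, "uri": None, "rules": []})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if "id" not in fields or "unique_id" not in fields:
            continue
        entry = tx[fields["unique_id"]]
        entry["uri"] = fields.get("uri")
        if fields["id"] == BLOCKING_RULE:
            entry["blocked"] = True
        elif not fields["id"].startswith(REPORTING_PREFIXES):
            # A detection rule: it added to the score but did not block by itself.
            entry["rules"].append((fields["id"], fields.get("severity", ""), fields.get("msg", "")))
    report = {}
    for uid, entry in tx.items():
        if entry["blocked"]:
            score = sum(SEVERITY_SCORE.get(sev, 0) for _, sev, _ in entry["rules"])
            report[uid] = {"uri": entry["uri"], "score": score, "rules": entry["rules"]}
    return report


if __name__ == "__main__":
    for uid, info in blocked_transactions(SAMPLE_LOG).items():
        print(uid, info["uri"], "score", info["score"])
        for rule_id, severity, msg in info["rules"]:
            print("   ", rule_id, severity, msg)
```

The rule ids listed under each blocked transaction are the detections that fed the score, which is where a narrowly scoped exclusion would apply instead of turning off the 949 file.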