Machine details:

  • Ubuntu 20.04.3 LTS
  • Apache2 2.4.41
  • Mariadb 15.1 (don't think it's pertinent)

I recently followed a guide to install modoboa (mail server) on a fresh server. The default setup installs with nginx, which in the end did work (at least the page mail.mysite.com loaded).

After disabling nginx and enabling apache2, I created /etc/apache2/sites-enabled/modoboa.conf as

<VirtualHost *:80>
  ServerName mail.mysite.com
  DocumentRoot /srv/modoboa/instance/

  Alias /media/ /srv/modoboa/instance/media/
  <Directory /srv/modoboa/instance/media>
    Require all granted
  </Directory>

  Alias /sitestatic/ /srv/modoboa/instance/sitestatic/
  <Directory /srv/modoboa/instance/sitestatic>
    Require all granted
  </Directory>

  WSGIScriptAlias / /srv/modoboa/instance/instance/wsgi.py

  # Pass Authorization header to enable API usage:
  WSGIPassAuthorization On
</VirtualHost>

Following a certbot command sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email me@gmail.com -d mail.mysite.com the following was generated:

<IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
<VirtualHost *:443>
  ServerName mail.mysite.com
  DocumentRoot /srv/modoboa/instance/

  Alias /media/ /srv/modoboa/instance/media/
  <Directory /srv/modoboa/instance/media>
    Require all granted
  </Directory>

  Alias /sitestatic/ /srv/modoboa/instance/sitestatic/
  <Directory /srv/modoboa/instance/sitestatic>
    Require all granted
  </Directory>

  WSGIScriptAlias / /srv/modoboa/instance/instance/wsgi.py

  # Pass Authorization header to enable API usage:
  WSGIPassAuthorization On

  SSLCertificateFile /etc/letsencrypt/live/mail.mysite.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mail.mysite.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
  Header always set Strict-Transport-Security "max-age=31536000"
  SSLUseStapling on
</VirtualHost>
</IfModule>

Now when I try to connect to mail.mysite.com I just get a 403 forbidden error. Looking into /var/log/apache2/error.log I see:

[Thu Aug 19 20:52:04.159144 2021] [core:notice] [pid 6213] AH00094: Command line: '/usr/sbin/apache2'
[Thu Aug 19 20:52:06.296969 2021] [authz_core:error] [pid 6216] [client 74.206.137.114:49866] AH01630: client denied by server configuration: /srv/modoboa/instance/instance/wsgi.py

Looking around, I saw things like this SF question. Following those, I did change what I had before ("Order deny,allow" and "Allow from all") to the setup shown above, yet I still have the same error.

Looking with ls -ls /srv/ I see drwxr-xr-x 7 modoboa modoboa 4096 Aug 19 19:42 modoboa, which I believe shows modoboa can do its own thing fine.

Given this worked when nginx was enabled, I feel like it's something to do with my apache2 configs, but I really just can't tell what it is. If anyone has some insight on the matter I would greatly appreciate it.

Ronan
  • 101

1 Answer

Looks like you are missing this definition inside your vhost configs

  <Directory /srv/modoboa/instance/instance>
    Require all granted
  </Directory>

I would also not count on the user permissions being modoboa:modoboa for files, which apache needs to serve. You could change them to the default ones.

chown -R www-data:www-data /srv/modoboa
Alex
  • 296
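
An added example, not part of the question or the answer above: a small Python check that lists every Alias and WSGIScriptAlias target in a vhost that no `<Directory>` section with `Require all granted` covers, which is the condition behind the AH01630 line in the log. It assumes one directive per line and that the server-wide default denies anything not explicitly granted; `SAMPLE_VHOST` is constructed from the question's port-80 vhost (abbreviated) and the function names are hypothetical.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the question's port-80 vhost, one directive per line.
SAMPLE_VHOST = """\
<VirtualHost *:80>
  ServerName mail.mysite.com
  DocumentRoot /srv/modoboa/instance/
  Alias /media/ /srv/modoboa/instance/media/
  <Directory /srv/modoboa/instance/media>
    Require all granted
  </Directory>
  Alias /sitestatic/ /srv/modoboa/instance/sitestatic/
  <Directory /srv/modoboa/instance/sitestatic>
    Require all granted
  </Directory>
  WSGIScriptAlias / /srv/modoboa/instance/instance/wsgi.py
</VirtualHost>
"""

def granted_dirs(conf):
    """Return paths of <Directory> sections containing 'Require all granted'."""
    dirs, current = [], None
    for line in map(str.strip, conf.splitlines()):
        opened = re.match(r'<Directory\s+"?([^">\s]+)"?\s*>', line, re.I)
        if opened:
            current = PurePosixPath(opened.group(1))
        elif re.match(r'</Directory>', line, re.I):
            current = None
        elif current is not None and re.match(r'Require\s+all\s+granted\b', line, re.I):
            dirs.append(current)
    return dirs

def uncovered_targets(conf):
    """Return (directive, path) for Alias/WSGIScriptAlias targets no granted dir covers."""
    allowed = granted_dirs(conf)
    missing = []
    for line in map(str.strip, conf.splitlines()):
        m = re.match(r'(Alias|WSGIScriptAlias)\s+\S+\s+"?([^"\s]+)', line, re.I)
        if not m:
            continue
        target = PurePosixPath(m.group(2))
        if not any(d == target or d in target.parents for d in allowed):
            missing.append((m.group(1), str(target)))
    return missing

if __name__ == "__main__":
    for directive, path in uncovered_targets(SAMPLE_VHOST):
        print(f"{directive} target not covered by a granted <Directory>: {path}")
```

Run it against both the port-80 file and the certbot-generated SSL vhost, since each carries its own copy of the directives.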