• papapup

    (@papapup)


    Hi there,
    I am getting HTML emails blocked by WordFence.

    Let me describe the setup environment.

    • WordFence is installed together with WordPress on Domain A with its own directory (\Root\DomainA)
    • There is also another WordFence install with WordPress on Domain B with its own directory (\Root\DomainB)
    • RoundCube is installed on Domain C with its own directory (\Root\DomainC)
    • Domain A, Domain B and Domain C are all hosted on the same server, whose primary domain is D; D does not have any website at all.

    What we know from our diagnostics:

    • When RoundCube on Domain C has an email that needs to be replied to or forwarded, on clicking “Send” we get a prompt from RoundCube (see ‘Error Message.png’ on Screenshots on MS OneDrive for WordFence)
    • Further to the above, when we try to “Open in New Window” the email for reply on RoundCube, a pop-up window appears (see “Error Pop-Up Window Message.png” on Screenshots on MS OneDrive for WordFence)
    • With that, it prompted us to check WordFence on Domain A and Domain B. We found that only Domain A’s WordFence Live Traffic showed it being blocked, not Domain B’s. (See “WordFence Live Traffic Details.png” on Screenshots on MS OneDrive for WordFence)
    • When we whitelisted it, the problem was resolved. Whitelisting only happened on Domain A. Domain B was not detecting it, therefore there wasn’t anything to whitelist.
    • When we remove the whitelist on Domain A, Domain B starts blocking it and we will need to whitelist it on Domain B. There is no need to whitelist it on Domain A.
    • The emails are HTML emails that originate from Hotmail.com/Outlook.com or HTML emails generated using Microsoft Outlook 365 email clients. Other HTML emails originating from Google Gmail or HTML emails generated using the iOS mail application appear to have no issue. Plain text emails are not affected.
    • Further to it, without whitelisting it, when we check the HTML code of the email, we find that the following HTML code is what caused the blocking:
    <style type="text/css">@font-face
    { font-family: "Cambria Math"; }
    @font-face
    { font-family: DengXian; }
    @font-face
    { font-family: Aptos; }
    @font-face
    { font-family: "Gill Sans MT"; }
    @font-face
    { font-family: Tahoma; }
    @font-face
    { font-family: "@DengXian"; }

    #replybody1 p.MsoNormal, #replybody1 li.MsoNormal, #replybody1 div.MsoNormal
    { margin: 0cm; font-size: 12.0pt; font-family: "Aptos",sans-serif; mso-ligatures: standardcontextual; }
    #replybody1 span.EmailStyle17
    { mso-style-type: personal-compose; font-family: "Aptos",sans-serif; color: windowtext; }
    #replybody1 .MsoChpDefault
    { mso-style-type: export-only; }
    @page WordSection1
    { size: 612.0pt 792.0pt; margin: 72.0pt 72.0pt 72.0pt 72.0pt; }
    #replybody1 div.WordSection1
    {}</style>

    The question now is

    • What does not make sense: why would WordFence installed with WordPress on Domain A block something on Domain C?

    Or is it something else?

    Appreciate assistance.

    Thank you.

    • This topic was modified 3 months ago by papapup. Reason: Additional Critical Missing Information to Share
Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter papapup

    (@papapup)

    Details in this reply have been added to the above.

    • This reply was modified 3 months ago by papapup.
    Plugin Support wfpeter

    (@wfpeter)

    Hi @papapup, thanks for the extremely detailed explanation of how this is configured.

    I’ve only seen Roundcube being blocked by Wordfence on one other occasion, but it was down to being a custom installation inside the root web folder, similar to yours rather than being available through cPanel or similar. I appreciate you’ve separated the domains into their own folders but Wordfence may be configured to run before any PHP is executed on the entire root folder and all child folders.

    The reason why this might have happened is because when Wordfence Extended Protection is turned on, the .htaccess or .user.ini inside the root folder may have auto_prepend_file = '/your/path/to/wordfence-waf.php' inside it rather than inside the /DomainA folder only. This line of code tells Wordfence to run before any PHP is served to the browser so might indeed be running before Roundcube runs too.

    You may notice simply removing that line from the appropriate file in the root folder and pasting it into its own .htaccess or .user.ini inside /DomainA will solve the problem. Keep the path to the file itself the same otherwise you could encounter blank pages or 500 errors when trying to load the site. Take a full backup if you’re uncertain about any of this beforehand.

    If you’d prefer not to change this, there was also a resolution using Learning Mode in the other customer’s case that I’ll place below:

    I turned Learning mode on, hit save button, then logged into RoundCube and forwarded a few messages. Then made Wordfence back to “Enable and Protecting” and hit save button again. E-mails are being forwarded as they should.

    I hope that helps you out!
    Peter.

    • This reply was modified 3 months ago by wfpeter.
    • This reply was modified 3 months ago by wfpeter. Reason: Removed mention of relative path as this isn't applicable in auto_prepend_file, it's always the full path to the file
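
Added example (not part of the thread and not Wordfence code): a shell function that walks from a directory up to a stop directory and lists every uncommented auto_prepend_file directive in the .htaccess and .user.ini files along the way, which is the check the explanation above calls for. The function names, the demo layout and its paths are constructed for illustration; walking every parent is deliberately broader than what the web server may actually honour.

```shell
#!/bin/sh
# Added example, not from the thread. Layout and paths below are constructed.

# find_prepend DIR [STOP]: print each active auto_prepend_file directive found
# in .htaccess / .user.ini from DIR up to STOP (default /). Returns 0 if any
# directive was found, 1 if none, 2 if DIR or STOP does not exist.
find_prepend() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    stop=$(cd "${2:-/}" 2>/dev/null && pwd -P) || return 2
    rc=1
    while :; do
        for f in "$dir/.htaccess" "$dir/.user.ini"; do
            [ -f "$f" ] || continue
            # Skip comment lines: '#' in .htaccess, ';' in .user.ini.
            if awk '!/^[ \t]*[#;]/ && /auto_prepend_file/ {
                        print FILENAME ":" FNR ": " $0; n++ }
                    END { exit (n ? 0 : 1) }' "$f"; then
                rc=0
            fi
        done
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# Constructed layout: the WAF directive sits in the shared root folder,
# DomainA also has its own, DomainC (Roundcube) only has a commented-out one.
make_demo_tree() {
    root=$(cd "$(mktemp -d)" && pwd -P) || return 1
    mkdir "$root/DomainA" "$root/DomainC"
    printf '%s\n' '; Wordfence WAF' \
        "auto_prepend_file = '$root/DomainA/wordfence-waf.php'" \
        '; END Wordfence WAF' > "$root/.user.ini"
    printf '%s\n' "php_value auto_prepend_file '$root/DomainA/wordfence-waf.php'" \
        > "$root/DomainA/.htaccess"
    printf '%s\n' "# php_value auto_prepend_file '/old/path/waf.php'" \
        > "$root/DomainC/.htaccess"
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
echo "Directives that reach DomainC (Roundcube):"
find_prepend "$demo/DomainC" "$demo" || echo "none"
rm -rf "$demo"
```

A directive set in the server-wide php.ini is not covered by this walk.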
    Thread Starter papapup

    (@papapup)

    Happy Day @wfpeter,

    Thank you for the update and recommended approaches.

    We have checked that each of Domain A, Domain B and Domain C has its own .htaccess.

    Domain A & B are as below, whereas Domain C’s .htaccess relates to RoundCube, which I am not publishing here.

    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    # Wordfence WAF
    <IfModule LiteSpeed>
    php_value auto_prepend_file '/home/pathto/theDomain/wordfence-waf.php'
    </IfModule>
    <IfModule lsapi_module>
    php_value auto_prepend_file '/home/pathto/theDomain/wordfence-waf.php'
    </IfModule>
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>

    # php -- BEGIN cPanel-generated handler, do not edit
    # Set the “ea-php74” package as the default “PHP” programming language.
    <IfModule mime_module>
    AddHandler application/x-httpd-ea-php74 .php .php7 .phtml
    </IfModule>
    # php -- END cPanel-generated handler, do not edit

    For Domain D, we have checked that there isn’t any .htaccess in the /home/pathto directory. However, there is one under /home/pathto/public_html, where Domain D, being the primary domain, is typically assigned, as below:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://DomainD.com/$1 [R,L]

    # php -- BEGIN cPanel-generated handler, do not edit
    # Set the “ea-php74” package as the default “PHP” programming language.
    <IfModule mime_module>
    AddHandler application/x-httpd-ea-php74 .php .php7 .phtml
    </IfModule>
    # php -- END cPanel-generated handler, do not edit

    Where Wordfence is installed, Domain A and Domain B each have their own user.ini:

    ; Wordfence WAF
    auto_prepend_file = '/home/pathto/theDomain/wordfence-waf.php'
    ; END Wordfence WAF

    Can I say in conclusion, there shouldn’t be anything that could redirect it to WordFence from RoundCube?

    While “learning mode” provides a solution to it, we didn’t experience any of this for 4 years until now. Therefore it prompted us to do a major drill-down into this matter, leading to WordFence flagging the following code as being blocked as potentially malicious XSS (Cross-Site Scripting):

    <style type="text/css">@font-face
    { font-family: "Cambria Math"; }
    @font-face
    { font-family: DengXian; }
    @font-face
    { font-family: Aptos; }
    @font-face
    { font-family: "Gill Sans MT"; }
    @font-face
    { font-family: Tahoma; }
    @font-face
    { font-family: "@DengXian"; }

    #replybody1 p.MsoNormal, #replybody1 li.MsoNormal, #replybody1 div.MsoNormal
    { margin: 0cm; font-size: 12.0pt; font-family: "Aptos",sans-serif; mso-ligatures: standardcontextual; }
    #replybody1 span.EmailStyle17
    { mso-style-type: personal-compose; font-family: "Aptos",sans-serif; color: windowtext; }
    #replybody1 .MsoChpDefault
    { mso-style-type: export-only; }
    @page WordSection1
    { size: 612.0pt 792.0pt; margin: 72.0pt 72.0pt 72.0pt 72.0pt; }
    #replybody1 div.WordSection1
    {}</style>

    Looking at the above, it sure doesn’t look malicious. Can you confirm?

    Appreciate your input on this, as security is of utmost importance to us, and should be to everyone!

    Thread Starter papapup

    (@papapup)

    Hi @wfpeter,

    Can you help on the above to confirm our settings are ok? Anyone from Wordfence can help?

    Appreciate it.

    Regards,

    Allan – @papapup
