INBOX empty but properties shows right size and number of emails #9634

Closed
2 tasks done
pmaksimowicz opened this issue Sep 12, 2024 · 5 comments

@pmaksimowicz

Prerequisites

  • I have searched for duplicate or closed issues
  • I can recreate the issue with all plugins disabled

Describe the issue

I have a really weird problem with RC 1.6.8-1 on an ArchLinux machine (nginx-mainline 1.27.1-1). I am trying to build a mail server. Right now I have dovecot installed and configured correctly. My users are stored in LDAP and I'm able to log in - everything is ok. I can read my emails via Thunderbird without a problem.

When I log into my account via Roundcube, I don't see any emails even though RC shows me the correct folder size and number of emails.
My config.inc.php

/*
+-----------------------------------------------------------------------+
| Local configuration for the Roundcube Webmail installation.          |
|                                                                      |
| This is a sample configuration file only containing the minimum      |
| setup required for a functional installation. Copy more options      |
| from defaults.inc.php to this file to override the defaults.          |
|                                                                      |
| This file is part of the Roundcube Webmail client                    |
| Copyright (C) The Roundcube Dev Team                                  |
|                                                                      |
| Licensed under the GNU General Public License version 3 or            |
| any later version with exceptions for skins & plugins.                |
| See the README file for a full license statement.                    |
+-----------------------------------------------------------------------+
*/

$config = [];

// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
//      or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
$config['db_dsnw'] = 'mysql://roundcube:Passw0rd@localhost/roundcubemail';

// IMAP host chosen to perform the log-in.
// See defaults.inc.php for the option description.
$config['imap_host'] = 'ssl://myhost:993';
// 'tls://localhost:143'

$config['imap_auth_type'] = 'LOGIN';

$config['imap_conn_options'] = array(
  'ssl' => array(
    'verify_peer' => false,
    'verify_peer_name' => false,
  ),
);

// $config['default_folders'] = array('INBOX', 'Inbox.Drafts', 'Inbox.Sent', 'Inbox.spam', 'Inbox.Trash');
// $config['default_folders'] = array('INBOX');
// SMTP server host (for sending mails).
// See defaults.inc.php for the option description.
$config['smtp_host'] = 'tls://myhost:587';

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';

// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE [ROUNDCUBE.NET](https://roundcube.net/) WEBSITE HERE!
$config['support_url'] = '';

// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'My new, shiny Roundcube';

// This key is used to encrypt the users imap password which is stored
// in the session record. For the default cipher method it must be
// exactly 24 characters long.
// YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
$config['des_key'] = '4amAY/YSU7IbkGu+B7XpQJv8MLTtqAeY';

$config['enable_caching'] = false;
$config['message_sort_limit'] = 5000;


// List of active plugins (in plugins/ directory)
$config['plugins'] = [
//        'archive',
//       'zipdownload',
//      'contextmenu',
//      'globaladdressbook',
//      'swipe',
//      'advanced_search',
//      'removeattachments',
//      'identity_from_directory',
//        'password'
];

// skin name: folder from skins/
// $config['skin'] = 'elastic';
$config['mime_types'] = RCUBE_INSTALL_PATH . 'config/mime.types';
$config['imap_debug'] = true;
$config['smtp_debug'] = true;
$config['imap_log_session'] = true;
$config['sql_debug'] = true;
$config['debug_level'] = 5;

$config['log_driver'] = 'file';
$config['log_dir'] = '/var/log/roundcubemail/';
$config['log_file'] = 'all_logs.txt';


$config['enable_installer'] = false;
$config['enable_caching'] = true;
$config['imap_timeout'] = 30;
$config['imap_force_lsub'] = true;
$config['imap_force_ns'] = true;
$config['imap_log_session'] = true;
$config['imap_debug'] = true;
$config['message_sort_col'] = 'date';
$config['message_sort_order'] = 'DESC';

And I am stuck here - why does RC not want to show me my emails?

Thanks for help.

What browser(s) are you seeing the problem on?

Edge, Firefox

What version of PHP are you using?

php-fpm-8.3.11-1

What version of Roundcube are you using?

v1.6.8-1

JavaScript errors

no errors

PHP errors

no errors

@pabzm
Member

pabzm commented Sep 15, 2024

@pmaksimowicz Hi! If the number of messages is correct, then the connection to the IMAP server is probably not the problem.

But to help we need more information. Please check the browser console for errors, or paste its contents (in English). Maybe that gives a hint.

Also, could you check or upload the all_logs.txt (cleared of private data), and maybe other log files inside the logs/ directory.

@pmaksimowicz
Author

Hi @pabzm I think I found it. The source of my problem was the nginx configuration. I tried to harden nginx against CSP and X-XSS-Protection with this directive:
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
inside my /etc/nginx/modules/headers.conf
When I commented out this line, RC worked fine.
My headers.conf file:

# security headers

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# . files
location ~ /\.(?!well-known) {
    deny all;
}

How can I modify Content-Security-Policy to be more secure? Is it ok to add just unsafe-eval like this?

# security headers

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# . files
location ~ /\.(?!well-known) {
    deny all;
}

@pabzm
Member

pabzm commented Sep 16, 2024

Currently, Roundcube requires script-src to include 'unsafe-inline' 'unsafe-eval'. (This might change in the future, if #9513 goes forward.)

You could attempt to restrict the rules for other sources. MDN has a nice article on how to build a CSP. Beware that all remote sources are required at least for images if you want to allow your users to see "remote objects" in their emails.

We don't (yet) have a suggested CSP to use – but we actually should, so I'll post an issue to remind us. Thank you for inspiring this!

@ozgurkazancci

ozgurkazancci commented Sep 16, 2024

Once, I had;

"Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'";"

and the logo image in Settings -> Identities -> My Identity -> Signature wasn't appearing at all.

My signature image was appearing as a broken image there.

Just my 2 cents.

@pabzm
Member

pabzm commented Sep 17, 2024

You need to allow blob: for that kind of images.

@alecpl alecpl closed this as completed Oct 5, 2024
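
A checker for the CSP requirements named in this thread, as an added example that is not part of any comment above and is not Roundcube code. It resolves the `default-src` fallback for `script-src` and `img-src`, and handles the case where a nonce, hash or `'strict-dynamic'` causes browsers to ignore `'unsafe-inline'`; the helper names are hypothetical.

```javascript
// Added example, not Roundcube code. Requirements are those named in the thread:
// script-src needs 'unsafe-inline' and 'unsafe-eval'; signature images need blob:.
const REQUIRED = {
  'script-src': ["'unsafe-inline'", "'unsafe-eval'"],
  'img-src': ['blob:'],
};
// Parse a policy into Map<directive name, source expressions>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src and img-src fall back to default-src; null means unrestricted.
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get('default-src') ?? null;
}

// Return the "directive source" pairs the policy lacks (hypothetical helper name).
function missingForRoundcube(policy) {
  const directives = parseCsp(policy);
  const missing = [];
  for (const [name, needed] of Object.entries(REQUIRED)) {
    const sources = effectiveSources(directives, name);
    if (sources === null) continue;
    const lower = sources.map((s) => s.toLowerCase());
    // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
    const inlineIgnored = lower.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
    for (const src of needed) {
      const ok = lower.includes(src) && !(src === "'unsafe-inline'" && inlineIgnored);
      if (!ok) missing.push(`${name} ${src}`);
    }
  }
  return missing;
}

// Policies quoted in the thread: the original, the proposed fix, the later comment.
const QUOTED = [
  "default-src 'self' http: https: data: blob: 'unsafe-inline'",
  "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'",
  "default-src https: data: 'unsafe-inline' 'unsafe-eval'",
];
for (const p of QUOTED) console.log(JSON.stringify(missingForRoundcube(p)), '<-', p);
```

An empty result only means the policy meets the points raised in this thread; it does not show that the policy is sufficient for every Roundcube feature.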