RT 4.0.8 - rt-mailgate hangs on authenticated RT server

Duncan_Napier1 · June 17, 2013, 10:06pm

Hello,

I know this has been raised before and a few solutions have been given, but it seems that all of them are different and none of them seem to work on my system.

I am running CAS-authenticed RT 4.0.8 on an CentOS 6.2/Apache2.2.24/Postfix-2.2.6 and everything seems to run fine. I now want to implement rt-mailgate. The mailer etc all works fine, but when I send emails to the aliases for correspond/comment, the maillog shows

“(temporary failure. Command output: An Error Occurred xxx 302 Found )”

Running

“/usr/local/rt/bin/rt-mailgate --queue general --action correspond --url http://www.mysite.com --debug”

just hangs indefinitely with no debug message.

So it appears that the MTA hangs because the system is awaiting CAS authentication.

I understand that to get around this, you open up areas of the server to the the localhost (127.0.0.1) so no authentication is required. I have tried a bunch of fixes, but none seem to work. They seem require NoAuth areas of the rt directory have authentication disabled using Apache Location or Directory directives, as in:

Begin Code Fragment

<LocationMatch /share/html/NoAuth>
    Satisfy Any
    Allow from all
</LocationMatch>

<LocationMatch /share/html/REST/1.0/NoAuth>
    Satisfy Any
    Allow from all
</LocationMatch>

End Code Fragment

My rt.conf folder looks like this

Begin rt.conf

AddDefaultCharset UTF-8

Alias /rt/NoAuth/images /usr/local/rt/share/html/NoAuth/images/
ScriptAlias / /usr/local/rt/sbin/rt-server.fcgi/

DocumentRoot "/usr/local/rt/share/html"

<Directory /usr/local/rt>
Options FollowSymLinks
AllowOverride AuthConfig
AuthType CAS

<Location /rt>
    Order allow,deny
    Allow from all

    Options +ExecCGI
    AddHandler fcgid-script fcgi
</Location>

<LocationMatch /share/html/NoAuth>
    Satisfy Any
    Allow from all
</LocationMatch>

<LocationMatch /share/html/REST/1.0/NoAuth>
    Satisfy Any
    Allow from all
</LocationMatch>

End rt.conf

Any suggestions?

                             Regards,

                             Duncan.

Thomas_Sibley · June 17, 2013, 10:21pm

I understand that to get around this, you open up areas of the server to the the localhost (127.0.0.1) so no authentication is required. I have tried a bunch of fixes, but none seem to work. They seem require NoAuth areas of the rt directory have authentication disabled using Apache Location or Directory directives, as in:

#############

Begin Code Fragment

#############
<LocationMatch /share/html/NoAuth>
Satisfy Any
Allow from all
<LocationMatch /share/html/REST/1.0/NoAuth>
    Satisfy Any
    Allow from all
</LocationMatch>

Your Apache configuration directives are wrong. Location/LocationMatch
take a URL location, not a directory path (that’s what
Directory/DirectoryMatch are for). You also aren’t using the matching
power of LocationMatch, and don’t need it, so you want something like:

<Location /REST/1.0/NoAuth/mail-gateway>
Satisfy any
Allow from 127.0.0.1

You don’t need to allow /NoAuth for mailgate.

Duncan_Napier1 · June 18, 2013, 4:18pm

Message: 6
Date: Mon, 17 Jun 2013 15:21:19 -0700
From: Thomas Sibley trs@bestpractical.com
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.8 - rt-mailgate hangs on authenticated
RT server
Message-ID: 51BF8BDF.407@bestpractical.com
Content-Type: text/plain; charset=UTF-8

I understand that to get around this, you open up areas of the
server to the the localhost (127.0.0.1) so no authentication is
required. I have tried a bunch of fixes, but none seem to work.
They seem require NoAuth areas of the rt directory have
authentication disabled using Apache Location or Directory
directives, as in:

#############

Begin Code Fragment

#############
<LocationMatch /share/html/NoAuth>
Satisfy Any
Allow from all
<LocationMatch /share/html/REST/1.0/NoAuth>
    Satisfy Any
    Allow from all
</LocationMatch>
Your Apache configuration directives are wrong.
Location/LocationMatch
take a URL location, not a directory path (that’s what
Directory/DirectoryMatch are for). You also aren’t using the
matching
power of LocationMatch, and don’t need it, so you want something
like:

<Location /REST/1.0/NoAuth/mail-gateway>
Satisfy any
Allow from 127.0.0.1

You don’t need to allow /NoAuth for mailgate.

Hi Thomas,

Thanks very much. I did succeed in making it work, but still using LocatioMatch directive. I changed

#############

Begin Code Fragment

#############
<LocationMatch /share/html/NoAuth>
Satisfy Any
Allow from all
<LocationMatch /share/html/REST/1.0/NoAuth>
    Satisfy Any
    Allow from all
</LocationMatch>

by changing the above fragment (and putting in required quotes “” that were missing! Doh!) to

<LocationMatch “/NoAuth”>
Satisfy Any
Allow from all

<LocationMatch "/REST">
    Satisfy Any
    Allow from all
</LocationMatch>

It works fine now and I’m not going to mess with it (the cardinal rule of RT - don’t mess with what works!!!), unless you have some additional comments or advice about it.

                             Regards,

                             Duncan.

Duncan_Napier1 · June 25, 2013, 9:15pm

Hi,

I want everyone so see custom fields, including Self-Serve requesters.

I’m running RT 4.0.8 on CentOS 6.2/Apache2.2.24/Postfix-2.2.6. I have everything set up and have implelented some custom fields through the Custom Fields menu. Administrators can see custom fields fine. But unpriviliged users (externally authenticated users in CAS created at their first login cannot. I have Globalm Everyone and Unpriviliged General Rights → SeeCustomField , Custom Fields-Everyone/Unprivileged still no luck.

Strangely enough only one user who used to be priviliged/administrator but now is unpriviliged can see custom fields.

                             Regards,

                             Duncan.

Duncan Napier
duncan_napier@sfu.ca
http://www.sfu.ca/~dgnapier/
IT & Instrumentation Consultant
Dept of Molecular Biology and Biochemistry
Simon Fraser University

“It takes ten years to become good at being a kid. Then another ten years
to become good at not being a kid” - Larry Wall.

Duncan_Napier1 · June 27, 2013, 1:44pm

Hi,

I want everyone so see custom fields, including Self-Serve
requesters.

I’m running RT 4.0.8 on CentOS 6.2/Apache2.2.24/Postfix-2.2.6. I have
everything set up and have implelented some custom fields through
the Custom Fields menu. Administrators can see custom fields fine.
But unpriviliged users (externally authenticated users in CAS
created at their first login cannot. I have Globalm Everyone and
Unpriviliged General Rights → SeeCustomField , Custom
Fields-Everyone/Unprivileged still no luck.

Strangely enough only one user who used to be
priviliged/administrator but now is unpriviliged can see custom
fields.

–

OK … fixed this one. In or

Problem resolved by setting

Tools->Global->Group Rights ->Add, for Unpriviliged Users, “Rights for Staff” tab check “modify and delete custom field values for objects (ModifyCustomField)”