Rt-mailgate httpd error 400

Hello everyone,
I am new to this forum, first time user.

I am working on upgading our RT installation from 4.4.2 to 5.0.1 ( at new install of 5.0.1 in a different sever ). I installed 5.0.1 fresh, uploaded the database backup from 4.4.2 ( to 5.0.1 ). I can login to the GUI just fine. I can see all the customizations, ticket history , etc. , in the new installation.

When I try to use the mail-gateway , I run into the following problem. I am not sure where this is coming from.

Here is the error message:

procmail: Notified comsat: "fetchmail@:/opt/RT/5.0.1/bin/rt-mailgate --url https://rcicrequest.rcic.uci.edu/rt --no-verify-ssl --queue General --action correspond --debug"
procmail: Executing "/opt/RT/5.0.1/bin/rt-mailgate,--url,https://rcicrequest.rcic.uci.edu/rt,--no-verify-ssl,--queue,General,--action,correspond,--debug"
From fetchmail  Wed Sep 15 10:32:20 2021
 Subject: Test ticket RT5 testing #8
  Folder: /opt/RT/5.0.1/bin/rt-mailgate --url https://rcicrequest.rcic     6998
/opt/RT/5.0.1/bin/rt-mailgate: temp file is '/tmp/GUTZ4OGsaD/ibAt5DnUel'
/opt/RT/5.0.1/bin/rt-mailgate: connecting to https://rcicrequest.rcic.uci.edu/rt/REST/1.0/NoAuth/mail-gateway
HTTP request failed: 400 400. Your webserver logs may have more information or there may be a network problem.

Here is my ssl.conf:

> DocumentRoot "/opt/RT/5.0.1/share/html"
> <Location /rt>
>    <IfVersion >= 2.4>
>        AuthType shibboleth
>        ShibRequestSetting requireSession 1
>        Require shibboleth
>        ShibUseHeaders On
>        ShibBasicHijack On
>        RequestHeader set X-Remote-User %{REMOTE_USER}s
>    </IfVersion>
>    Options +ExecCGI
>    AddHandler fcgid-script fcgi html
> </Location>
> #--------------------------------#
> <Location /REST/1.0/NoAuth/mail-gateway>
>   Satisfy Any
>   Allow from all
>   AuthType None
>   Require all granted
> </Location>
> #--------------------------------#
> <Directory /opt/RT/5.0.1/share/html>
>    <IfVersion >= 2.4>
>       Satisfy Any  
>       Allow from all  
>       AuthType None  
>       Require all granted
>    </IfVersion>
> </Directory>

I am not sure from where that httpd 400 error is coming from.

Can you please help shed some light into this? I did not have this trouble setting RT 4.4.2 up.

thank you all!

Is there anything in the webserver logs? From the machine running Fetchmail can you connect to the URL that mailgate is attempting to connect to?

This is what I see in the web server log. - - [15/Sep/2021:10:34:06 -0700] "GET /rt/static/css/fonts/inter/Inter-Regular.woff2 HTTP/1.1" 302 800 - - [15/Sep/2021:10:34:06 -0700] "GET /rt/static/css/fonts/inter/Inter-Regular.woff HTTP/1.1" 302 806 - - [15/Sep/2021:11:32:15 -0700] "GET /rt/REST/1.0/NoAuth/mail-gateway HTTP/1.1" 302 804 - - [15/Sep/2021:11:32:28 -0700] "GET /rt/REST/1.0/NoAuth/mail-gateway HTTP/1.1" 302 802

I am not sure what you meant my connecting to the mailgate. I did this:

[root@rcic-rt ~]# curl https://rcicrequest.rcic.uci.edu/rt/REST/1.0/NoAuth/mail-gateway
<title>302 Found</title>
<p>The document has moved <a href="https://shib.nacs.uci.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=hZJdT4MwFIb%2FCun9KB%2Bbm80gwe3CJdORgV54Y0o5kybQYk%2Fx498LY%2Bq8mXdN%2Bp7n7XnSJfKmblnS2Urt4bUDtM5HUytkx4uIdEYxzVEiU7wBZFawLLnbssD1WGu01ULXxEkQwVip1Uor7BowGZg3KeBhv41IZW2LjFIjpDBjhzuc3U5IF8qOZpUsCl2DrVxETQd%2BQNNdlhNn3Yel4gP6F4R93lVc4A9Bli3tX3OQNZzG91BKA8LSLNsRZ7OOyHPIvWLuTT248sLZgYfTsBSzRejNpwAQlmUfQ%2Bxgo9ByZSMSeIE%2F8a4n%2Fiz3FywMWLB4Ik56WvpGqlKql8uGijGE7DbP08m40iMYPK7TB0i8HDyzY7E5M38Zy791k%2Fhfufgjd0nPusbilt338M061bUUn05S1%2Fp9ZYBbiIhPaDyO%2FP0f8Rc%3D&amp;RelayState=ss%3Amem%3A530275e41434eafe0d09fca57e32ff37782d7c8f3068fb3eb86b4bc9548e0202">here</a>.</p>

Is that what you meant by connecting to the mailgate?

I tried connecting to the URL ( https://rcicrequest.rcic.uci.edu/rt/REST/1.0/NoAuth/mail-gateway ) via a browser. When I do that, it prompts me for authentication.

If you notice in the ssl.conf, I have excluded the mail-gate area for any authentication. But, not sure why it prompts me for authentication.

thanks for your help!

Yeah my thoughts are the Location directives for Apache aren’t doing what we think since it looks like that curl request hit SAML, if I recall they may have been changed in recent versions of Apache. Is this the same machine that RT 4 was on or a new server?

No, servers are physically 2 different VM’s. One running 4.4.2 and the new one running 5.0.1.

Can you think of anything that might allow no shibboleth authentication for the mailgate part?


Do you need a /rt in front of the /REST in the second Location config?

Not sure, I can try that. But with the same config, my 4.4.2 RT server is working OK.

What’s the version of Apache on the 4.4 server vs 5.0 server?

RT5.0.1 server – httpd-2.4.6-93.el7.centos.x86_64

RT4.4.2 server – httpd-2.4.6-67.el7.centos.6.x86_64

I am a little stumped, can you try putting the mailgate location directive before the SAML location directive?

I think I might have tried that before, I will do that again, and let you know.

Yeah, this one is an interesting one for me too.

is there a way to allow mailgate to pull mails from something like, http://localhost:8080/REST/1.0/xyz … type setup?

Since the RT install and database instance are running from the same server, I wish there should have been an option to pull mails through fetchmail without any URL reference( just locally).

I think I was able to resolve it with the following:

<Location ~ "/REST/1.0/NoAuth/(mail-gateway)">
  <IfVersion >= 2.4>
      Satisfy Any
      Allow from all
      AuthType None
      Require all granted

mailgate was getting caught up with SAML redirect prompting for 2FA.

Thank you everyone for your heart warming help and support. Your questions/comments led me to get the bottom of it.

1 Like