Roundcube locked mail messages

Debian 11 + Hestia v1.4.17. This is a fresh install of the web server, and I didn’t immediately see if the mail was working to begin with. After the fresh installation, I changed the configurations of nginx and apache2 only by adding security headers. The site itself works fine, but when I enter any mail account, I see that the account is blocked! What could it be? I tried to return the headers to their standard position, but it didn’t help :(

nginx conf

# SSL PCI compliance
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_ecdh_curve secp384r1;
ssl_session_timeout  10m;
ssl_buffer_size     1400;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling_verify on;
resolver valid=300s ipv6=off;
resolver_timeout    5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Expect-CT "max-age=7776000, enforce";
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Content-Security-Policy "upgrade-insecure-requests";

In apache2, add Include conf-enabled/security.conf; in the security config itself:


# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options: "DENY"
Header always set X-Content-Type-Options: "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy: "no-referrer-when-downgrade"
Header always set Content-Security-Policy "upgrade-insecure-requests"
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

curl -I my_domain

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 19 Oct 2021 05:58:50 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: my_domain
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Expect-CT: max-age=7776000, enforce
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: upgrade-insecure-requests

In general, can this problem be caused by a change in the security headers? Thanks in advance for your reply!

Replace it with
X-Frame-Options: SAMEORIGIN


After changing the settings, I checked the work in IE, and made sure that everything works there, then I cleared the cache in the browser I used and everything worked there too, thanks! :sweat_smile:
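
Added example (not part of the thread): Roundcube loads parts of its interface in same-origin iframes, which is why `X-Frame-Options: DENY` breaks it while `SAMEORIGIN` does not. This Python check applies the browser rules for `X-Frame-Options` and CSP `frame-ancestors` to response headers as printed by `curl -I`; the sample responses are constructed, and the half-fixed case assumes nginx and Apache each add their own header to the same response.

```python
# Added example; the sample responses below are constructed for illustration.
BASE = "HTTP/1.1 200 OK\nServer: nginx\nContent-Security-Policy: upgrade-insecure-requests\n"
BEFORE = BASE + "X-Frame-Options: DENY\n"        # setting from the original post
AFTER = BASE + "X-Frame-Options: SAMEORIGIN\n"   # setting suggested in the reply
# Assumed case: one layer was changed, the other still adds DENY.
HALF_FIXED = BASE + "X-Frame-Options: SAMEORIGIN\nX-Frame-Options: DENY\n"


def parse_headers(raw):
    """Map lowercased header name -> list of values from a raw response head."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # the status line has no colon and is skipped
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors_lists(csp_values):
    """Return one source list per CSP policy that sets frame-ancestors."""
    found = []
    for policy in ",".join(csp_values).split(","):
        for directive in policy.split(";"):
            words = directive.split()
            if words and words[0].lower() == "frame-ancestors":
                found.append([w.lower() for w in words[1:]])
                break  # only the first occurrence in a policy counts
    return found


def same_origin_framing_problems(raw):
    """Return reasons why a page could not be framed by its own origin."""
    h = parse_headers(raw)
    fa = frame_ancestors_lists(h.get("content-security-policy", []))
    if fa:
        # Browsers that support frame-ancestors ignore X-Frame-Options when
        # it is present. Host source lists are not evaluated in this sketch.
        return ["CSP frame-ancestors 'none' blocks all framing"
                for srcs in fa if not srcs or srcs == ["'none'"]]
    tokens = {t.strip().lower() for v in h.get("x-frame-options", [])
              for t in v.split(",") if t.strip()}
    if len(tokens) > 1 and tokens & {"deny", "sameorigin", "allowall"}:
        return ["conflicting X-Frame-Options values %s are treated as a block"
                % sorted(tokens)]
    if tokens == {"deny"}:
        return ["X-Frame-Options: DENY blocks same-origin frames"]
    return []
```

An empty list means these headers do not stop same-origin framing; to check a live response, pass the text printed by `curl -sI` for the webmail URL to `same_origin_framing_problems`.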

