Roundcube plugins

UPDATE as of April 21, 2021: the markasjunk's multi_driver, when enabled, seems to prevent the display of the attached images. Why this driver is related to this problem is a mistery. Any comment on this will be welcome.

• Official repository: http://plugins.roundcube.net/

My enabled plugins are (at the moment):

• password, which is already included in the plugins folder
• managesieve, which writes sieve scripts to filter the incoming mails (reject, move to specific folders etc.). Note that in order to use it you must have Dovecot managesieve enabled.
• SpamAssassin-User-Prefs-SQL, which writes the spamassassin user preferences in the DB. The user will be allowed to create a black/white list, to adjust the required_score and so on.
• markasjunk. You can add the sender's email address to the blacklist, or run a command such as sa_learn. Requires sauprefs.
• rcguard. This plugin logs failed login attempts and requires users to go through a reCAPTCHA verification process when the number of failed attempts go too high.
• Context Menu. Adds context menus to the message list, folder list and address book. Menu includes the abilities mark messages as read/unread, delete, reply and forward.
• autologon. Autologin from external Site e.g. (CMS, Portal ...)
• logout_redirect. Modified version to only redirect to the homepage (depending on the domain part of the default identity)
• newmail_notifier. can notify new mail focusing browser window and changing favicon, playing a sound and  displaying desktop notification (using webkitNotifications feature).
• carddav. CardDav client. You can sync your addressbook against a CardDav server like nextcloud or SoGO.
• enigma adds support for viewing and sending of signed and encrypted messages in PGP (RFC 2440) and PGP/MIME (RFC 3156) format

To enable a plugin you have to include it in $config['plugins'] in such a way

$config['plugins'] = array(
        'password',
        'managesieve',
        'sauserprefs',
        'markasjunk',
        'rcguard',
        'contextmenu',
        'newmail_notifier',
        'carddav',
        'enigma'
 );

Managing plugins via composer

Some of the mentioned above plugins are shipped with the Roundcube package, while the others can be easily installed from https://plugins.roundcube.net/ via composer. To learn how to use composer take a look to the home page of this site, where a quick howto is provided.

Installing composer

Install as follow if composer.phar is not already installed

cd /var/www/roundcube
chown -R root:apache .

wget https://getcomposer.org/composer-stable.phar 
mv composer-stable.phar composer.phar 
chown apache:apache composer.phar 
mkdir -p /var/www/.composer 
chown -R apache:apache /var/www/.composer

Since composer has to be runned by apache, it is the case to set up write priviledges in some folder and files that the apache user has to overwrite.

mkdir -p /srv/httpd
chown -R apache:apache /srv/httpd

touch composer.lock
chown apache:apache composer.lock composer.phar

chmod -R g+w plugins vendor composer.lock

Using composer

In a few words, just open your composer.json file and add a line like this for each plugin that is browseable from https://plugins.roundcube.net and you would like to install:

"require" : {
 ...,
 "roundcube/rcsample": ">=0.2.0"
}

This is my composer.json section that is needed to install the plugins described below:

 "require": {
...............
 "mfreiholz/persistent_login": "dev-master",
 "johndoh/contextmenu": ">=3.2",
 "dsoares/rcguard": ">=1.2.1",
 "johndoh/sauserprefs": ">=1.18",
 "roundcube/carddav": ">=3.0.3"
}

Run composer as the apache user to update and install:

cd /var/www/roundcube
sudo -u apache php composer.phar update

Password

This is shipped with Roundcube, so it doesn't need to be installed. You can use either vpopmaild or sql driver (thanks to John D. Trolinger).

This plugin provides some driver to enforce the password strenght and I tryied zxcvbn with no success. Fortunately John D. Trolinger explained in a comment how to patch the plugin to use cracklib as a password strenght library. If you want to use this approach read below.

Choosing the vpopmaild driver

# cd plugins/password
# cp -p config.inc.php.dist config.inc.php
# nano config.inc.php

$config['password_driver'] = 'vpopmaild';

// Determine whether current password is required to change password.
// Default: false.
$config['password_confirm_current'] = true;

// vpopmaild Driver options
// -----------------------
// The host which changes the password
$config['password_vpopmaild_host'] = '<mail-server-IP>';

// TCP port used for vpopmaild connections
$config['password_vpopmaild_port'] = 89;

Remember to replace <mail-server-IP> with the IP address of your MTA (generally localhost).

Choosing the sql driver

// We have MYSQL for our VPOPMAIL DATABASE so we use the sql driver
$config['password_driver'] = 'sql';

// Determine whether current password is required to change password.
// Default: false.
$config['password_confirm_current'] = true;

// SQL Driver options
// ------------------
// PEAR database DSN for performing the query. By default
// Roundcube DB settings are used.
// We have a VPOPMAIL DB  and the database and table name is vpopmail
$config['password_db_dsn'] =
'mysql://vpopmail:YOURPASSWORDGOESHERE@<mysql-IP>/vpopmail';

// The username and domainname are different columns JDT
$config['password_query'] = 'UPDATE vpopmail set
pw_passwd=ENCRYPT(%p,concat("$1$",right(md5(rand()),8 ),"$")),
  pw_clear_passwd=%p where pw_name=%l and pw_domain=%d';

// VPOPMAIL uses salted hash so md5 JDT
$config['password_crypt_hash'] = 'md5';

Here <mysql-IP> is the IP address of your sql server (put localhost if qmail and sql servers share the same IP).

Cracklib patch

You may want to patch the plugin to gain cracklib's security benefits (thanks to Tony Fung for the patch), so that both roundcube and qmailadmin share the same password check system:

cd /var/www/roundcube
wget https://notes.sagredo.eu/files/qmail/patches/roundcube/cracklib-roundcube_pwd_plugin.patch
patch -p1 < cracklib-roundcube_pwd_plugin.patch

Be aware that the cracklib library must be installed as already explained in the qmailadmin's page.

Managesieve

Writes sieve scripts to filter the incoming mails (reject, move to a specific folders etc.). Note that to use this you must have Dovecot managesieve enabled.

• Requires: Dovecot Pigeonhole
• Shipped with Roundcube

cd /var/www/roundcube/plugins
cd managesieve
cp -p config.inc.php.dist config.inc.php

Modify in such a way the config file (remember that the port of the dovecot-managesive service is now 4190 (2000 is obsolete)

$config['managesieve_port'] = 4190;
$config['managesieve_host'] = '<mail-server-IP>';

NB: <mail-server-IP> is the IP address of your mail server (localhost if qmail and sql share the same IP).

And this is what you are going to see in the dovecot log simply setting a redirect filter

Oct 22 00:03:13 lda(test@yourdomain.net): Info: sieve: msgid=<c3445037f979a8cb793df1f858b7a4f9@somedomain.com>: forwarded to <someone@somewhere.net>

Remember that, in order to the sieve rules to take place, you have to setup the .qmail file at least for that user or the entire domain as explained earlier in the sieve note about Dovecot, otherwise the LDA will be vpopmail instead of Dovecot and the sieve rules will be ignored.

quickrules

Adds a button to the message list to allow the quick creation of rules in the SieveRules plugin. Infomration from selected emails is used to prefile the new rule form.

• Version: 2.0
• Requires: sieverules plugin

This package is abandoned and no longer maintained. No replacement package was suggested. I leave this documentation here, to be used with 1.3 and earlier versions of Roundcube.

The plugin version from github doesn't work with 0.9.2. I managed to install the new skin inside the old 0.6 version of the plugin and now it works fine. You can download my modified version from here.

cd /var/www/roundcube/plugins
wget https://notes.sagredo.eu/files/qmail/tar/old-RC-plugins/quickrules.tar.gz
tar xzf quickrules.tar.gz
chown -R root.apache quickrules
chmod -R o-rx quickrules

SpamAssassin-User-Prefs-SQL

Writes the spamassassin user preferences in the DB. The user will be allowed to create a black/white list, to adjust the required_score and so on.

• Installed via composer

Configure the mysql connection:

> cp -p config.inc.php.dist config.inc.php
> nano config.inc.php
$config['sauserprefs_db_dsnw'] = 'mysqli://spamassassin:<PASSWORD>@<mysql-IP>/spamassassin';

NB: <mysql-IP> is the IP address of your mysql server (localhost if the same of qmail).

If 'mysqli' extension is not available in your php, then choose the old 'mysql' in the line above.

Spamassassin userprefs' funcionality has been explained in this page. Now we have to check just the creation/modification of the record inside the userprefs table of the spamassassin DB.

Mark-as-junk

Adds the sender's email address to the blacklist, or run a command such as sa_learn.

• Shipped with Roundcube
• README (detailed drivers howto)

With this nice plugin the end user can add the sender's email address to the blacklist, or run a command such as sa_learn.

Create the config file from the template

cp config.inc.php.dist config.inc.php

sa_blacklist driver

• Requires spamassassin-user-prefs (sauserprefs) plugin and Spamassassin Userprefs

Clicking on the button "Mark as Junk" creates a new "Black_list from" record in the database and moves the message in the Junk folder eventually marking it as read. Clicking on the button "Mark as Ham" creates a record "White_list from" in the database and restores the message in the Inbox.

To use the plugin with the driver sa_blacklist:

$config['markasjunk_learning_driver'] = 'sa_blacklist';

The following cmd_learn driver should not be used anymore, as we already setup a cronjob for training our bayesian filter and reporting our spam (more info here).

cmd_learn driver

• Thanks to Gabriel Torres for the hints concerning this setup

This driver calls an external command to process the message. You can use it to call sa_learn and spamassassin in cascade. Be aware that you have to eventually remove shell_exec from disable_functions in your php.ini so that php can execute shell commands.

Prepare the shell script with the commands to run when clicking on the "Mark as junk" button. Save as /usr/local/bin/teach_spam.sh the following code

cat > /usr/local/bin/teach_spam.sh << __EOF__
#!/bin/bash
/usr/local/bin/sa-learn --spam --username=$1 $2 >> /var/log/spamassassin/sa_learn.log 2>&1​
/usr/local/bin/spamassassin --nocreate-prefs --report < $2 >> /var/log/spamassassin/spamassassin.log 2>&1
__EOF__

The first command feeds the mail to SpamAssassin, allowing it to 'learn' what signs are likely to mean spam. The latter one reports the mail as spam to Razor, Pyzor and Spamcop.

Now prepare the shell script with the commands to run when clicking on the "Mark as ham" button. Save as /usr/local/bin/revoke_spam.sh the following code

cat > /usr/local/bin/revoke_spam.sh << __EOF__
#!/bin/bash
/usr/local/bin/sa-learn --ham --username=$1 $2 >> /var/log/spamassassin/sa_learn.log 2>&1​
/usr/local/bin/spamassassin --nocreate-prefs --revoke < $2 >> /var/log/spamassassin/spamassassin.log 2>&1
__EOF__

Again, the first command feeds the mail to SpamAssassin, allowing it to 'learn' which signs are likely to mean ham. The latter one revoke the report to Razor. Apparently the revocation is not possible with Pyzor and Spamcop (but I didn't look deeply in my log yet).

Provide execute priviledges to the newly created scripts

chmod +x /usr/local/bin/teach_spam.sh /usr/local/bin/revoke_spam.sh

Set these options

$config['markasjunk_learning_driver'] = 'cmd_learn';
$config['markasjunk_spam_cmd'] = '/usr/local/bin/teach_spam.sh  %u %f';
$config['markasjunk_ham_cmd']  = '/usr/local/bin/revoke_spam.sh %u %f';

Setup che logrotate for the above log files:

cat > /etc/logrotate.d/spam_reports << __EOF__
/var/log/spamassassin/spamassassin.log /var/log/spamassassin/sa_learn.log {
su root apache
rotate 5
daily
missingok
notifempty
delaycompress
create 664 root apache 
sharedscripts
}
__EOF__

You have to assign +w priviledges to apache in the log dir and to Razor's identity-* files, as Roundcube is runned by apache:

chgrp apache /var/log/spamassassin
chmod g+w /var/log/spamassassin
chgrp apache /etc/mail/spamassassin/.razor/identity-*
chmod 640 /etc/mail/spamassassin/.razor/identity-*
chmod 644 /etc/mail/spamassassin/.razor/razor-agent.log

multi_driver driver

• Original driver for the ancient markasjunk2 plugin
• multi_driver plugin patched for markasjunk (diff here)

It is possible to run multiple drivers when marking a message as spam/ham. I patched the original version by Philip Weir to work with markasjunk and run sa_blacklist followed by cmd_learn.

Install as follows:

cd /var/www/roundcube/plugins/markasjunk/drivers
wget https://notes.sagredo.eu/files/qmail/patches/roundcube/markasjunk-multi_driver/multi_driver.txt
mv multi_driver.txt multi_driver.php

Set the correct driver in the config file:

$config['markasjunk_learning_driver'] = 'multi_driver';

rcguard

This plugin logs failed login attempts and requires users to go through a reCAPTCHA verification process when the number of failed attempts go too high. This provides protection against automated attacks.

• Installed via composer

mv config.inc.php.dist config.inc.php

You have to obtain a key from http://www.google.com/recaptcha. Put the key in your config file:

> nano config.inc.php

// Public key for reCAPTCHA
$config['recaptcha_publickey'] = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';

// Private key for reCAPTCHA
$config['recaptcha_privatekey'] = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';

Create the mysql table where to store the logs of all failed attempts. IPs are released after a certain amount of time.

> mysql -u root -p
mysql> use roundcube;

CREATE TABLE `rcguard` (
  `ip` VARCHAR(40) NOT NULL,
  `first` DATETIME NOT NULL,
  `last` DATETIME NOT NULL,
  `hits` INT(10) NOT NULL,
  PRIMARY KEY (`ip`),
  INDEX `last_index` (`last`),
  INDEX `hits_index` (`hits`)
) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;

quit;

That's it. The captha will be active after 5 failures. You can set this number in the config file.

Different themes and translations of recaptcha are available. Simply edit rcguard.js. For documentation, see:  https://developers.google.com/recaptcha

Context Menu

Adds context menus to the message list, folder list and address book. Menu includes the abilities mark messages as read/unread, delete, reply and forward.

• Installed via composer

No configuration is needed.

autologon

Performs an auto login from an external page

• Shipped by Roundcube

You have to modify the default Thomas Bruederli's sample plugin like this (eventually change to $_GET):

<?php

/**
 * Sample plugin to try out some hooks.
 * This performs an automatic login if accessed from localhost
 *
 * @license GNU GPLv3+
 * @author Thomas Bruederli
 */
class autologon extends rcube_plugin
{ 
  public $task = 'login';

  function init()
  {
    $this->add_hook('startup', array($this, 'startup'));
    $this->add_hook('authenticate', array($this, 'authenticate'));
  }

  function startup($args)
  {
    $rcmail = rcmail::get_instance();

    // change action to login
    if (empty($_SESSION['user_id']) && !empty($_POST['_autologin']) && $this->is_localhost())
      $args['action'] = 'login';

    return $args;
  }

  function authenticate($args)
  {
    if (!empty($_POST['_autologin']) && $this->is_localhost()) {
      $args['user'] = $_POST['_user'];
      $args['pass'] = $_POST['_pass'];
      $args['host'] = '[localhost | mail-server-IP]';
      $args['cookiecheck'] = false;
      $args['valid'] = true;
    }

    return $args;
  }

  function is_localhost()
  {
    return true;
//    return $_SERVER['REMOTE_ADDR'] == '::1' || $_SERVER['REMOTE_ADDR'] == '127.0.0.1';
  }

}

Use a form like this one in your CMS page:

<form name="form" action="http://your.webmail.url/" method="post">
<input type="hidden" name="_action" value="login" />
<input type="hidden" name="_task" value="login" />
<input type="hidden" name="_autologin" value="1" />

<table>
<tr>
    <td>Utente</td>
    <td><input name="_user" id="rcmloginuser" autocomplete="off" value="" type="text" /></td>
</tr>
<tr>
    <td>Password</td>
    <td><input name="_pass" id="rcmloginpwd" autocomplete="off" type="password" /></td>
</tr>
<tr>
    <td colspan="2"><input type="submit" value="Login" /></td>
</tr>
</table>

</form>

logout_redirect

This plugin is not tested against Roundcube 1.4.1

In case you have installed the autologon plugin this one could be useful to redirect users to the home page of your site upon logout.

• Info: http://www.std-soft.com/bfaq/52-cat-webmail/105-logout-redirect-fuer-roundcube.html (german)
• Download local copy

cd /var/www/roundcube/plugins
wget http://notes.sagredo.eu/files/qmail/tar/RC-plugins/logout_redirect_rc0.5_v1.2-MN.tar.gz
tar xzf logout_redirect_rc0.5_v1.2-MN.tar.gz
cd logout_redirect
chown -R root.apache logout_redirect
chmod -R o-rx logout_redirect

The plugin logout_redirect must be the last in the list of plugins in the main.inc.php otherwise the subsequent plugins will no longer run.

Configure like this editing the config.inc.php inside the plugin's config folder:

$ config['logout_redirect_url'] = 'http://www.yoursite.net';

newmail_notifier

Supports three methods of notification:

1. Basic - focus browser window and change favicon
2. Sound - play wav file
3. Desktop - display desktop notification (using webkitNotifications feature, supported by Chrome and Firefox with 'HTML5 Notifications' plugin)

• Shipped by Roundcube

This plugin is included in your Roundcube installation. You can enable it simply renaming the config file...

cd plugins/newmail_notifier
cp config.inc.php.dist config.inc.php

...and choosing the notification method you like:

// Enables basic notification
$config['newmail_notifier_basic'] = true;

// Enables sound notification
$config['newmail_notifier_sound'] = true;

// Enables desktop notification
$config['newmail_notifier_desktop'] = false;

CardDav

This is a plugin to access CardDAV servers like ownCloud or SoGO.

This plugin was not tested against Roundcube 1.4

Setup the database tables using the suitable file saved in the dbmigrations/0000-dbinit/ subfolder.

Then you can configure you addressbook. If you use an ownCloud server, this is how to do it:

If you have an Android phone you may want to take a look to the CardDAV application here.

Troubleshoting

If you get a curl error like this when downloading the dependencies

All settings correct for using Composer

PHP Warning:  failed loading cafile stream: `/etc/ssl/certs/cacert.pem' in - on line 762
PHP Warning:  file_get_contents(): Failed to enable crypto in - on line 762
PHP Warning:  file_get_contents(https://getcomposer.org/versions): failed to open stream: operation failed in - on line 762
PHP Warning:  Invalid argument supplied for foreach() in - on line 508
None of the 0 stable version(s) of Composer matches your PHP version (5.6.21 / ID: 50621)

then you have to install a cert bundle:

cd /etc/ssl/certs
wget --no-check-certificate http://curl.haxx.se/ca/cacert.pem

and tell php where to find it editing your php.ini

openssl.cafile=/etc/ssl/certs/cacert.pem

Enigma

• more info here
• requires: gpg (gnupg and libgpg-error on Slackware systems)
• shipped by Roundcube

Update: the enigma plugin included in 1.3.1 version seems to be not compatible with the old version of Crypt_GPG

This plugin adds support for viewing and sending of signed and encrypted messages in PGP (RFC 2440) and PGP/MIME (RFC 3156) format.  The plugin uses gpg binary on the server and stores all keys (including private keys of the users) on the server. Encryption/decryption is done server-side. So, this plugin is for users who trust the server.

Create a config file

cd /var/www/roundcube/plugins/enigma
cp -p config.inc.php.dist config.inc.php

The keys are stored by the server in the enigma/home dir. Let's move that dir to a folder that is not accessible from the web and assign to apache write permissions

mkdir -p /var/www/roundcube-enigma-home
chown -R root:apache /var/www/roundcube-enigma-home
chmod -R g+w /var/www/roundcube-enigma-home

Now modify your apache configuration to grant proper permissions to apache in the newly created dir:

Require all granted

Don't forget to restart your web server, for example:

apachectl restart

Now modify the enigma config file to point to the new home dir:

$config['enigma_pgp_homedir'] = '/var/www/roundcube-enigma-home';

The enigma plugin requires that the Crypt_GPG library is installed exactly in your /var/www/roundcube/plugins/enigma/lib/Crypt_GPG dir. Considering that roundcube resets the default include_path php variable (which is set by php.ini to /path/to/php/lib), if you choose to install it using pear you will get a "Server error". So let's manually download and install the package in the proper folder 

cd /var/www/roundcube/plugins/enigma/lib
wget http://download.pear.php.net/package/Crypt_GPG-1.6.2.tgz
tar xzf Crypt_GPG-1.6.2.tgz
ln -s Crypt_GPG-1.6.2/Crypt
chown -R root:apache Crypt*

The set up of the certificates is easy. Refer to this blog page for more info.

--- vpopmaild.php       2020-06-07 19:11:57.000000000 +0800
+++ vpopmaild.php.new   2020-07-03 10:49:10.916730102 +0800
@@ -33,6 +33,16 @@
         $host      = $rcmail->config->get('password_vpopmaild_host');
         $port      = $rcmail->config->get('password_vpopmaild_port');
+        exec("echo ".$passwd." | /usr/sbin/cracklib-check 2>/dev/null", $output, $return_var);
+
+        if(preg_match("/^.*\: ([^:]+)$/", $output[0], $matches)) {
+            // Check response:
+            if(strtoupper($matches[1])!=="OK") {
+                // Cracklib doesn't like it:
+                return PASSWORD_CONSTRAINT_VIOLATION;
+            }
+        }
+
         $result = $vpopmaild->connect($host, $port, null);
         if (is_a($result, 'PEAR_Error')) {
             return PASSWORD_CONNECT_ERROR;

--- sql.php     2020-06-07 19:11:57.000000000 +0800
+++ sql.php.new 2020-07-03 12:14:18.452237835 +0800
@@ -37,6 +37,16 @@
     {
         $rcmail = rcmail::get_instance();
+        exec("echo ".$passwd." | /usr/sbin/cracklib-check 2>/dev/null", $output, $return_var);
+
+        if(preg_match("/^.*\: ([^:]+)$/", $output[0], $matches)) {
+            // Check response:
+            if(strtoupper($matches[1])!=="OK") {
+                // Cracklib doesn't like it:
+                return PASSWORD_CONSTRAINT_VIOLATION;
+            }
+        }
+
         if (!($sql = $rcmail->config->get('password_query'))) {
             $sql = 'SELECT update_passwd(%c, %u)';
         }

#!/bin/bash
/usr/local/bin/sa-learn --spam -u$1 $2
/usr/local/bin/spamassassin -x -r <$2

$config['markasjunk_learning_driver'] = 'cmd_learn';
$config['markasjunk_spam_cmd'] = '/usr/local/bin/teach_spam.sh %u %f';
$config['markasjunk_ham_cmd'] = '/usr/local/bin/sa-learn --ham --username=%u %f';

chmod 777 /etc/mail/spamassassin/.razor/razor-agent.log
chmod 644 /etc/mail/spamassassin/.razor/identity-

apt-get install pyzor

spamcop_from_address 
spamcop_to_address 
razor_config /etc/mail/spamassassin/.razor/razor-agent.conf
pyzor_options --homedir /etc/mail/spamassassin/pyzor
pyzor_timeout 20

mkdir /etc/mail/spamassassin/pyzor
chown spamd:spamd /etc/mail/spamassassin/pyzor