Roundcube plugins

November 5, 2023 by Roberto Puzzanghera 53 comments

My enabled plugins are (at the moment):

  • Password, to change the user's password
  • qmailforward, replaces the managesieve forward in order to handle the qmail forwards via vpopmail/valias
  • ManageSieve, which writes sieve scripts to filter the incoming mails (reject, move to specific folders etc.). Note that in order to use it you must have Dovecot managesieve enabled.
    It contains "Out of office" and "Forwarding".
  • SpamAssassin User Prefs SQL (sauserprefs), which writes the spamassassin user preferences in the DB. The user will be allowed to create a black/white list, to adjust the required_score and so on.
  • MarkAsJunk. You can add the sender's email address to the blacklist, or run a command such as sa_learn. Requires sauprefs.
  • ContextMenu. Adds context menus to the message list, folder list and address book. Menu includes the abilities mark messages as read/unread, delete, reply and forward.
  • Newmail notifier. can notify new mail focusing browser window and changing favicon, playing a sound and  displaying desktop notification (using webkitNotifications feature).
  • Persistent login, which provides a "Keep me logged in" aka "Remember Me" functionality for Roundcube.
  • ZipDownload, which adds an option to download all attachments to a message in one zip file, when a message has multiple attachments.
  • enigma adds support for viewing and sending of signed and encrypted messages in PGP (RFC 2440) and PGP/MIME (RFC 3156) format
  • swipe, which adds left/right/down swipe actions to entries in the the message list on touch devices (tables/phones).
  • Attachment reminder reminds a user to attach the files

Other plugins that I have used in the past for which the old documentation might not be valid anymore

  • autologon. Autologin from external Site e.g. (CMS, Portal ...)
  • logout redirect. Modified version to only redirect to the homepage (depending on the domain part of the default identity)
  • rcguard. This plugin logs failed login attempts and requires users to go through a reCAPTCHA verification process when the number of failed attempts go too high.
  • carddav. CardDav client. You can sync your addressbook against a CardDav server like nextcloud or SoGO.

To enable a plugin you have to include it in $config['plugins'] in such a way

$config['plugins'] = array(
        'password',
        'managesieve',
        'sauserprefs',
        'markasjunk',
        'contextmenu',
        'newmail_notifier',
        'zipdownload',
        'persistent_login',
        'enigma',
        'swipe',
        'attachment_reminder',
        'qmailforward'
 );

Managing plugins via composer

Some of the mentioned above plugins are shipped with the Roundcube package, while the others can be easily installed from https://plugins.roundcube.net/ via composer. To learn how to use composer take a look to the home page of this site, where a quick howto is provided.

Installing composer

Install as follow if composer.phar is not already installed

cd /var/www/roundcube
chown -R root:apache .

wget https://getcomposer.org/composer-stable.phar 
mv composer-stable.phar composer.phar 
chown apache:apache composer.phar 
chmod +x composer.phar
mkdir -p /var/www/.composer 
chown -R apache:apache /var/www/.composer

Since composer has to be runned by apache, it is the case to set up write priviledges in some folder and files that the apache user has to overwrite.

mkdir -p /srv/httpd
chown -R apache:apache /srv/httpd

touch composer.lock
chown apache:apache composer.lock composer.phar

chmod -R g+w plugins vendor composer.lock

Using composer

In a few words, just open your composer.json file and add a line like this for each plugin that is browseable from https://plugins.roundcube.net and you would like to install:

"require" : {
 ...,
 "roundcube/rcsample": ">=0.2.0"
}

This is my composer.json file that is needed to install the plugins described below:

 "require": {
       ............... other stuff
       "sagredo-dev/qmailforward": ">=1.0.2",
       "johndoh/contextmenu": ">=3.3.1", 
       "johndoh/swipe": ">=0.5"
}

Run composer as the apache user to update and install:

cd /var/www/roundcube
sudo -u apache php composer.phar update

qmailforward

This plugin adds the ability for qmail users to edit their forward from within Roundcube with no need to ask their administrators for doing that via qmailadmin. It saves the forward to MySQL database in the vpopmail.valias table. Unlike the managesieve plugin, from which this plugin is inspired but which only apparently behaves in the same way, qmailforward does not use the sieve rules but saves the forwards on the database, also preserving the possibility of saving a record that enables the copy of messages on the mailbox. In this case the execution of your favorite delivery agent is launched, which can also be set from the configuration file.

Using this method instead of sieve rules allows qmail to keep the SPF policies in effect.

Copy from config.inc.dist.php into config.inc.php your modifications to the default config files. You have to enter at least your credentials to the database, which are those contained in ~vpopmail/etc/vpopmail.mysql.

NB: This plugin works only with my vpopmail patch and with vpopmail configured with --enable-defaultdelivery --enable-valias.

Help in the translations is welcome. Grab a file from the localization folder, translate in your language and send it via mail using the contact button above.

Password

  • Plugin name: password

This is shipped with Roundcube, so it doesn't need to be installed. You can use either vpopmaild or sql driver (thanks to John D. Trolinger).

This plugin provides some driver to enforce the password strenght and I tryied zxcvbn with no success. Fortunately Tony Fung explained in a comment how to patch the plugin to use cracklib as a password strenght library. If you want to use this approach read below.

Choosing the vpopmaild driver

# cd plugins/password
# cp -p config.inc.php.dist config.inc.php
# nano config.inc.php

$config['password_driver'] = 'vpopmaild';

// Determine whether current password is required to change password.
// Default: false.
$config['password_confirm_current'] = true;

// vpopmaild Driver options
// -----------------------
// The host which changes the password
$config['password_vpopmaild_host'] = '<mail-server-IP>';

// TCP port used for vpopmaild connections
$config['password_vpopmaild_port'] = 89;

Remember to replace <mail-server-IP> with the IP address of your MTA (generally localhost).

Choosing the sql driver

// We have MYSQL for our VPOPMAIL DATABASE so we use the sql driver
$config['password_driver'] = 'sql';

// Determine whether current password is required to change password.
// Default: false.
$config['password_confirm_current'] = true;

// SQL Driver options
// ------------------
// PEAR database DSN for performing the query. By default
// Roundcube DB settings are used.
// We have a VPOPMAIL DB  and the database and table name is vpopmail
$config['password_db_dsn'] =
'mysql://vpopmail:YOURPASSWORDGOESHERE@<mysql-IP>/vpopmail';

// The username and domainname are different columns JDT
$config['password_query'] = 'UPDATE vpopmail set
pw_passwd=ENCRYPT(%p,concat("$1$",right(md5(rand()),8 ),"$")),
  pw_clear_passwd=%p where pw_name=%l and pw_domain=%d';

// VPOPMAIL uses salted hash so md5 JDT
$config['password_crypt_hash'] = 'md5';

Here <mysql-IP> is the IP address of your sql server (put localhost if qmail and sql servers share the same IP).

Cracklib patch

You may want to patch the plugin to gain cracklib's security benefits (thanks to Tony Fung for the patch), so that both roundcube and qmailadmin share the same password check system:

cd /var/www/roundcube
wget https://notes.sagredo.eu/files/qmail/patches/roundcube/cracklib-roundcube_pwd_plugin.patch
patch -p1 < cracklib-roundcube_pwd_plugin.patch

Be aware that the cracklib library must be installed as already explained in the qmailadmin's page. You also have to remove exec from disable_functions in your php.ini.

Managesieve

Writes sieve scripts to filter the incoming mails (reject, move to a specific folders etc.). Note that to use this you must have Dovecot managesieve enabled.

cd /var/www/roundcube/plugins
cd managesieve
cp -p config.inc.php.dist config.inc.php

Modify in such a way the config file. Remember that the port of the dovecot-managesive service is now 4190 (2000 is obsolete).

$config['managesieve_port'] = 4190;
$config['managesieve_host'] = '<mail-server-IP>';
// Enables separate management interface for vacation responses (out-of-office) 
$config['managesieve_vacation'] = 1; 

NB: <mail-server-IP> is the IP address of your mail server (localhost if qmail and sql share the same IP).

And this is what you are going to see in the dovecot log simply setting a redirect filter

Oct 22 00:03:13 lda(test@yourdomain.net): Info: sieve: msgid=<c3445037f979a8cb793df1f858b7a4f9@somedomain.com>: forwarded to <someone@somewhere.net>

Remember that, in order to the sieve rules to take place, you have to setup the .qmail file at least for that user or the entire domain as explained earlier in the sieve note about Dovecot, otherwise the LDA will be vpopmail instead of Dovecot and the sieve rules will be ignored.

After ages of RoundCube usage I finally became aware ofthe fact that this plugin has separate management interface for vacation responses!

If you are using this plugin to create forwards, have a look to the qmailforward plugin which does the same without breaking the SPF. More info here.

SpamAssassin-User-Prefs-SQL

Writes the spamassassin user preferences in the DB. The user will be allowed to create a block/welcome list, to adjust the required_score and so on.

If you migrated to spamassassin v.4 you have to use the v. 1.20.1 which is not available on composer yet. So you have to download it from github and install by yourself:

cd /var/www/roundcube/plugins
wget https://github.com/johndoh/roundcube-sauserprefs/archive/refs/tags/1.20.1.tar.gz
tar xzf 1.20.1.tar.gz
mv roundcube-sauserprefs-1.20.1/ sauserprefs
cd sauserprefs
mv config.inc.php.dist config.inc.php

Adjust the configuration:

$config['sauserprefs_db_dsnw'] = 'mysqli://spamassassin:<PASSWORD>@<mysql-IP>/spamassassin';
$config['sauserprefs_sav4'] = true;

NB: <mysql-IP> is the IP address of your mysql server (localhost if the same of qmail).

If 'mysqli' extension is not available in your php, then choose the old 'mysql' in the line above.

If you have just upgraded to spamassassin v.4 you'd have to take a look to the following info.

Spamassassin userprefs' funcionality has been explained in this page. Now we have to check just the creation/modification of the record inside the userprefs table of the spamassassin DB.

Mark-as-junk

Adds the sender's email address to the blacklist, or run a command such as sa_learn.

  • Shipped with Roundcube
  • Plugin name: markasjunk
  • README (detailed drivers howto)

With this nice plugin the end user can add the sender's email address to the blacklist, or run a command such as sa_learn.

Create the config file from the template

cp config.inc.php.dist config.inc.php

sa_blacklist driver

  • Requires spamassassin-user-prefs (sauserprefs) plugin and Spamassassin Userprefs

Clicking on the button "Mark as Junk" creates a new "Black_list from" record in the database and moves the message in the Junk folder eventually marking it as read. Clicking on the button "Mark as Ham" creates a record "White_list from" in the database and restores the message in the Inbox.

To use the plugin with the driver sa_blacklist:

$config['markasjunk_learning_driver'] = 'sa_blacklist';

The following cmd_learn driver should not be used anymore, as we already setup a cronjob for training our bayesian filter and reporting our spam (more info here).

cmd_learn driver

This driver calls an external command to process the message. You can use it to call sa_learn and spamassassin in cascade. Be aware that you have to eventually remove shell_exec from disable_functions in your php.ini so that php can execute shell commands.

Prepare the shell script with the commands to run when clicking on the "Mark as junk" button. Save as /usr/local/bin/teach_spam.sh the following code

cat > /usr/local/bin/teach_spam.sh << __EOF__
#!/bin/bash
/usr/local/bin/sa-learn --spam --username=$1 $2 >> /var/log/spamassassin/sa_learn.log 2>&1​
/usr/local/bin/spamassassin --nocreate-prefs --report < $2 >> /var/log/spamassassin/spamassassin.log 2>&1
__EOF__

The first command feeds the mail to SpamAssassin, allowing it to 'learn' what signs are likely to mean spam. The latter one reports the mail as spam to Razor, Pyzor and Spamcop.

Now prepare the shell script with the commands to run when clicking on the "Mark as ham" button. Save as /usr/local/bin/revoke_spam.sh the following code

cat > /usr/local/bin/revoke_spam.sh << __EOF__
#!/bin/bash
/usr/local/bin/sa-learn --ham --username=$1 $2 >> /var/log/spamassassin/sa_learn.log 2>&1​
/usr/local/bin/spamassassin --nocreate-prefs --revoke < $2 >> /var/log/spamassassin/spamassassin.log 2>&1
__EOF__

Again, the first command feeds the mail to SpamAssassin, allowing it to 'learn' which signs are likely to mean ham. The latter one revoke the report to Razor. Apparently the revocation is not possible with Pyzor and Spamcop (but I didn't look deeply in my log yet).

Provide execute priviledges to the newly created scripts

chmod +x /usr/local/bin/teach_spam.sh /usr/local/bin/revoke_spam.sh

Set these options

$config['markasjunk_learning_driver'] = 'cmd_learn';
$config['markasjunk_spam_cmd'] = '/usr/local/bin/teach_spam.sh  %u %f';
$config['markasjunk_ham_cmd']  = '/usr/local/bin/revoke_spam.sh %u %f';

Setup che logrotate for the above log files:

cat > /etc/logrotate.d/spam_reports << __EOF__
/var/log/spamassassin/spamassassin.log /var/log/spamassassin/sa_learn.log {
su root apache
rotate 5
daily
missingok
notifempty
delaycompress
create 664 root apache 
sharedscripts
}
__EOF__

You have to assign +w priviledges to apache in the log dir and to Razor's identity-* files, as Roundcube is runned by apache:

chgrp apache /var/log/spamassassin
chmod g+w /var/log/spamassassin
chgrp apache /etc/mail/spamassassin/.razor/identity-*
chmod 640 /etc/mail/spamassassin/.razor/identity-*
chmod 644 /etc/mail/spamassassin/.razor/razor-agent.log

multi_driver driver

It is possible to run multiple drivers when marking a message as spam/ham. I patched the original version by Philip Weir to work with markasjunk and run sa_blacklist followed by cmd_learn.

Install as follows:

cd /var/www/roundcube/plugins/markasjunk/drivers
wget https://notes.sagredo.eu/files/qmail/patches/roundcube/markasjunk-multi_driver/multi_driver.txt
mv multi_driver.txt multi_driver.php

Set the correct driver in the config file:

$config['markasjunk_learning_driver'] = 'multi_driver';

Be aware that the markasjunk's multi_driver driver, when enabled, seems to prevent the display of the attached images. Why this driver is related to this problem is a mistery. Any comment on this will be welcome.

Context Menu

Adds context menus to the message list, folder list and address book. Menu includes the abilities mark messages as read/unread, delete, reply and forward.

No configuration is needed.

swipe

This plugin adds left/right/down swipe actions to entries in the the message list on touch devices (tables/phones).

Unfortunately this plugins does not have a config file of its own, so we have to add the configuration to the main RC config file. 

This is how I configured it for myself. Look at the README file to find the list of all actions available.

$config['swipe_actions'] = [ 
 'messagelist' => [ 
   'left'  => 'delete', 
   'right' => 'reply-all', 
   'down'  => 'checkmail' 
 ], 
 'contactlist' => [ 
   'left'  => 'compose', 
   'right' => 'compose', 
   'down'  => 'vcard_attachments' 
 ] 
];

New mail notifier

Supports three methods of notification:

  1. Basic - focus browser window and change favicon
  2. Sound - play wav file
  3. Desktop - display desktop notification (using webkitNotifications feature, supported by Chrome and Firefox with 'HTML5 Notifications' plugin)
  • Shipped by Roundcube
  • Plugin name: newmail_notifier

You can enable it simply renaming the config file...

cd plugins/newmail_notifier
cp config.inc.php.dist config.inc.php

...and choosing the notification method you like:

// Enables basic notification
$config['newmail_notifier_basic'] = true;

// Enables sound notification
$config['newmail_notifier_sound'] = true;

// Enables desktop notification
$config['newmail_notifier_desktop'] = false;

Persistent login

This nice plugin provides a "Keep me logged in" aka "Remember Me" functionality for Roundcube.

Unfortunately this is not available via composer. A fork of this on composer actually exists, but it's not updated and it's not working fine here. So let's install it manually

wget -O persistent_login-5.3.0.tar.gz https://github.com/mfreiholz/persistent_login/archive/refs/tags/version-5.3.0.tar.gz
tar xzf persistent_login-5.3.0.tar.gz
mv persistent_login-version-5.3.0 persistent_login
chown -R apache:apache persistent_login

The plugin works better for me with the sql driver, as the cookie driver sometimes disconnects me. So let's enable the sql driver in the config file:

cd persistent_login
mv config.inc.php.dist config.inc.php

Now turn on tokens here in your config file

$config['ifpl_use_auth_tokens'] = true;

I also renamed the php $rcmail_config variable to $config everywhere, because $rcmail_config is now obsolete in RoundCube.

Finally, if this is a fresh installation of this plugin, we have to create the MySQL table into the roundcube database. The sql code can be found in the sql/mysql.sql file:

USE roundcube;

CREATE TABLE IF NOT EXISTS `auth_tokens` (
`token` varchar(128) NOT NULL,
`expires` datetime NOT NULL,
`user_id` int(10) UNSIGNED NOT NULL,
`user_name` varchar(128) NOT NULL,
`user_pass` varchar(128) NOT NULL,
`host` varchar(255) NOT NULL,
PRIMARY KEY (`token`),
KEY `user_id_fk_auth_tokens` (`user_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

ALTER TABLE `auth_tokens`
ADD CONSTRAINT `auth_tokens_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `users` (`user_id`) ON DELETE CASCADE;

Zip download

  • Shipped by RoundCube
  • Plugin name: zipdownload

Adds an option to download all attachments to a message in one zip file, when a message has multiple attachments. Also allows the download of a selection  of messages in one zip file. Supports mbox and maildir format.

Rename the template of config file and adjust the few options as you like. I left the default options intact.

mv config.inc.php.dist config.inc.php

Enigma

  • More info here
  • Requires: gpg (gnupg and libgpg-error on Slackware systems)
  • Shipped by Roundcube
  • Plugin name: enigma

Update: the enigma plugin included in 1.3.1 version seems to be not compatible with the old version of Crypt_GPG

This plugin adds support for viewing and sending of signed and encrypted messages in PGP (RFC 2440) and PGP/MIME (RFC 3156) format.  The plugin uses gpg binary on the server and stores all keys (including private keys of the users) on the server. Encryption/decryption is done server-side. So, this plugin is for users who trust the server.

Create a config file

cd /var/www/roundcube/plugins/enigma
cp -p config.inc.php.dist config.inc.php

The keys are stored by the server in the enigma/home dir. Let's move that dir to a folder that is not accessible from the web and assign to apache write permissions

mkdir -p /var/www/roundcube-enigma-home
chown -R root:apache /var/www/roundcube-enigma-home
chmod -R g+w /var/www/roundcube-enigma-home

Now modify your apache configuration to grant proper permissions to apache in the newly created dir:

Require all granted

Don't forget to restart your web server, for example:

apachectl restart

Now modify the enigma config file to point to the new home dir:

$config['enigma_pgp_homedir'] = '/var/www/roundcube-enigma-home';

The enigma plugin requires that the Crypt_GPG library is installed exactly in your /var/www/roundcube/plugins/enigma/lib/Crypt_GPG dir. Considering that roundcube resets the default include_path php variable (which is set by php.ini to /path/to/php/lib), if you choose to install it using pear you will get a "Server error". So let's manually download and install the package in the proper folder 

cd /var/www/roundcube/plugins/enigma/lib
wget http://download.pear.php.net/package/Crypt_GPG-1.6.2.tgz
tar xzf Crypt_GPG-1.6.2.tgz
ln -s Crypt_GPG-1.6.2/Crypt
chown -R root:apache Crypt*

The set up of the certificates is easy. Refer to this blog page for more info.

Attachment reminder

  • Shipped by Roundcube
  • Plugin name: attachment_reminder

A nice plugin that reminds a user to attach the files. You have to enable it via Settings->Composing messages.

Other plugins

I leave here the documentation for plugins that I've used in the past or that are no longer valid for the current version of Roundcube, in case they can still be useful for someone or for myself in the future.

rcguard

This plugin logs failed login attempts and requires users to go through a reCAPTCHA verification process when the number of failed attempts go too high. This provides protection against automated attacks.

mv config.inc.php.dist config.inc.php

You have to obtain a key from http://www.google.com/recaptcha. Put the key in your config file:

> nano config.inc.php

// Public key for reCAPTCHA
$config['recaptcha_publickey'] = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';

// Private key for reCAPTCHA
$config['recaptcha_privatekey'] = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';

Create the mysql table where to store the logs of all failed attempts. IPs are released after a certain amount of time.

> mysql -u root -p
mysql> use roundcube;

CREATE TABLE `rcguard` (
  `ip` VARCHAR(40) NOT NULL,
  `first` DATETIME NOT NULL,
  `last` DATETIME NOT NULL,
  `hits` INT(10) NOT NULL,
  PRIMARY KEY (`ip`),
  INDEX `last_index` (`last`),
  INDEX `hits_index` (`hits`)
) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;

quit;

That's it. The captha will be active after 5 failures. You can set this number in the config file.

Different themes and translations of recaptcha are available. Simply edit rcguard.js. For documentation, see:  https://developers.google.com/recaptcha

autologon

Performs an auto login from an external page

  • Shipped by Roundcube
  • Plugin name: autologon

You have to modify the default Thomas Bruederli's sample plugin like this (eventually change to $_GET):

<?php

/**
 * Sample plugin to try out some hooks.
 * This performs an automatic login if accessed from localhost
 *
 * @license GNU GPLv3+
 * @author Thomas Bruederli
 */
class autologon extends rcube_plugin
{ 
  public $task = 'login';

  function init()
  {
    $this->add_hook('startup', array($this, 'startup'));
    $this->add_hook('authenticate', array($this, 'authenticate'));
  }

  function startup($args)
  {
    $rcmail = rcmail::get_instance();

    // change action to login
    if (empty($_SESSION['user_id']) && !empty($_POST['_autologin']) && $this->is_localhost())
      $args['action'] = 'login';

    return $args;
  }

  function authenticate($args)
  {
    if (!empty($_POST['_autologin']) && $this->is_localhost()) {
      $args['user'] = $_POST['_user'];
      $args['pass'] = $_POST['_pass'];
      $args['host'] = '[localhost | mail-server-IP]';
      $args['cookiecheck'] = false;
      $args['valid'] = true;
    }

    return $args;
  }

  function is_localhost()
  {
    return true;
//    return $_SERVER['REMOTE_ADDR'] == '::1' || $_SERVER['REMOTE_ADDR'] == '127.0.0.1';
  }

}

 

Use a form like this one in your CMS page:

<form name="form" action="http://your.webmail.url/" method="post">
<input type="hidden" name="_action" value="login" />
<input type="hidden" name="_task" value="login" />
<input type="hidden" name="_autologin" value="1" />

<table>
<tr>
    <td>Utente</td>
    <td><input name="_user" id="rcmloginuser" autocomplete="off" value="" type="text" /></td>
</tr>
<tr>
    <td>Password</td>
    <td><input name="_pass" id="rcmloginpwd" autocomplete="off" type="password" /></td>
</tr>
<tr>
    <td colspan="2"><input type="submit" value="Login" /></td>
</tr>
</table>

</form>

Logout redirect

This plugin is not tested against Roundcube 1.4.1

In case you have installed the autologon plugin this one could be useful to redirect users to the home page of your site upon logout.

cd /var/www/roundcube/plugins
wget http://notes.sagredo.eu/files/qmail/tar/RC-plugins/logout_redirect_rc0.5_v1.2-MN.tar.gz
tar xzf logout_redirect_rc0.5_v1.2-MN.tar.gz
cd logout_redirect
chown -R root.apache logout_redirect
chmod -R o-rx logout_redirect

The plugin logout_redirect must be the last in the list of plugins in the main.inc.php otherwise the subsequent plugins will no longer run.

Configure like this editing the config.inc.php inside the plugin's config folder:

$ config['logout_redirect_url'] = 'http://www.yoursite.net';

CardDav

This is a plugin to access CardDAV servers like ownCloud or SoGO.

This plugin was not tested against Roundcube 1.4

Setup the database tables using the suitable file saved in the dbmigrations/0000-dbinit/ subfolder.

Then you can configure you addressbook. If you use an ownCloud server, this is how to do it:

If you have an Android phone you may want to take a look to the CardDAV application here.

Troubleshoting

If you get a curl error like this when downloading the dependencies

All settings correct for using Composer

PHP Warning:  failed loading cafile stream: `/etc/ssl/certs/cacert.pem' in - on line 762
PHP Warning:  file_get_contents(): Failed to enable crypto in - on line 762
PHP Warning:  file_get_contents(https://getcomposer.org/versions): failed to open stream: operation failed in - on line 762
PHP Warning:  Invalid argument supplied for foreach() in - on line 508
None of the 0 stable version(s) of Composer matches your PHP version (5.6.21 / ID: 50621)

then you have to install a cert bundle:

cd /etc/ssl/certs
wget --no-check-certificate http://curl.haxx.se/ca/cacert.pem

and tell php where to find it editing your php.ini

openssl.cafile=/etc/ssl/certs/cacert.pem

Comments

roundcube - sieve

sieve - vacationn - iv made it to login default or tls ... but still anyway it sends somehow the vacation autorespond WITHOUT to be DKIM signed !

any ideas ?

Reply |

roundcube - sieve

iv made it to login default or tls .

I can't get what you mean here

Is DKIM working on ordinary outgoing email? Which port are you using? Post the dkim config on that port

Reply |

roundcube - sieve

roundcube config - port 587 host localhost - regular got signed

managesieve - port 587, host localhost - got NOT signed 

Reply |

roundcube - sieve

Can you post your DKIM configuration and the dot-qmail of user and domain?

Reply |

roundcube - sieve

The difference:

normal send:

by simscan 1.4.0 ppid: 6458, pid: 6459, t: 0.1536s scanners: attach: 1.4.0 clamav: 0.103.0/m:62/d:27211
v=1; a=rsa-sha1; c=relaxed/relaxed; d=factor-r.net; s=default; x=1710766315; h=MIME-Version:Date: From:To:Subject:User-Agent:Message-ID:Content-Type: Content-Transfer-Encoding; bh=zhyQoHIR/V9AlqSiL4FIQ8iciJE=; b=Jr sxUJRpXqMCdLYJq3/tA4R0lYNT4CUr5bvWlmenMYPc1n4sHAVtIaFc3NqMhG+sEk I6PioiavupphFZurb6Ai92uiJMOSrTFylw+7YQQqw+iR87Izn7KGXhGQD6uWLGlN cvxrMvMcYMWUnwbxk0x4Psn0y4Fchnm3ycsJU8HPU=
from unknown (HELO webmail.factor-r.net) (ivo@factor-r.net) by masterx.helixpress.com with ESMTPA; 11 Mar 2024 14:51:55 +0200

vacation autoreply:

by simscan 1.4.0 ppid: 6784, pid: 6802, t: 0.0907s scanners: attach: 1.4.0 clamav: 0.103.0/m:62/d:27211
from unknown (HELO masterx.helixpress.com) () by 0 with SMTP; 11 Mar 2024 14:52:52 +0200
1.0
text/plain; charset=utf-8
8bit
Pigeonhole Sieve 0.5.0.1 (d33dca20)
auto-replied (vacation)
bulk
All

It replays with defaultdomain ...

Reply |

roundcube - sieve

it is an older install - so there is no .qmal for users

it has .qmail-default for domain: |/var/qmail/bin/preline -f /usr/local/dovecot/libexec/dovecot/deliver -d $EXT@$USER -e | /home/vpopmail/bin/vdelivermail '' delete

rc:

#!/bin/sh
# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default

DKIMDOMAIN=`cat /var/qmail/control/dkimdomain`
# DKIM signign at qmail-remote level
exec env - PATH="/var/qmail/bin:$PATH" \
QMAILREMOTE=/var/qmail/bin/spawn-filter \
DKIMSIGNOPTIONS="-z 2" \
DKIMDOMAIN="$DKIMDOMAIN" \
NODK=1 \
FILTERARGS=/var/qmail/bin/dk-filter \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

smtpd - run:

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`

# This enables greetdelay for qmail-smtpd
export SMTPD_GREETDELAY=0
export GREETDELAY=1
export DROP_PRE_GREET=1

# This enables chkuser
export CHKUSER_START=DOMAIN

# DKIM - SURBL configuration
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
#export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export SURBL=1 # Comment out to enable SURBL filtering
export QMAILQUEUE=/var/qmail/bin/surblqueue # executes surblfilter
export SURBLQUEUE=/var/qmail/bin/qmail-dkim # executes qmail-dkim after sublfilter
export DKIMQUEUE=/var/qmail/bin/simscan # simscan is executed after qmail-dkim
# DKIM verification. Use carefully
export DKIMVERIFY="FGHKLMNOQRTVWjp"
# This is to avoid verification of outgoing messages
export RELAYCLIENT_NODKIMVERIFY=1

# This turns off TLS on port 25
export DISABLETLS="1"

# Requires that authenticated user and 'mail from' are identical
#export FORCEAUTHMAILFROM="1"

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
export RCPTCHECK=/var/qmail/bin/rcptcheck-overlimit.sh
export RCPTCHECKRELAYCLIENT="1"

# This enables simscan debug
#export SIMSCAN_DEBUG=4

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
/usr/local/bin/tcpserver -v -H -R -l 0 \
-x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 25 \
/var/qmail/bin/qmail-smtpd 2>&1

submission run:

#!/bin/sh

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`
LOCAL=`head -1 /var/qmail/control/me`

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMQUEUE=/var/qmail/bin/simscan

# You MUST export this, otherwise you'd get a 30 sec timeout
# "!" if you want the submission feature (auth required)
export SMTPAUTH="!"

# This enables greetdelay for qmail-smtpd.
export SMTPD_GREETDELAY=1
export DROP_PRE_GREET=1

# This enables chkuser
export CHKUSER_START=ALWAYS

# This makes qmail to allow connections without TLS (default 1)
#export FORCETLS=0

# This turns off TLS on port 587 (default 0)
#export DISABLETLS=1

# Requires that authenticated user and 'mail from' are identical (default 0)
export FORCEAUTHMAILFROM=1

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
export RCPTCHECK=/var/qmail/bin/rcptcheck-overlimit.sh
export RCPTCHECKRELAYCLIENT=1

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
/usr/local/bin/tcpserver -v -H -R -l "$LOCAL" \
-x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1

Reply |

roundcube - sieve

it has .qmail-default for domain: |/var/qmail/bin/preline -f /usr/local/dovecot/libexec/dovecot/deliver -d $EXT@$USER -e | /home/vpopmail/bin/vdelivermail '' delete

Which is the reason why you have both dovecot and vpopmail handling the delivery? I think that in this way you'll have every messages saved twice in the mailbox

Reply |

roundcube - sieve

First - the .qmail-deafult comes from your website in the year of install creation 

Also : The last parameter in the .qmail-default file tells vdelivermail what to do with non-matching emails. -

in the case it deletes them - so its right - im not gettin mails twice

I'm not investigated which part of scripts in fact signs the e-mails 

but all mails get signed - except sieve ones - i think it uses port 25 directly - others are instructed to use 587

Reply |

roundcube - sieve

I'm not investigated which part of scripts in fact signs the e-mails

but all mails get signed - except sieve ones - i think it uses port 25 directly - others are instructed to use 587

considering your posted configuration files, you are signing at qmail-remote level, so you have to look at the RC file. When signing at qmail-remote level you run the script spawn-filter by means of the variable QMAILREMOTE in your RC file. spawn-filter is run before the message is queued

exec env - PATH="/var/qmail/bin:$PATH" \ 
QMAILREMOTE=/var/qmail/bin/spawn-filter \ 
qmail-start "`cat /var/qmail/control/defaultdelivery`" 

spawn-filter uses the file control/filterargs (or the variable FILTERARGS) to decide which program to run. Here is an example of control/filterargs

*:remote:/var/qmail/bin/qmail-dkim:DKIMQUEUE=/bin/cat,DKIMSIGN=/var/qmail/control/domainkeys/%/default,DKIMSIGNOPTIONS=-z 2

so qmail-dkim is the program which finally inserts the signature in the message's header

As you can see from my qmail changelog the logic of the DKIM program has been recently changed and it solves the sieve/vacation signature issue. So you have to update your qmail. Be aware that dk-filter and DKIMDOMAIN NODK and other variables have been dropped.

If you are signing with an old version of my qmail, the sieve/vacation DKIM signature won't work.

I've never tested such things with the dovecot proxy in the middle, so if you don't have particular reasons to use the dovecot submission service I suggest to disable it, at least during the initial DKIM tests

Reply |

roundcube - sieve

Which qmail version do you have? In the latest version the dkim setup has been modified and your config should be updated accordingly.

Secondly, you are trying to sign twice, 1 in RC at qmail-remote level, 2 in qmail-smtpd.

But you have roundcube configured to send from port 587, so you are signing only at qmail-remote level here

Reply |

roundcube - sieve

Secondly, you are trying to sign twice, 1 in RC at qmail-remote level, 2 in qmail-smtpd.

sorry forget about that. It's not correct as it serves for the verification

Reply |

roundcube - sieve - dovecot sieve

if user has .sieve filter with mail redirection (uses submission_host) now dovecot submission_host is in 15-lda.conf - localhost:25 - but cant see auth settings ... when i change it to localhost:587 - it complains for auth ...

Reply |

roundcube - sieve

So now iv got the logic - its ok from my side - i sign on 587 but dovecot sieve autoresponds on port 25 

- can not see any way to configure it to use 587 -  any other ideas ?

Reply |

roundcube - sieve

No, considering your config files you are not signing at smtpd level. You are signing at qmail-remote level. Let me explain it in reply to your other post

Reply |

qmailforward

plugin qmailforward asks for php 8.0=> why???!!! :(

this new version of qmail install is all agains keep it simple and stable policy of slackware ... 

Reply |

qmailforward

plugin qmailforward asks for php 8.0=> why???!!! :(

because 8.0 and 8.2 are the php version I tested. If you tested it against php-7.4 I can lower the minimum version required.

this new version of qmail install is all agains keep it simple and stable policy of slackware ... 

what do you mean?

Reply |

corrections

cd /var/www/roundcube/htdocs/plugins <-- must be: cd /var/www/roundcube/plugins
wget https://github.com/johndoh/roundcube-sauserprefs/archive/refs/tags/1.20.1.tar.gz
tar xzf 1.20.1.tar.gz
mv roundcube-sauserprefs-1.20.1/ sauserprefs
cd sauserprefs <-- add this mv config.inc.php.dist config.inc.php

Reply |

corrections

Thank you. Corrected

Reply |

Managesieve - vacations , something is missing !

Hi

I configured managesive on RC for vacations only
Dovecot, pingehole, managesieve, all is working
I configured the vacations form the webmail, the files are created, but  the autoreply don't work

I read more and I found that the .qmail file must exit with the next text :

|/var/qmail/bin/preline -f /usr/local/libexec/dovecot/deliver -d $EXT@$USER

So, I created and everyting star working

The questions is .... why the .qmail file is not created / modified for the managesieve plugin ? or is there other way to make the vacation works without the .qmail file ?

Txs
Pablo Murillo

Reply |

Managesieve - vacations , something is missing !

Hi Pablo,

are you creating the vacation message with the managesieve "out of office" RC plugin? Then dovecot has nothing to do with .qmail files. You have to look for a sieve rule into the ~mailbox/.sieve folder.

If you want to handle the vacation message with dot-qmail files you have to use qmailadmin and not the RC "out of office" plugin

PS if you are using the sieve rule to generate the vacation message, I suggest to update you qmail patch because DKIM has improvements in making DKIM/DMARC valid in such cases, especially with google

Reply |

Managesieve - vacations , something is missing !

Hi Roberto

Yes, I'm  using managesieve "out of office" RC plugin
The plugin create the folder .sieve and all the files, but when the email arrives to the mailbox nothing happens if the .qmail file not exists
The email is managed with qmail, and qmail, only look for .qmail files
If I don't have a .qmail file, the sieve scritp never is proceced
May be I'm doing something wrong or forget to do something ?

Reply |

Managesieve - vacations , something is missing !

what do you have in ~vpopmail/domain/yourdomain/.qmail-default?

PS and what do you have in ~vpopmail/domain/yourdomain/user/.qmail? do you have sql valiases for that mailbox?

Reply |

Managesieve - vacations , something is missing !

Let me put few things about how sieve and dot-qmail files are related

To have sieve active, you have to enable the dovecot-lda in your dot-qmail (domain/.qmail-default or mailbox/.qmail) in this way

|/var/qmail/bin/preline -f /usr/local/dovecot/libexec/dovecot/deliver -d $EXT@$USER

More info here https://notes.sagredo.eu/en/qmail-notes-185/sieve-interpreter-dovecot-managesieve-31.html#lda

You can do the same in an sql valias.

If dovecot-lda is not enabled in your dot-qmail file, then sieve won't work and vpopmail has the responsibility for the delivery. But in that case you can call qmail autoresponder in your dot-qmail (qmailadmin panel).

Reply |

Managesieve - vacations , something is missing !

Yes, we wrote at the same time

So, I'm right,  :D sieve don't work if I don't have a .qmail file in user folder with the line to invoke deliver (deliver -> dovecot-lda), I will have to modify the managesieve plugin to write that file too !
I'm testing what happens if I add a line in valias
Anyway, I will need to modify the php script from managesieve because, don't work as is :D

Reply |

Managesieve - vacations , something is missing !

Hi

I have vpopmail with
--enable-mysql-limits
--enable-valias
--disable-many-domains

.qmail-default  = normally, only the "catch all" or the reject unknow user

| /usr/local/vpopmail/bin/vdelivermail '' postmaster @ DOMAIN

in user folders, normally, there is not .qmail file

Reply |

Managesieve - vacations , something is missing !

so, as explained in my previous post (we were writing at the same time), you have to enable dovecot-lda in user's valias record

if you configured vpopmail with --enable-defaultdelivery this is done by vpopmail for you when you create the users

Reply |

Two pointers to be able to make Cracklib patch to work

Two small adjustments I had to do in order to make the Cracklib patch to work:

1. In the patch, the path to cracklib-check is /usr/sbin/cracklib-check, however here in my server I was installed under /usr/local/sbin/cracklib-check

2. Remove exec from disable_functions in php.ini

Cheers.

Reply |

Two pointers to be able to make Cracklib patch to work

I improved the patch so that the program will find the correct path for cracklib-check. I also added an advice to remove exec from disable_functions

Reply |

QuickRules

Hi Mr Roberto,

the weblink to download quickrules is broken, is it no more support for this plugins?

thank you

Reply |

QuickRules

No, you can see that I wrote the same above

Reply |

password plugin patch for cracklib

Hi Roberto,

I created a patch for password plugin to check password with cracklib. So that both roundcube and qmailadmin have same password check ability.

The patch for vpopmaild in use at password_driver:

--- vpopmaild.php       2020-06-07 19:11:57.000000000 +0800
+++ vpopmaild.php.new   2020-07-03 10:49:10.916730102 +0800
@@ -33,6 +33,16 @@
         $host      = $rcmail->config->get('password_vpopmaild_host');
         $port      = $rcmail->config->get('password_vpopmaild_port');
+        exec("echo ".$passwd." | /usr/sbin/cracklib-check 2>/dev/null", $output, $return_var);
+
+        if(preg_match("/^.*\: ([^:]+)$/", $output[0], $matches)) {
+            // Check response:
+            if(strtoupper($matches[1])!=="OK") {
+                // Cracklib doesn't like it:
+                return PASSWORD_CONSTRAINT_VIOLATION;
+            }
+        }
+
         $result = $vpopmaild->connect($host, $port, null);
         if (is_a($result, 'PEAR_Error')) {
             return PASSWORD_CONNECT_ERROR;

The patch for sql in use at password_driver:

--- sql.php     2020-06-07 19:11:57.000000000 +0800
+++ sql.php.new 2020-07-03 12:14:18.452237835 +0800
@@ -37,6 +37,16 @@
     {
         $rcmail = rcmail::get_instance();
+        exec("echo ".$passwd." | /usr/sbin/cracklib-check 2>/dev/null", $output, $return_var);
+
+        if(preg_match("/^.*\: ([^:]+)$/", $output[0], $matches)) {
+            // Check response:
+            if(strtoupper($matches[1])!=="OK") {
+                // Cracklib doesn't like it:
+                return PASSWORD_CONSTRAINT_VIOLATION;
+            }
+        }
+
         if (!($sql = $rcmail->config->get('password_query'))) {
             $sql = 'SELECT update_passwd(%c, %u)';
         }

Hence, thanks for your hard works to modify qmailadmin. Its much better than original.

Reply |

password plugin patch for cracklib

cracklib is not working with the latest 1.4.7 version. I'm reversing the patch for the time being. I'll try to do a fix asap

Reply |

password plugin patch for cracklib

Hi Roberto,

I just installed Roundcube 1.4.7 and verified that the cracklib and the patch still can work well.  Be aware the patch require "exec" is allowed in php that could not list in "disable_functions" in "php.ini".

Reply |

password plugin patch for cracklib

I applied the patch and updated the guide. Thanks again

Reply |

Markasjunk plugin

Hi all,

I spent a few hours to make markasjunk to work with all learning and reporting options we had setup with SpamAssassin, so here are few pointers.

1. You will need to remove shell_exec from disable_functions in php.ini

2. If you want to run two drivers (e.g. blacklist + sa-learn), you should create a new driver script based on the one linked below, adjusting it for your needs: https://gist.github.com/JohnDoh/8173505

3. In our case, we wanted to run two commands, not only sa-learn, but also spamassassin -r, which automatically reports spam to SpamCop, Pyzor, and Razor. Therefore, we created a small script:

#!/bin/bash
/usr/local/bin/sa-learn --spam -u$1 $2
/usr/local/bin/spamassassin -x -r <$2

Save it as /usr/local/bin/teach_spam.sh, and chmod 755 /usr/local/bin/teach_spam.sh

In /plugins/markasjunk/config.inc.php, adjust:

$config['markasjunk_learning_driver'] = 'cmd_learn';
$config['markasjunk_spam_cmd'] = '/usr/local/bin/teach_spam.sh %u %f';
$config['markasjunk_ham_cmd'] = '/usr/local/bin/sa-learn --ham --username=%u %f';

Now, you must make sure you have Razor correctly configured in your system. Follow the instructions presented in:

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/RazorSiteWide

Here, as pointed out at the end of the guide, we didn't need to bother with adding a new group, but make sure to adjust permissions or Razor reporting will fail with: razor2 report failed: No such file or directory Razor2 reporting requires authentication at

chmod 777 /etc/mail/spamassassin/.razor/razor-agent.log
chmod 644 /etc/mail/spamassassin/.razor/identity-

This last line was what took me hours to discover why I was getting the error I listed above. is the username you have to create with the razor-admin during the steps listed in the link above.

As for SpamCop, you must create an account there and get your custom reporting email address: https://www.spamcop.net/

As for Pyzor, Roberto didn't add it in his guide, and I highly recommend it. With Debian, all I needed to do was:

apt-get install pyzor

Make sure you have enabled SpamCop, Pyzor, and Razor in your /etc/mail/spamassassin/local.cf file:

spamcop_from_address 
spamcop_to_address
razor_config /etc/mail/spamassassin/.razor/razor-agent.conf
pyzor_options --homedir /etc/mail/spamassassin/pyzor
pyzor_timeout 20

Don't forget to create the pyzor directory:

mkdir /etc/mail/spamassassin/pyzor
chown spamd:spamd /etc/mail/spamassassin/pyzor

Cheers.

Reply |

Markasjunk plugin

I slightly modified the multi_driver plugin ro run both cmd_learn and sa_blacklist. It's working fine here... have a look (diff here)

Reply |

Markasjunk plugin

I've just added Razor2, Pyzor, Spamcop to spamassassin's configuration and cmd_learn driver info to markasjunk plugin.

Thanks Gabriel for this great contribution

Reply |

Markasjunk plugin

Great, thank you! I'll check it out

Reply |

Small improvement on the guide regarding IP addresses

Hi Roberto,

Following the recommendation I did in the other page, I think you should remember people to edit these:

your-IP
[mysql-IP]
mail-server-IP

People can simply copy and paste and forget to change it. Also, see how each time you use a different convention, you should use the same convention such as localhost or <IP ADDRESS>.

Cheers

Reply |

Small improvement on the guide regarding IP addresses

Thanks for the advice, I'll do it. Concerning convention, as you know, these three are not the same IP, as the mysql-IP is the IP of the database server to be distinguished from the IP of the mail server (mail-server-IP)

PS: sorry if I leave indications to replace the correct IP instead of putting localhost. Infact, in the general case, it can be difficult for people like me having the services installed in different virtual machines to remember which IP should replace localhost among the following

- the firewall 

- the mail server

- the sql server

- the apache server hosting RoundCube, which calls spamassassin with a mysql account different from the one that is used by spamd

Reply |

Thanks for the config help with sauserprefs

Thanks for posting your config notes here. This was the only page I could find where the initial SQL to set up sauserprefs was posted. The author's Git repo and plugin documentation says nothing about the subject, and the plugin doesn't work until it's properly set up. Please do keep your notes online. :-)

Reply |

Thanks for the config help with sauserprefs

Hi Dave, have a look here https://cwiki.apache.org/confluence/display/SPAMASSASSIN/UsingSQL

This page concerns the Roundcube's plugin which connects to the sauserprefs spamassassin's program. So the SQL stuff is up to spamassassin not RC

Reply |

Thanks for the config help with sauserprefs

I had a look at that page, but there was no explicit reference to RC's sauserprefs module, so I would not have easily found the setup query. Still your notes were the only savior for a newbie to the plugin. The plugin's documentation needs updating, I'm going to volunteer to do that. Thanks again, man! ;-)

Reply |

Thanks for the config help with sauserprefs

Thank you, of course every contribution from you would be welcome, as most of the improvements to this guide in latest years come from its visitors

Reply |

markasjunk skin not working

Hi all,

Plugin markasjunk is lacking of elastic skin. If i change to larry skin, it works. Hoping someone can help to fix this.

Many thanks
nic

Reply |

markasjunk skin not working

It works here. 

Sure that you're not still using the old markasjunk2 plugin?

Reply |

markasjunk skin not working

Sorry. Found out that it was a very old version of sauserprefs

Reply |

roundcube plugin for change password and set vacation message in qmailadmin cgi-module

roundcube plugin for change password and set vacation message in qmailadmin cgi-module

https://github.com/internero/roundcube-qmailadmin

Reply |

rcguard

i installed rcguard and tested it.

it woks but i see a recaptcha wher i have to fill with text how can i change that to the same recaptcha u use with i'm not a robot

thanks

Reply |

rcguard

Unfortunately this plugin is recaptcha-1.1 based (or 1.0?), while the one that you can see below the comment form is v. 2.0. Take a look to this one https://github.com/dsoares/rcguard which should be a fork of the previous one and it's based on recaptcha v. 2.0. Please let me know if it works fine

Reply |

rcguard

changed to the new version and it works fine after giving the right password and clicking the recaptcha it logs me in

if i click on the recaptcha i get a challenge could this be changed in the preferences of the google recapthcha security settings.

i mean the difficulty off the challange or no challange at all like here with your recaptcha.

thanks very much for the info

Reply |

rcguard

thank you. I've just checked myself and updated this page

Reply |