Roundcube webmail

February 14, 2024 by Roberto Puzzanghera 12 comments

Feb 12, 2024: Roundcube webmail bug now exploited in attacks. It is sufficient to update Roundcube to the latest version.


Roundcube is a full-featured webmail client with a nice interface.

Changelog

  • Jan 21, 2024
    RC upgraded to v. 1.6.6
    - new $config['imap_host'] variable
    - all my SMTP config options were stripped from my configuration file and I had to restore them
  • Jan 3, 2021
    disabled the SMTP authentication when sending messages via RC. SMTP port changed to 25.

Read the release notes at https://github.com/roundcube/roundcubemail/blob/master/CHANGELOG.md for more info.

Upgrading

The upgrade process is quite straightforward: untar the package in a temporary directory, move the old folder to be upgraded and run the upgrade shell script. I assume that Roundcube is installed in the /var/www folder.

RC_NEW=1.6.6
RC_OLD=1.6.5

cd /var/www
# remove the temporary dir of a previous upgrade if still present
rm -rf rc-temp

wget https://github.com/roundcube/roundcubemail/releases/download/${RC_NEW}/roundcubemail-${RC_NEW}-complete.tar.gz
tar xzf roundcubemail-${RC_NEW}-complete.tar.gz
# move new version folder to a temporary folder. We'll run the update from there
mv roundcubemail-${RC_NEW} rc-temp
# remove the symbolic link. We'll restore it later
rm roundcube
# copy the old version's folder to the new dir. We are going to overwrite it during the upgrade process.
cp -rp roundcubemail-${RC_OLD} roundcubemail-${RC_NEW}
# restore the symbolic link
ln -s roundcubemail-${RC_NEW} roundcube
# Ready to start the upgrade..
./rc-temp/bin/installto.sh roundcube/

Follow the instructions. Be aware that this process requires that the php and rsync commands are in your PATH.

At the end you can erase the temporary folder and also the old installation folder:

rm -r rc-temp roundcubemail-${RC_OLD}

Now upgrade your installed plugins

sudo -u apache php composer.phar update --no-dev

Troubleshooting

The installation of the various plugins is now centralized in the https://plugins.roundcube.net/ repository, and the update process is managed via composer, which has to be updated itself when migrating from v. 1.3.x. In fact, I received this warning as soon as I started the plugins update process:

# sudo -u apache php composer.phar update --no-dev
Warning: This development build of composer is over 30 days old. It is recommended to update it by running "composer.phar self-update" to get the latest version

Unfortunately my installed composer turned out not to be compatible with php-7.2, so I had to upgrade it manually by downloading and replacing the composer.phar file. Since composer has to be run by apache, I also had to let apache overwrite this file for future self-upgrades (in my case it was owned by root:apache):

chmod g+w composer.phar

During my update attempts from the command line, I realized that the /srv folder must also be writable by apache, because it has to create an inner "httpd" folder, so I granted full privileges to apache in /srv:

chown -R apache /srv/

To avoid errors, remember to give apache write privileges on the plugins and vendor folders and also on the composer.lock and composer.phar files:

chown -R apache vendor plugins composer.lock composer.phar

crypt_gpg caused me problems because of broken links that I solved in this way:

cd vendor/bin
rm crypt-gpg-pinentry
ln -s ../pear/crypt_gpg/scripts/crypt-gpg-pinentry crypt-gpg-pinentry

Another new requirement is that php needs ldap support in order to manage the updates via composer, so I had to enable ldap by compiling php with this option:

--with-ldap

Requirements

Before starting look at the basic requirements here.

I will show how to install it in a Linux/Apache/MySQL/PHP + qmail environment.

php configuration

Here is a minimal php configuration which meets all of Roundcube's requirements above in my Slackware environment:

./configure \
        --with-libdir=lib64 \
        --with-mysqli=/usr/bin/mysql_config \
        --with-pdo-mysql=/usr \
        --disable-mysqlnd \
        --with-mcrypt \
        --enable-gd \
        --enable-mbstring \
        --with-zip \
        --with-zlib \
        --with-bz2 \
        --enable-sockets \
        --with-openssl \
        --enable-intl \
        --with-ldap

Note that an additional recommended extension is intl (--enable-intl), which is now bundled in PHP. intl requires the ICU headers and libraries.

Installing Roundcube

Download the tarball from http://roundcube.net/download, untar it and set the folders' privileges:

cd /var/www
tar xzf roundcubemail-x.x.x.tar.gz
ln -s roundcubemail-x.x.x roundcube
cd roundcube
chown -R root:apache .
chmod -R o-rx .
chmod g+w logs temp

Create the mysql user and database; grant that user limited privileges. If MySQL and Apache live on the same host, use 127.0.0.1 as <apache-IP> in the following example (it has been reported that using localhost causes a segfault on php-7.4.33 during the install process):

> mysql -u root -p

CREATE USER 'roundcube'@'<apache-IP>' IDENTIFIED BY '***';
GRANT USAGE ON * . * TO 'roundcube'@'<apache-IP>' IDENTIFIED BY '***' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

CREATE DATABASE IF NOT EXISTS `roundcube` /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
GRANT ALL PRIVILEGES ON `roundcube` . * TO 'roundcube'@'<apache-IP>';

Set up an Apache virtual host like this:

Define LOGDIR /var/log/apache
Define DOMAIN yourdomain.tld

<VirtualHost *:80> 
       ServerName webmail.${DOMAIN}
       RedirectMatch permanent ^/$ https://webmail.${DOMAIN}
</VirtualHost> 

<VirtualHost *:443> 
       Include <certs stuff>

       DocumentRoot /var/www/roundcube/ 
       ServerName webmail.${DOMAIN}

       CustomLog ${LOGDIR}/roundcube.f2b_SSL.log combined 
       ErrorLog  ${LOGDIR}/roundcube_error_SSL.log 

       <Directory /var/www/roundcube/> 
               Require all granted 
               AllowOverride All 
       </Directory> 

#       <Directory /var/www/roundcube-enigma-home/> 
#               Require all granted 
#       </Directory> 

       <IfModule mod_autoindex.c> 
               Options -Indexes 
       </IfModule>
</VirtualHost>

Now point your browser to https://webmail.yourdomain.tld/installer/ and follow the instructions. I leave the setup options unchanged except for the MySQL interface (select mysqli if available in your http server). Don't forget to copy the database parameters and set the IP address of the IMAP server. Set username_domain to your default_domain, and typing just the username will be sufficient to log in.

Copy the file defaults.inc.php to config.inc.php inside the config folder. Now set the file privileges:

cd config
chown root:apache *
chmod o-r *

If all the tests are ok remove the installer folder as recommended and disable the installer:

$config['enable_installer'] = false;

I suggest enabling these options; of course you have to adjust them to your local configuration, especially the paths to programs and files:

// ---------------------------------- 
// IMAP 
// ---------------------------------- 
// The IMAP host (and optionally port number) chosen to perform the log-in. 
// Leave blank to show a textbox at login, give a list of hosts 
// to display a pulldown menu or set one host as string. 
// Enter hostname with prefix ssl:// to use Implicit TLS, or use 
// prefix tls:// to use STARTTLS. 
// If port number is omitted it will be set to 993 (for ssl://) or 143 otherwise. 
// Supported replacement variables: 
// %n - hostname ($_SERVER['SERVER_NAME']) 
// %t - hostname without the first part 
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part) 
// %s - domain name after the '@' from e-mail address provided at login screen 
// For example %n = mail.domain.tld, %t = domain.tld 
// WARNING: After hostname change update of mail_host column in users table is 
//          required to match old user data records with the new host. 
$config['imap_host'] = 'localhost:143';

// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'My Organization Name - Webmail';

// Log successful/failed logins to /userlogins or to syslog (important to activate fail2ban later)
$config['log_logins'] = true;
// Automatically add this domain to user names for login
$config['username_domain'] = 'yourdomain.net';
// default setting if preview pane is enabled
$config['preview_pane'] = true;
// declaring the auth type speeds up the imap connection with 0.5 version!!
$config['imap_auth_type'] = NULL;

// SMTP 
// SMTP server host (for sending mails). 
// Enter hostname with prefix tls:// to use STARTTLS, or use 
// prefix ssl:// to use the deprecated SSL over SMTP (aka SMTPS) 
// Supported replacement variables: 
// %h - user's IMAP hostname 
// %n - hostname ($_SERVER['SERVER_NAME']) 
// %t - hostname without the first part 
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part) 
// %z - IMAP domain (IMAP hostname without the first part) 
// For example %n = mail.domain.tld, %t = domain.tld 
$config['smtp_host'] = 'tls://domain.tld'; 
$config['smtp_auth_type'] = 'LOGIN';

// enforce connections over https
// with this option enabled, all non-secure connections will be redirected.
// set the port for the ssl connection as value of this option if it differs from the default 443
$config['force_https'] = true;
// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars.
$config['des_key'] = '123456789123456789123456';
// Absolute path to a local mime.types mapping table file.
// This is used to derive mime-types from the filename extension or vice versa.
// Such a file is usually part of the apache webserver. If you don't find a file named mime.types on your system,
// download it from http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types
$config['mime_types'] = '/absolute/path/to/apache/conf/mime.types';
// path to imagemagick identify binary
$config['im_identify_path'] = '/usr/local/bin/identify';
// path to imagemagick convert binary
$config['im_convert_path'] = '/usr/local/bin/convert';
// use this format for date display (date or strftime format)
$config['date_format'] = 'd-m-Y';
// automatically create the above listed default folders on first login
$config['create_default_folders'] = true;
// If true all folders will be checked for recent messages
$config['check_all_folders'] = true;

// the new 'elastic' theme is the default in 1.4.1 version
$config['skin'] = 'elastic';

// Automatically register user in Roundcube database on successful (IMAP) logon. 
// Set to false if only registered users should be allowed to the webmail. 
// Note: If disabled you have to create records in Roundcube users table by yourself. 
// Note: Roundcube does not manage/create users on a mail server. 
$config['auto_create_user'] = true;

Be aware that we are forcing Roundcube to perform SMTP authentication even though it is not needed for security reasons. This is because the rcptcheck feature (i.e. limiting the maximum number of messages per day for each auth-user) needs to identify the sender by the auth-user.

If the limit feature is not important for you, you can disable the authentication by leaving $config['smtp_user'] and $config['smtp_pass'] blank and setting the port to 25.
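
The hardening steps of this section (removing and disabling the installer, restricting the config folder, setting des_key and force_https) can be checked after installation. The script below is an added example, not part of the original guide or of Roundcube; rc_cfg and rc_audit are hypothetical helper names, and it assumes the config/config.inc.php layout used above. The second des_key pattern is the value shipped in defaults.inc.php, which survives when that file is copied to config.inc.php unchanged.

```shell
#!/bin/sh
# Added example: audit a Roundcube tree for the hardening steps in this guide.
# rc_cfg and rc_audit are hypothetical helper names, not Roundcube tools.

# Print the value assigned to $config['<name>'] in <file>, outer quotes stripped.
rc_cfg() {
    v=$(sed -n "s/^[[:space:]]*\$config\['$1'][[:space:]]*=[[:space:]]*\(.*\);.*/\1/p" "$2" | tail -n 1)
    v=${v#[\'\"]}; v=${v%[\'\"]}
    printf '%s' "$v"
}

# Usage: rc_audit /var/www/roundcube ; returns the number of findings (0 = clean).
rc_audit() {
    root=$1; cfg="$root/config/config.inc.php"; n=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 100; }

    # The web installer must be removed and disabled once setup is done.
    [ -d "$root/installer" ] && { echo "FAIL: installer/ still present"; n=$((n+1)); }
    [ "$(rc_cfg enable_installer "$cfg")" = "true" ] &&
        { echo "FAIL: enable_installer is true"; n=$((n+1)); }

    # des_key encrypts the IMAP password kept in the session: it must be 24
    # chars and must not be this guide's sample or the defaults.inc.php value.
    key=$(rc_cfg des_key "$cfg")
    case $key in
        123456789123456789123456|'rcmail-!24ByteDESkey*Str')
            echo "FAIL: des_key is a published sample/default"; n=$((n+1)) ;;
        *)  [ "${#key}" -eq 24 ] ||
                { echo "FAIL: des_key is ${#key} chars, expected 24"; n=$((n+1)); } ;;
    esac

    # Non-HTTPS requests should be redirected.
    [ "$(rc_cfg force_https "$cfg")" = "true" ] ||
        { echo "FAIL: force_https is not true"; n=$((n+1)); }

    # config/ holds the DB password and des_key: no read bit for "other".
    wr=$(find "$root/config" -type f -perm -o=r)
    [ -z "$wr" ] || { echo "FAIL: world-readable files in config/:"; echo "$wr"; n=$((n+1)); }

    [ "$n" -eq 0 ] && echo "OK: no findings"
    return "$n"
}
```

Run it as root with the install path, for example rc_audit /var/www/roundcube; a non-zero exit status is the number of failed checks.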

Finding a mobile app

In spite of its Mobile Responsive Design, Roundcube is not suitable for mobile phones, as it doesn't provide a valid app that at least notifies you of incoming mail.

Among the mobile apps, I recently found FairEmail and liked it because it is secure, full-featured, mature, open source, with no ads. One thing that impressed me is the "Conversation threading" feature, i.e. the capability to show threads merging both Inbox and Sent messages belonging to the same conversation, a feature that you don't expect to have in a free product.

Of course, when using a mobile app, it's not possible to manage the mailbox preferences.

Comments

Roundcube SMTP Test

Hi Roberto,

My submission port (587) works fine when I use Outlook to send email, but when I tried the Roundcube SMTP test, it popped up this message: "SMTP Send: NOT OK (STARTTLS failed: ready for tls (Code: 220))"

Below is my Roundcube config setting for SMTP:

$config['smtp_host'] = 'tls://127.0.0.1:587';
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['smtp_auth_type'] = 'LOGIN';
$config['smtp_auth_cid'] = null;
$config['smtp_auth_pw'] = null;
$config['smtp_xclient_login'] = false;
$config['smtp_xclient_addr'] = false;
$config['smtp_helo_host'] = '';
$config['smtp_timeout'] = 0;
$config['smtp_conn_options'] = null;


Roundcube SMTP Test

Hi. Try to use port 25 with no auth


Roundcube SMTP Test

Hi Roberto,

Thx and it works...


roundcube host

CREATE USER 'roundcube'@'apache-IP' IDENTIFIED BY '***';

apache-IP, if local, must be '127.0.0.1'. If you make it 'localhost', php 7.4.33 fails with a segfault when running roundcube/installer

wget http://download.icu-project.org/files/icu4c/4.8.1/icu4c-4_8_1-src.tgz - NOT here anymore


roundcube host

thank you. corrected


$config vs $rcmail_config

Hi,

I'm curious as to the mixing of $config[] and $rcmail_config[] directives in the config examples.

Also, roundcube is on version 1.0.2. 

As of version 1.0, the main.inc.php and db.inc.php are obsolete and there is only a config.inc.php to override the defaults.inc.php.

Regards

/ Otto


it was a residue of the old 0.x

it was a residue of the old 0.x installation, where the config variable was actually $rcmail_config.  Corrected and updated to v. 1.0.2

thanks for the contribution


Can't access just via webmail

Thank you for sharing this useful information with us.

I just updated my roundcube from v.0.9.5 to v.1.0.0, but now I can't get access just via webmail; I also need to log in from the Roundcube login page, so I'm logged in twice... Do you have any idea how I can fix it?

Thanks in advance!


Re: Can't access just via webmail

I can't be of any help without details. Btw, if you followed the upgrade procedure at the top of this page, I remember that it didn't work for me and I had to manually upgrade RC


Thank you for reply, shell

Thank you for the reply. The shell script worked for me, but I have to log in twice and I cannot figure out where the problem stems from. These are my details:

cPanel Version 11.42.1 (build 5)
Apache version 2.2.27
PHP version 5.4.26
MySQL version 5.5.36-cll
Architecture x86_64
Operating system linux
Mailserver: Courier

If you need I can give root password for WHM..


I don't have any experience

I don't have any experience of cpanel, sorry


Thanks anyway!

Thanks anyway!
