Roundcube webmail

May 19, 2024: Roundcube webmail 1.6.7 security fix. It is sufficient to update Roundcube to the latest version.

• Info: https://roundcube.net
• Version: 1.6.9

Roundcube is a full featured webmail with a nice interface.

Changelog

• Sep 7, 2024
  RC update to v. 1.6.9
• May 19, 2024
  RC update to v. 1.6.7 (security fix)
• Gen 21, 2024
  RC upgraded to v. 1.6.6
  -new $config['imap_host'] variable
  -all my SMTP config options were stripped from my configuration file and I had to restore them
• Jan 3, 2021
  disabled the SMTP authentication when sending messages via RC. SMTP port changed to 25.

Read the release note at https://github.com/roundcube/roundcubemail/blob/master/CHANGELOG.md for more info.

Upgrading

The upgrade process is quite straightforward; you simply have to untar the package in a temporary directory, move the old folder to be upgraded and run the upgrade shell script. I suppose that roundcube has to be installed in the /var/www folder.

RC_NEW=1.6.9
RC_OLD=1.6.8

cd /var/www
# remove old installation dir if still present
rm -r rc-temp

wget https://github.com/roundcube/roundcubemail/releases/download/${RC_NEW}/roundcubemail-${RC_NEW}-complete.tar.gz
tar xzf roundcubemail-${RC_NEW}-complete.tar.gz
# move new version folder to a temporary folder. We'll run the update from there
mv roundcubemail-${RC_NEW} rc-temp
# remove the symbolic link. We'll restore it later
rm roundcube
# move old version's folder to the new dir. We are going to overwrite it during the upgrade process..
cp -rp roundcubemail-${RC_OLD} roundcubemail-${RC_NEW}
# restore the symolic link
ln -s roundcubemail-${RC_NEW} roundcube
# Ready to start the upgrade..
./rc-temp/bin/installto.sh roundcube/

Follow the instructions. Be aware that this process requires that the php and rsync commands are in your PATH.

At the end you can erase the temporary folder and also the old installation folder:

rm -r rc-temp roundcubemail-${RC_OLD}

Now upgrade your installed plugins

sudo -u apache php composer.phar update --no-dev

Troubleshooting

The installation of the various plugins are now centralized in the https://plugins.roundcube.net/ repository, and the update process is managed via composer, which has to be updated itself when migrating from v. 1.3.x. Infact I received this warning as soon as I starded the plugins update process:

# sudo -u apache php composer.phar update --no-dev
Warning: This development build of composer is over 30 days old. It is recommended to update it by running "composer.phar self-update" to get the latest version

Unfortunately my installed composer turned out to be not compatible with php-7.2, so I had to upgrade it manually downloading and replacing the composer.phar file. Since composer has to be runned by apache, I had also to let apache overwrite this file for future self-upgrades (in my case it was owned by root:apache):

chmod g+w composer.phar

During my update attempts from command line, I realized that also the /srv folder must be writable by apache, because it has to create an inner "httpd" folder, so I granted full priviledges to apache in /srv

chown -R apache /srv/

To avoid errors remember to give apache write priviledges in the plugins and vendor folders and also to the composer.lock and composer.phar files:

chown -R apache vendor plugins composer.lock composer.phar

crypt_gpg caused me problems because of broken links that I solved in this way:

cd vendor/bin
rm crypt-gpg-pinentry
ln -s ../pear/crypt_gpg/scripts/crypt-gpg-pinentry crypt-gpg-pinentry

Another new requirement is that php needs ldap support in order to manage the updates via composer, so I had to enable ldap compiling php with this:

--with-ldap

Requirements

Before starting look at the basic requirements here.

I will show how install it in a Linux/Apache/MySQL/PHP + qmail environment.

php configuration

Here is a minimal php configuration which matches all the Rouncube's requirements above in my Slackware environment:

./configure \
        --with-libdir=lib64 \
        --with-mysqli=/usr/bin/mysql_config \
        --with-pdo-mysql=/usr \
        --disable-mysqlnd \
        --with-mcrypt \
        --enable-gd \
        --enable-mbstring \
        --with-zip \
        --with-zlib \
        --with-bz2 \
        --enable-sockets \
        --with-openssl \
        --enable-intl \
        --with-ldap

Note that an additional recommended extension is intl (--enable-intl), which is now bundled in PHP. intl requires the ICU headers and libraries.

Installing Roundcube

Download the tarball from http://roundcube.net/download, untar and set the folders' priviledges:

cd /var/www
tar xzf roundcubemail-x.x.x.tar.gz
ln -s roundcubemail-x.x.x roundcube
cd roundcube
chown -R root.apache .
chmod -R o-rx .
chmod g+w logs temp

Create the mysql user and database; grant that user limited priviledges. If MySQL and Apache live in the same host, use 127.0.0.1 as <apache-IP> in the following example (it has been reported that using localhost causes a segfault on php-7.4.33 during the install process):

> mysql -u root -p

CREATE USER 'roundcube'@'<apache-IP>' IDENTIFIED BY '***';
GRANT USAGE ON * . * TO 'roundcube'@'<apache-IP>' IDENTIFIED BY '***' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

CREATE DATABASE IF NOT EXISTS `roundcube` /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
GRANT ALL PRIVILEGES ON `roundcube` . * TO 'roundcube'@'<apache-IP>';

Setup an apache virtual host like this

LOGDIR=/var/log/apache
DOMAIN=yourdomain.tld

<VirtualHost *:80> 
       ServerName webmail.${DOMAIN}
       RedirectMatch permanent ^/$ https://webmail.${DOMAIN}
</VirtualHost> 

<VirtualHost *:443> 
       Include <certs stuff>

       DocumentRoot /var/www/roundcube/ 
       ServerName webmail.${DOMAIN}

       CustomLog ${LOGDIR}/roundcube.f2b_SSL.log combined 
       ErrorLog  ${LOGDIR}/roundcube_error_SSL.log 

       <Directory /var/www/roundcube/> 
               Require all granted 
               AllowOverride All 
       </Directory> 

#       <Directory /var/www/roundcube-enigma-home/> 
#               Require all granted 
#       </Directory> 

       <IfModule mod_autoindex.c> 
               Options -Indexes 
       </ifModule> 
</VirtualHost>

Now point your browser to https://webmail.yourdomain.tld/installer/ and follow the instructions. I leave the setup options but the mysql interface (select mysqli if available in your http server). Don't forget to copy the database parameters and set the IMAP address IP. Set username_domain to your default_domain and it will be sufficient to log typing just the username.

Copy the file defaults.inc.php to config.inc.php inside the config folder. Now set the file privileges:

cd config
chown root.apache *
chmod o-r *

If all the tests are ok remove the installer folder as recommended and disable the installer:

$config['enable_installer'] = false;

I suggest to enable these options; of course you have to adjust them to your local configuration, expecially the paths to programs and files:

// ---------------------------------- 
// IMAP 
// ---------------------------------- 
// The IMAP host (and optionally port number) chosen to perform the log-in. 
// Leave blank to show a textbox at login, give a list of hosts 
// to display a pulldown menu or set one host as string. 
// Enter hostname with prefix ssl:// to use Implicit TLS, or use 
// prefix tls:// to use STARTTLS. 
// If port number is omitted it will be set to 993 (for ssl://) or 143 otherwise. 
// Supported replacement variables: 
// %n - hostname ($_SERVER['SERVER_NAME']) 
// %t - hostname without the first part 
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part) 
// %s - domain name after the '@' from e-mail address provided at login screen 
// For example %n = mail.domain.tld, %t = domain.tld 
// WARNING: After hostname change update of mail_host column in users table is 
//          required to match old user data records with the new host. 
$config['imap_host'] = 'localhost:143';

// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'My Organization Name - Webmail';

// Log successful/failed logins to /userlogins or to syslog (important to activate fail2ban later)
$config['log_logins'] = true;
// Automatically add this domain to user names for login
$config['username_domain'] = 'yourdomain.net';
// default setting if preview pane is enabled
$config['preview_pane'] = true;
// declaring the auth type speeds up the imap connection with 0.5 version!!
$config['imap_auth_type'] = NULL;

// SMTP 
// SMTP server host (for sending mails). 
// Enter hostname with prefix tls:// to use STARTTLS, or use 
// prefix ssl:// to use the deprecated SSL over SMTP (aka SMTPS) 
// Supported replacement variables: 
// %h - user's IMAP hostname 
// %n - hostname ($_SERVER['SERVER_NAME']) 
// %t - hostname without the first part 
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part) 
// %z - IMAP domain (IMAP hostname without the first part) 
// For example %n = mail.domain.tld, %t = domain.tld 
$config['smtp_host'] = 'tls://domain.tld'; 
$config['smtp_auth_type'] = 'LOGIN';

// enforce connections over https
// with this option enabled, all non-secure connections will be redirected.
// set the port for the ssl connection as value of this option if it differs from the default 443
$config['force_https'] = true;
// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars.
$config['des_key'] = '123456789123456789123456';
// Absolute path to a local mime.types mapping table file.
// This is used to derive mime-types from the filename extension or vice versa.
// Such a file is usually part of the apache webserver. If you don't find a file named mime.types on your system,
// download it from http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types
$config['mime_types'] = '/absolute/path/to/apache/conf/mime.types';
// path to imagemagick identify binary
$config['im_identify_path'] = '/usr/local/bin/identify';
// path to imagemagick convert binary
$config['im_convert_path'] = '/usr/local/bin/convert';
// use this format for date display (date or strftime format)
$config['date_format'] = 'd-m-Y';
// automatically create the above listed default folders on first login
$config['create_default_folders'] = true;
// If true all folders will be checked for recent messages
$config['check_all_folders'] = true;

// the new 'elastic' theme is the default in 1.4.1 version
$config['skin'] = 'elastic';

// Automatically register user in Roundcube database on successful (IMAP) logon. 
// Set to false if only registered users should be allowed to the webmail. 
// Note: If disabled you have to create records in Roundcube users table by yourself. 
// Note: Roundcube does not manage/create users on a mail server. 
$config['auto_create_user'] = true;

Be aware that we are forcing RoundCube to do the SMTP authentication even if it's not needed for security reasons. This is because the rcptcheck feature (i.e. limiting the auth-user max message per day) requires to identify the sender by the auth-user.

If the limit feature is not important for you, you can disable the authentication leaving blank values for $config['smtp_user'] and $config['smtp_pass'] and setting the port as 25.

Finding a mobile app

In spite of its Mobile Responsive Design, Roundcube is not suitable for mobile phones as it doesn't provide a valid app which at least notifies new mail incomings.

Among the Mobile Apps, I recently found FairEmail and liked it because it is secure, full featured, mature, open source, with no ads. One thing that impressed me is the "Conversation threading" feature, i.e. the capability to show threads merging both Inbox and Sent messages belonging to the same conversation, a feature that you don't expect to have in a free product.

Of course, when using a mobile app, it's not possible to manage the mailbox preferences.

$config['smtp_host'] = 'tls://127.0.0.1:587';
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['smtp_auth_type'] = 'LOGIN';
$config['smtp_auth_cid'] = null;
$config['smtp_auth_pw'] = null;
$config['smtp_xclient_login'] = false;
$config['smtp_xclient_addr'] = false;
$config['smtp_helo_host'] = '';
$config['smtp_timeout'] = 0;
$config['smtp_conn_options'] = null;

$config['smtp_host'] = 'tls://mydomain.tld'; 
$config['smtp_auth_type'] = 'LOGIN';

$config['smtp_host'] = 'tls://smtp.mydomain.jp:587';
$config['smtp_auth_type'] = 'LOGIN';

$config['smtp_conn_options'] = array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false,
'allow_self_signed' => true,
'verify_depth' => 3,
'cafile' => '/etc/ssl/private/mydomain.jp.chained.crt',
),
);

$config['smtp_timeout'] = 60;

CREATE USER 'roundcube'@'apache-IP' IDENTIFIED BY '***';