May 19, 2024: Roundcube webmail 1.6.7 security fix. It is sufficient to update Roundcube to the latest version.
- Info: https://roundcube.net
- Version: 1.6.9
Roundcube is a full featured webmail with a nice interface.
Changelog
- Sep 7, 2024
RC update to v. 1.6.9 - May 19, 2024
RC update to v. 1.6.7 (security fix) - Gen 21, 2024
RC upgraded to v. 1.6.6
-new $config['imap_host'] variable
-all my SMTP config options were stripped from my configuration file and I had to restore them - Jan 3, 2021
disabled the SMTP authentication when sending messages via RC. SMTP port changed to 25.
Read the release note at https://github.com/roundcube/roundcubemail/blob/master/CHANGELOG.md for more info.
Upgrading
The upgrade process is quite straightforward; you simply have to untar the package in a temporary directory, move the old folder to be upgraded and run the upgrade shell script. I suppose that roundcube has to be installed in the /var/www folder.
RC_NEW=1.6.9 RC_OLD=1.6.8 cd /var/www # remove old installation dir if still present rm -r rc-temp wget https://github.com/roundcube/roundcubemail/releases/download/${RC_NEW}/roundcubemail-${RC_NEW}-complete.tar.gz tar xzf roundcubemail-${RC_NEW}-complete.tar.gz # move new version folder to a temporary folder. We'll run the update from there mv roundcubemail-${RC_NEW} rc-temp # remove the symbolic link. We'll restore it later rm roundcube # move old version's folder to the new dir. We are going to overwrite it during the upgrade process.. cp -rp roundcubemail-${RC_OLD} roundcubemail-${RC_NEW} # restore the symolic link ln -s roundcubemail-${RC_NEW} roundcube # Ready to start the upgrade.. ./rc-temp/bin/installto.sh roundcube/
Follow the instructions. Be aware that this process requires that the php and rsync commands are in your PATH.
At the end you can erase the temporary folder and also the old installation folder:
rm -r rc-temp roundcubemail-${RC_OLD}
Now upgrade your installed plugins
sudo -u apache php composer.phar update --no-dev
Troubleshooting
The installation of the various plugins are now centralized in the https://plugins.roundcube.net/ repository, and the update process is managed via composer
, which has to be updated itself when migrating from v. 1.3.x. Infact I received this warning as soon as I starded the plugins update process:
# sudo -u apache php composer.phar update --no-dev Warning: This development build of composer is over 30 days old. It is recommended to update it by running "composer.phar self-update" to get the latest version
Unfortunately my installed composer
turned out to be not compatible with php-7.2
, so I had to upgrade it manually downloading and replacing the composer.phar
file. Since
composer
has to be runned by apache
, I had also to let apache
overwrite this file for future self-upgrades (in my case it was owned by root:apache
):
chmod g+w composer.phar
During my update attempts from command line, I realized that also the /srv folder must be writable by apache, because it has to create an inner "httpd" folder, so I granted full priviledges to apache
in /srv
chown -R apache /srv/
To avoid errors remember to give apache
write priviledges in the plugins
and vendor
folders and also to the composer.lock
and composer.phar
files:
chown -R apache vendor plugins composer.lock composer.phar
crypt_gpg
caused me problems because of broken links that I solved in this way:
cd vendor/bin rm crypt-gpg-pinentry ln -s ../pear/crypt_gpg/scripts/crypt-gpg-pinentry crypt-gpg-pinentry
Another new requirement is that php
needs ldap
support in order to manage the updates via composer
, so I had to enable ldap
compiling php
with this:
--with-ldap
Requirements
Before starting look at the basic requirements here.
I will show how install it in a Linux/Apache/MySQL/PHP
+ qmail
environment.
php
configuration
Here is a minimal php configuration which matches all the Rouncube's requirements above in my Slackware
environment:
./configure \ --with-libdir=lib64 \ --with-mysqli=/usr/bin/mysql_config \ --with-pdo-mysql=/usr \ --disable-mysqlnd \ --with-mcrypt \ --enable-gd \ --enable-mbstring \ --with-zip \ --with-zlib \ --with-bz2 \ --enable-sockets \ --with-openssl \ --enable-intl \ --with-ldap
Note that an additional recommended extension is intl
(--enable-intl
), which is now bundled in PHP. intl
requires the ICU headers and libraries.
Installing Roundcube
Download the tarball from http://roundcube.net/download, untar and set the folders' priviledges:
cd /var/www tar xzf roundcubemail-x.x.x.tar.gz ln -s roundcubemail-x.x.x roundcube cd roundcube chown -R root.apache . chmod -R o-rx . chmod g+w logs temp
Create the mysql
user and database; grant that user limited priviledges. If MySQL
and Apache live in the same host, use 127.0.0.1
as <apache-IP> in the following example (it has been reported that using localhost
causes a segfault on php-7.4.33
during the install process):
> mysql -u root -p CREATE USER 'roundcube'@'<apache-IP>' IDENTIFIED BY '***'; GRANT USAGE ON * . * TO 'roundcube'@'<apache-IP>' IDENTIFIED BY '***' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; CREATE DATABASE IF NOT EXISTS `roundcube` /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */; GRANT ALL PRIVILEGES ON `roundcube` . * TO 'roundcube'@'<apache-IP>';
Setup an apache virtual host like this
LOGDIR=/var/log/apache DOMAIN=yourdomain.tld <VirtualHost *:80> ServerName webmail.${DOMAIN} RedirectMatch permanent ^/$ https://webmail.${DOMAIN} </VirtualHost> <VirtualHost *:443> Include <certs stuff> DocumentRoot /var/www/roundcube/ ServerName webmail.${DOMAIN} CustomLog ${LOGDIR}/roundcube.f2b_SSL.log combined ErrorLog ${LOGDIR}/roundcube_error_SSL.log <Directory /var/www/roundcube/> Require all granted AllowOverride All </Directory> # <Directory /var/www/roundcube-enigma-home/> # Require all granted # </Directory> <IfModule mod_autoindex.c> Options -Indexes </ifModule> </VirtualHost>
Now point your browser to https://webmail.yourdomain.tld/installer/
and follow the instructions. I leave the setup options but the mysql interface (select mysqli
if available in your http server). Don't forget to copy the database parameters and set the IMAP address IP. Set username_domain
to your default_domain and it will be sufficient to log typing just the username.
Copy the file defaults.inc.php
inside the config folder. Now set the file privileges: to
config.inc.php
cd config chown root.apache * chmod o-r *
If all the tests are ok remove the installer folder as recommended and disable the installer:
$config['enable_installer'] = false;
I suggest to enable these options; of course you have to adjust them to your local configuration, expecially the paths to programs and files:
// ---------------------------------- // IMAP // ---------------------------------- // The IMAP host (and optionally port number) chosen to perform the log-in. // Leave blank to show a textbox at login, give a list of hosts // to display a pulldown menu or set one host as string. // Enter hostname with prefix ssl:// to use Implicit TLS, or use // prefix tls:// to use STARTTLS. // If port number is omitted it will be set to 993 (for ssl://) or 143 otherwise. // Supported replacement variables: // %n - hostname ($_SERVER['SERVER_NAME']) // %t - hostname without the first part // %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part) // %s - domain name after the '@' from e-mail address provided at login screen // For example %n = mail.domain.tld, %t = domain.tld // WARNING: After hostname change update of mail_host column in users table is // required to match old user data records with the new host. $config['imap_host'] = 'localhost:143'; // Name your service. This is displayed on the login screen and in the window title $config['product_name'] = 'My Organization Name - Webmail'; // Log successful/failed logins to /userlogins or to syslog (important to activate fail2ban later) $config['log_logins'] = true; // Automatically add this domain to user names for login $config['username_domain'] = 'yourdomain.net'; // default setting if preview pane is enabled $config['preview_pane'] = true; // declaring the auth type speeds up the imap connection with 0.5 version!! $config['imap_auth_type'] = NULL; // SMTP // SMTP server host (for sending mails). // Enter hostname with prefix tls:// to use STARTTLS, or use // prefix ssl:// to use the deprecated SSL over SMTP (aka SMTPS) // Supported replacement variables: // %h - user's IMAP hostname // %n - hostname ($_SERVER['SERVER_NAME']) // %t - hostname without the first part // %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part) // %z - IMAP domain (IMAP hostname without the first part) // For example %n = mail.domain.tld, %t = domain.tld $config['smtp_host'] = 'tls://domain.tld'; $config['smtp_auth_type'] = 'LOGIN'; // enforce connections over https // with this option enabled, all non-secure connections will be redirected. // set the port for the ssl connection as value of this option if it differs from the default 443 $config['force_https'] = true; // this key is used to encrypt the users imap password which is stored // in the session record (and the client cookie if remember password is enabled). // please provide a string of exactly 24 chars. $config['des_key'] = '123456789123456789123456'; // Absolute path to a local mime.types mapping table file. // This is used to derive mime-types from the filename extension or vice versa. // Such a file is usually part of the apache webserver. If you don't find a file named mime.types on your system, // download it from http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types $config['mime_types'] = '/absolute/path/to/apache/conf/mime.types'; // path to imagemagick identify binary $config['im_identify_path'] = '/usr/local/bin/identify'; // path to imagemagick convert binary $config['im_convert_path'] = '/usr/local/bin/convert'; // use this format for date display (date or strftime format) $config['date_format'] = 'd-m-Y'; // automatically create the above listed default folders on first login $config['create_default_folders'] = true; // If true all folders will be checked for recent messages $config['check_all_folders'] = true; // the new 'elastic' theme is the default in 1.4.1 version $config['skin'] = 'elastic'; // Automatically register user in Roundcube database on successful (IMAP) logon. // Set to false if only registered users should be allowed to the webmail. // Note: If disabled you have to create records in Roundcube users table by yourself. // Note: Roundcube does not manage/create users on a mail server. $config['auto_create_user'] = true;
Be aware that we are forcing RoundCube to do the SMTP authentication even if it's not needed for security reasons. This is because the rcptcheck feature (i.e. limiting the auth-user
max message per day) requires to identify the sender by the auth-user
.
If the limit feature is not important for you, you can disable the authentication leaving blank values for $config['smtp_user']
and $config['smtp_pass']
and setting the port as 25.
Finding a mobile app
In spite of its Mobile Responsive Design, Roundcube is not suitable for mobile phones as it doesn't provide a valid app which at least notifies new mail incomings.
Among the Mobile Apps, I recently found FairEmail and liked it because it is secure, full featured, mature, open source, with no ads. One thing that impressed me is the "Conversation threading" feature, i.e. the capability to show threads merging both Inbox and Sent messages belonging to the same conversation, a feature that you don't expect to have in a free product.
Of course, when using a mobile app, it's not possible to manage the mailbox preferences.
Comments
Roundcube SMTP Test
Kenny Lee March 11, 2024 06:19 CET
Hi Roberto,
my submission port (587) is working fine while i used my Outlook to send email, but when i tried on Roundcube Test SMTP, it pop up the msg said: "SMTP Send: NOT OK (STARTTLS failed: ready for tls (Code: 220))"
below is my Roundcube config setting for SMTP:
Reply | Permalink
Roundcube SMTP Test
Roberto Puzzanghera Kenny Lee March 11, 2024 09:39 CET
Hi. Try to use port 25 with no auth
Reply | Permalink
Roundcube SMTP Test
Kenny Lee Roberto Puzzanghera March 11, 2024 10:04 CET
Hi Roberto,
Thx and it works...
Reply | Permalink
roundcube host
Ivelin Topalov March 6, 2024 00:10 CET
apache-IP if local must be '127.0.0.1' . if you make it 'localhost' php 7.4.33 fails with segfault when running roundcube/installer
wget http://download.icu-project.org/files/icu4c/4.8.1/icu4c-4_8_1-src.tgz - NOT here anymore
Reply | Permalink
roundcube host
Roberto Puzzanghera Ivelin Topalov March 6, 2024 08:04 CET
thank you. corrected
Reply | Permalink
$config vs $rcmail_config
Otto Dandenell August 26, 2014 19:37 CET
Hi,
I'm curious as to the mixing of $config[] and $rcmail_config[] directives in the config examples.
Also, roundcube is on version 1.0.2.
As of version 1.0, the main.inc.php and db.inc.php are obsolete and there is only a config.inc.php to override the defaults.inc.php.
Regards
/ Otto
Reply | Permalink
it was a residue of the old 0.x
roberto puzzanghera Otto Dandenell August 26, 2014 20:16 CET
it was a residue of the old 0.x installation, where the config variable was actually $rcmail_config. Corrected and updated to v. 1.0.2
thanks for the contribution
Reply | Permalink
Can't access just via webmail
Anonymous April 14, 2014 19:06 CET
Thank you for sharing this useful information with us.
I just updated my roundcube from v.0.9.5. to v.1.0.0, but now I can't access just via webmail, I need to also be accessed from Roundcube login page, so I'm logged in twice... Do you have any idea how can I fix it?
Thank in advance!
Reply | Permalink
Re: Can't access just via webmail
roberto puzzanghera Anonymous April 14, 2014 19:55 CET
I can't be of any help without details. Btw if you followed the upgrade procedure at the top of this page I remember that it didn't worked for me and I had to manually upgrade RC
Reply | Permalink
Thank you for reply, shell
Anonymous roberto puzzanghera April 14, 2014 20:26 CET
Thank you for reply, shell script worked for me but I have to login twice and I can not solve the problem stems from, these are my details:
cPanel Version 11.42.1 (build 5)
Apache version 2.2.27
PHP version 5.4.26
MySQL version 5.5.36-cll
Architecture x86_64
Operating system linux
Mailserver: Courier
If you need I can give root password for WHM..
Reply | Permalink
I don't have any experience
roberto puzzanghera Anonymous April 14, 2014 20:29 CET
I don't have any experience of cpanel, sorry
Reply | Permalink
Thanks anyway!
Anonymous roberto puzzanghera April 14, 2014 20:32 CET
Thanks anyway!
Reply | Permalink