roundcube
About
Install
Install postgresql first
aptitude install postgresql
Install Apache2 to serve Roundcube (with plugins and a PostgreSQL backend) via FastCGI through php-fpm (FastCGI Process Manager). Consider installing Roundcube from backports.
Configure Apache2
Enable Apache2 modules
a2enmod http2 headers ssl rewrite fcgid proxy_fcgi
Create and enable Apache2 vhost
/etc/apache2/sites-available/roundcube_ssl.conf
<VirtualHost _default_:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    Define SERVER_NAME mx1.rockstable.it
    ServerName ${SERVER_NAME}
    ServerAlias mail.rockstable.it

    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/${SERVER_NAME}_error.log
    CustomLog ${APACHE_LOG_DIR}/${SERVER_NAME}_access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    ### Redirect anything up to the encrypted vHost
    ### (breaks /server-status if certificate is invalid)
    #RedirectMatch ^/(.*)$ https://${SERVER_NAME}/$1

    ### Finally nothing leads around mod_rewrite
    RewriteEngine on

    RewriteCond %{REQUEST_URI} !=/server-status
    RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

    ### REDIRECT WRITTEN BY CERTBOT
    #RewriteCond %{SERVER_NAME} =mail.rockstable.it [OR]
    #RewriteCond %{SERVER_NAME} =mx1.rockstable.it
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        Define SERVER_NAME mx1.rockstable.it
        ServerName ${SERVER_NAME}
        ServerAlias mail.rockstable.it
        ServerAdmin webmaster@rockstable.it

        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        #SSLCertificateFile /etc/letsencrypt/live/rockstable.it/fullchain.pem
        #SSLCertificateKeyFile /etc/letsencrypt/live/rockstable.it/privkey.pem
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        #   certificate for convenience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #   Note: Inside SSLCACertificatePath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath /etc/apache2/ssl.crl/
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

        #   Client Authentication (Type):
        #   Client certificate verification type and depth. Types are
        #   none, optional, require and optional_no_ca. Depth is a
        #   number which specifies how deeply to verify the certificate
        #   issuer chain before deciding the certificate is not valid.
        #SSLVerifyClient require
        #SSLVerifyDepth 10

        #   SSL Engine Options:
        #   Set various options for the SSL engine.
        #   o FakeBasicAuth:
        #     Translate the client X.509 into a Basic Authorisation. This means that
        #     the standard Auth/DBMAuth methods can be used for access control. The
        #     user name is the `one line' version of the client's X.509 certificate.
        #     Note that no password is obtained from the user. Every entry in the user
        #     file needs this password: `xxj31ZMTZzkVA'.
        #   o ExportCertData:
        #     This exports two additional environment variables: SSL_CLIENT_CERT and
        #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #     server (always existing) and the client (only existing when client
        #     authentication is used). This can be used to import the certificates
        #     into CGI scripts.
        #   o StdEnvVars:
        #     This exports the standard SSL/TLS related `SSL_*' environment variables.
        #     Per default this exportation is switched off for performance reasons,
        #     because the extraction step is an expensive operation and is usually
        #     useless for serving static content. So one usually enables the
        #     exportation for CGI and SSI requests only.
        #   o OptRenegotiate:
        #     This enables optimized SSL connection renegotiation handling when SSL
        #     directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        #<FilesMatch "\.(cgi|shtml|phtml|php)$">
        #    SSLOptions +StdEnvVars
        #</FilesMatch>
        #<Directory /usr/lib/cgi-bin>
        #    SSLOptions +StdEnvVars
        #</Directory>

        #   SSL Protocol Adjustments:
        #   The safe and default but still SSL/TLS standard compliant shutdown
        #   approach is that mod_ssl sends the close notify alert but doesn't wait for
        #   the close notify alert from client. When you need a different shutdown
        #   approach you can use one of the following variables:
        #   o ssl-unclean-shutdown:
        #     This forces an unclean shutdown when the connection is closed, i.e. no
        #     SSL close notify alert is sent or allowed to be received. This violates
        #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
        #     this when you receive I/O errors because of the standard approach where
        #     mod_ssl sends the close notify alert.
        #   o ssl-accurate-shutdown:
        #     This forces an accurate shutdown when the connection is closed, i.e. a
        #     SSL close notify alert is sent and mod_ssl waits for the close notify
        #     alert of the client. This is 100% SSL/TLS standard compliant, but in
        #     practice often causes hanging connections with brain-dead browsers. Use
        #     this only for browsers where you know that their SSL implementation
        #     works correctly.
        #   Notice: Most problems of broken clients are also related to the HTTP
        #   keep-alive facility, so you usually additionally want to disable
        #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
        #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
        #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
        #   "force-response-1.0" for this.
        # BrowserMatch "MSIE [2-6]" \
        #     nokeepalive ssl-unclean-shutdown \
        #     downgrade-1.0 force-response-1.0

        ### Mozilla recommendations for
        # Apache: 2.4.28
        # OpenSSL: 1.1.1b

        # HSTS (mod_headers is required) (15768000 seconds = 6 months)
        #Header always set Strict-Transport-Security "max-age=15768000"

        include "/etc/roundcube/apache.conf"

        #Include /etc/letsencrypt/options-ssl-apache.conf
        #SSLCertificateFile /etc/letsencrypt/live/rockstable.it/fullchain.pem
        #SSLCertificateKeyFile /etc/letsencrypt/live/rockstable.it/privkey.pem

        # Always ensure Cookies have "Secure" set (JAH 2012/1)
        Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
    </VirtualHost>
</IfModule>

# vim: syntax=apache ai ts=4 sw=4 sts=4 sr noet:

/etc/roundcube/apache.conf
# Those aliases do not work properly with several hosts on your apache server
# Uncomment them to use it or adapt them to your configuration
# Alias /roundcube /var/lib/roundcube

DocumentRoot /var/lib/roundcube

#ProxyPassMatch "^/myapp/.*\.php(/.*)?$" "fcgi://localhost:9000/var/www/" enablereuse=on
ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/run/php/php7.3-fpm.sock|fcgi://localhost/var/lib/roundcube"

<Directory /var/lib/roundcube/>
    Options +FollowSymLinks
    # This is needed to parse /var/lib/roundcube/.htaccess. See its
    # content before setting AllowOverride to None.
    AllowOverride All
    <IfVersion >= 2.3>
        Require all granted
    </IfVersion>
    <IfVersion < 2.3>
        Order allow,deny
        Allow from all
    </IfVersion>

    #SetHandler fcgid-script
    #Options +ExecCGI
</Directory>

# Protecting basic directories:
<Directory /var/lib/roundcube/config>
    Options -FollowSymLinks
    AllowOverride None
</Directory>

<Directory /var/lib/roundcube/temp>
    Options -FollowSymLinks
    AllowOverride None
    <IfVersion >= 2.3>
        Require all denied
    </IfVersion>
    <IfVersion < 2.3>
        Order allow,deny
        Deny from all
    </IfVersion>
</Directory>

<Directory /var/lib/roundcube/logs>
    Options -FollowSymLinks
    AllowOverride None
    <IfVersion >= 2.3>
        Require all denied
    </IfVersion>
    <IfVersion < 2.3>
        Order allow,deny
        Deny from all
    </IfVersion>
</Directory>
a2ensite roundcube_ssl
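A pre-flight check for the vhost above, as an added example that is not part of the original page: it looks only at directives that are in effect and reports the placeholders the listing leaves in place (snakeoil certificate, HSTS still commented out). The function names `active_directives`, `audit_vhost` and `sample_vhost` are hypothetical, and the embedded excerpt is constructed from the listing.

```shell
#!/bin/sh
# Added example: lint a vhost for settings the listing leaves as placeholders.

# Print only directives that are in effect (comments and blank lines dropped).
active_directives() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d'
}

# Read a vhost on stdin; print one finding per line, nothing when clean.
audit_vhost() {
    conf=$(active_directives)
    if printf '%s\n' "$conf" | grep -qi '^SSLCertificateFile.*snakeoil'; then
        echo "snakeoil certificate still active"
    fi
    if ! printf '%s\n' "$conf" | grep -qi '^Header.*Strict-Transport-Security'; then
        echo "HSTS header not enabled"
    fi
    if ! printf '%s\n' "$conf" | grep -qi '^Header edit Set-Cookie.*Secure'; then
        echo "Secure cookie rewrite missing"
    fi
}

# Constructed excerpt of the 443 vhost shown above (sample input only).
sample_vhost() {
    cat <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    #SSLCertificateFile /etc/letsencrypt/live/rockstable.it/fullchain.pem
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    #Header always set Strict-Transport-Security "max-age=15768000"
    Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
</VirtualHost>
EOF
}

# Demo on the constructed excerpt: prints the two open findings.
sample_vhost | audit_vhost
```

Run it against the real file with `audit_vhost < /etc/apache2/sites-available/roundcube_ssl.conf`.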
Configure
dpkg-reconfigure roundcube-core
PHP-FPM configuration
To match Roundcube's needs, some settings should be adjusted. https://github.com/roundcube/roundcubemail/wiki/Installation
Just append this to /etc/php/7.3/fpm/pool.d/www.conf
And change in /etc/php/7.3/fpm/php.ini
; Maximum allowed size for uploaded files.
; http://php.net/upload-max-filesize
;upload_max_filesize = 2M
upload_max_filesize = 10M

; Maximum size of POST data that PHP will accept.
; Its value may be 0 to disable the limit. It is ignored if POST data reading
; is disabled through enable_post_data_reading.
; http://php.net/post-max-size
;post_max_size = 8M
post_max_size = 12M

; Defines the probability that the 'garbage collection' process is started
; on every session initialization. The probability is calculated by using
; gc_probability/gc_divisor. Where session.gc_probability is the numerator
; and gc_divisor is the denominator in the equation. Setting this value to 1
; when the session.gc_divisor value is 100 will give you approximately a 1% chance
; the gc will run on any given request.
; Default Value: 1
; Development Value: 1
; Production Value: 1
; http://php.net/session.gc-probability
;session.gc_probability = 0
session.gc_probability = 1

; Defines the probability that the 'garbage collection' process is started on every
; session initialization. The probability is calculated by using the following equation:
; gc_probability/gc_divisor. Where session.gc_probability is the numerator and
; session.gc_divisor is the denominator in the equation. Setting this value to 100
; when the session.gc_probability value is 1 will give you approximately a 1% chance
; the gc will run on any given request. Increasing this value to 1000 will give you
; a 0.1% chance the gc will run on any given request. For high volume production servers,
; this is a more efficient approach.
; Default Value: 100
; Development Value: 1000
; Production Value: 1000
; http://php.net/session.gc-divisor
;session.gc_divisor = 1000
session.gc_divisor = 500
Roundcube customization
Roundcube can be customized by overriding the defaults from /etc/roundcube/defaults.inc.php in /etc/roundcube/config.inc.php. Copy the option into the config and adjust the value as needed.
max_packet_size
If a large file upload fails with warnings like these:
[21-Sep-2020 19:06:34 Europe/Berlin] PHP Warning: rcube_cache: max_packet_size (2095152) exceeded for key 14326867695f68dd434d8018f4084905a7542a6b354890491284ca7. Tried to write 4817944 bytes in /usr/share/roundcube/program/lib/Roundcube/rcube_cache.php on line 343
[21-Sep-2020 19:21:51 Europe/Berlin] PHP Warning: rcube_cache: max_packet_size (2095152) exceeded for key 14326867695f68dd434d8010a73c0ed4864a4340805c82e21bf34ca. Tried to write 2691344 bytes in /usr/share/roundcube/program/lib/Roundcube/rcube_cache.php on line 343
You may increase db_max_allowed_packet from the default "2097152" to your max upload size.
// It is possible to specify database variable values e.g. some limits here.
// Use them if your server is not MySQL or for better performance.
// For example Roundcube uses max_allowed_packet value (in bytes)
// which limits query size for database cache operations.
//$config['db_max_allowed_packet'] = null;
$config['db_max_allowed_packet'] = 10485760;
Restart php-fpm daemon
systemctl restart php7.3-fpm.service
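To size db_max_allowed_packet from evidence rather than by guessing, the following added example (not part of the original page) extracts the largest rejected cache write from the PHP log and checks a candidate limit against it and against upload_max_filesize. The function names are hypothetical, and the sample log lines are constructed in the format of the warnings shown above.

```shell
#!/bin/sh
# Added example: check db_max_allowed_packet against logged writes and PHP limits.

# Read a PHP error log on stdin; print the largest rejected write in bytes (0 if none).
largest_cache_write() {
    sed -n 's/.*rcube_cache: max_packet_size ([0-9]*) exceeded.*Tried to write \([0-9][0-9]*\) bytes.*/\1/p' \
        | sort -n | tail -n 1 | grep . || echo 0
}

# Convert PHP shorthand sizes (10M, 512K, 1G) to bytes; plain numbers pass through.
php_size_to_bytes() {
    case "$1" in
        *[Kk]) echo $(( ${1%?} * 1024 )) ;;
        *[Mm]) echo $(( ${1%?} * 1024 * 1024 )) ;;
        *[Gg]) echo $(( ${1%?} * 1024 * 1024 * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# $1 = db_max_allowed_packet (bytes), $2 = upload_max_filesize, $3 = largest write.
# Succeeds only when the packet limit covers both.
check_packet_limit() {
    upload=$(php_size_to_bytes "$2")
    [ "$1" -ge "$upload" ] && [ "$1" -ge "$3" ]
}

# Constructed log lines (KEY1/KEY2 stand in for the real cache keys).
sample_log() {
    cat <<'EOF'
[21-Sep-2020 19:06:34 Europe/Berlin] PHP Warning: rcube_cache: max_packet_size (2095152) exceeded for key KEY1. Tried to write 4817944 bytes in /usr/share/roundcube/program/lib/Roundcube/rcube_cache.php on line 343
[21-Sep-2020 19:21:51 Europe/Berlin] PHP Warning: rcube_cache: max_packet_size (2095152) exceeded for key KEY2. Tried to write 2691344 bytes in /usr/share/roundcube/program/lib/Roundcube/rcube_cache.php on line 343
EOF
}

# Demo: compare the default and the value configured above.
largest=$(sample_log | largest_cache_write)
for limit in 2097152 10485760; do
    if check_packet_limit "$limit" 10M "$largest"; then
        echo "db_max_allowed_packet=$limit: ok"
    else
        echo "db_max_allowed_packet=$limit: too small (largest write $largest, upload limit 10M)"
    fi
done
```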
Roundcube Plugins
Install plugins maintained by roundcube authors
aptitude install roundcube-plugins
Enable plugins
/etc/roundcube/config.inc.php
// List of active plugins (in plugins/ directory)
// Debian: install roundcube-plugins first to have any
$config['plugins'] = array(
    'acl'
    ,'additional_message_headers'
    ,'archive'
    ,'attachment_reminder'
    ,'authres_status'
    ,'autologon'
    ,'compose_addressbook'
    ,'contextmenu'
    //,'database_attachments'
    ,'debug_logger'
    ,'dovecot_impersonate'
    ,'emoticons'
    ,'enigma'
    //,'example_addressbook'
    ,'fail2ban'
    ,'filesystem_attachments'
    ,'help'
    ,'hide_blockquote'
    ,'html5_notifier'
    ,'http_authentication'
    ,'identicon'
    ,'identity_select'
    ,'jqueryui'
    ,'keyboard_shortcuts'
    ,'krb_authentication'
    ,'listcommands'
    ,'managesieve'
    ,'markasjunk'
    ,'message_highlight'
    ,'newmail_notifier'
    ,'new_user_dialog'
    ,'new_user_identity'
    ,'password'
    //,'redundant_attachments'
    //,'sauserprefs'
    ,'show_additional_headers'
    ,'squirrelmail_usercopy'
    ,'subscriptions_option'
    ,'thunderbird_labels'
    ,'userinfo'
    ,'vcard_attachments'
    ,'virtuser_file'
    ,'virtuser_query'
    ,'zipdownload'
);
Configure Plugins
Some plugins have additional dependencies to be satisfied.
Enigma
php-crypt-gpg is only available in Jessie or Sid. => SID
Lower the priority of Sid to the minimum in /etc/apt/preferences.d/zz_releases
Add Sid to the package sources in /etc/apt/sources.list.d/sid.list
aptitude install php-crypt-gpg
Prepare directory (writeable by php-fpm-user)
install -o www-data -g www-data -m 750 -d /var/lib/roundcube_enigma
Config
<?php
// Empty configuration for enigma
// See /usr/share/roundcube/plugins/enigma/config.inc.php.dist for instructions
// Check the access right of the file if you put sensitive information in it.
// $config=array();

// Enigma Plugin options
// --------------------

// A driver to use for PGP. Default: "gnupg".
$config['enigma_pgp_driver'] = 'gnupg';

// A driver to use for S/MIME. Default: "phpssl".
$config['enigma_smime_driver'] = 'phpssl';

// Enables logging of enigma operations (including Crypt_GPG debug info)
$config['enigma_debug'] = false;

// Keys directory for all users. Default 'enigma/home'.
// Must be writeable by PHP process
$config['enigma_pgp_homedir'] = '/var/lib/roundcube_enigma';

// Location of gpg binary. By default it will be auto-detected.
// This is also a way to force gpg2 use if there are both 1.x and 2.x on the system.
$config['enigma_pgp_binary'] = '';

// Location of gpg-agent binary. By default it will be auto-detected.
// It's used with GnuPG 2.x.
$config['enigma_pgp_agent'] = '';

// Location of gpgconf binary. By default it will be auto-detected.
// It's used with GnuPG >= 2.1.
$config['enigma_pgp_gpgconf'] = '';

// Enables signatures verification feature.
$config['enigma_signatures'] = true;

// Enables messages decryption feature.
$config['enigma_decryption'] = true;

// Enables messages encryption and signing feature.
$config['enigma_encryption'] = true;

// Enable signing all messages by default
$config['enigma_sign_all'] = false;

// Enable encrypting all messages by default
$config['enigma_encrypt_all'] = false;

// Enable attaching a public key to all messages by default
$config['enigma_attach_pubkey'] = false;

// Default for how long to store private key passwords (in minutes).
// When set to 0 passwords will be stored for the whole session.
$config['enigma_password_time'] = 5;

// With this option you can lock composing options
// of the plugin forcing the user to use configured settings.
// The array accepts: 'sign', 'encrypt', 'pubkey'.
//
// For example, to force your users to sign every email,
// you should set:
//     - enigma_sign_all = true
//     - enigma_options_lock = array('sign')
//     - dont_override = array('enigma_sign_all')
$config['enigma_options_lock'] = array();
?>
zipdownload
aptitude install php-zip
3rd party plugins - Debian package
Install 3rd-party plugins not directly maintained by roundcube authors
aptitude install roundcube-plugins-extra
3rd party plugins via composer
#wip
Install instructions
https://plugins.roundcube.net/#/
Browse the repository
https://packagist.org/?type=roundcube-plugin
PHP dependency management via
https://getcomposer.org/download/
Install composer
aptitude install composer
There is a composer file
/usr/share/roundcube/composer.json