How to install a complete mailserver on Debian 8/9, featuring Postfix, Dovecot, MySQL, Spamassassin, ClamAV, Roundcube and Fail2ban.

~ the howto that actually works ~

Part 1: Introduction
Part 2: Preparations: Apache, Let’s Encrypt, MySQL and phpMyAdmin
Part 3: MTA: Postfix
Part 4: IMAP server: Dovecot
Part 5: Web interface: Roundcube
Part 6: Spam filtering: SpamAssassin
Part 7: Antivirus: ClamAV and ClamSMTP
Part 8: Quota and other Roundcube settings
Part 9: Using mail with a remote IMAP client (i.e. Thunderbird)
Part 10: Counter brute-force attacks with Fail2ban
Part 11: Sources, config files, colouring and comments

On this page

Installation
Tell the webserver about Roundcube
Change the default session key
Remove Server field from logon screen
Set a user password
Changing the password from Roundcube

Comments are on the last page.

Installation

For Roundcube’s installation remember that you need to have backports set up if you are running Debian 8. Alternatively, download Roundcube yourself, but that will render the next part of this article partly invalid.

# aptitude install roundcube roundcube-plugins

Configure database for roundcube with dbconfig-common? ==> Yes.

Database type to be used by roundcube: mysql

Database password: your MySQL root password

I had a random password generated.

Tell the webserver about Roundcube

In /etc/roundcube/apache.conf uncomment

Alias /roundcube /var/lib/roundcube

Reload Apache’s config:

# service apache2 reload

Change the default session key

In /etc/roundcube/config.inc.php change the sample key used for remembering passwords:

// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars.
// YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
$config['des_key'] = '321UseYourOwnKeyHere4567';

Remove Server field from logon screen

In /etc/roundcube/config.inc.php change

$config['default_host'] = '';

to

$config['default_host'] = 'localhost';

This will remove the Server field on Roundcube’s logon screen since we’re only ever going to use it to view mail on the same server Roundcube is installed on.

Monitor /var/log/apache2/error.log and /var/log/roundcube/error.log for errors.

At this point you can browse to https://example.com/roundcube.

However your only account has no password set yet so let’s do that first.

Set a user password

doveadm is a command line Dovecot administration tool. Read man doveadm or man doveadm-pw for more information.

# doveadm pw -s SHA512-CRYPT

Enter your password, then confirm. Doveadm will generate a string that starts with “{SHA512-CRYPT}$6$”. Copy the entire string except for “{SHA512-CRYPT}”, so including the “$6$”, and in phpMyAdmin paste it in the password field for your user.

On the command line:

# mysql -u root -p
mysql> UPDATE `postfix`.`addresses` SET `pwd` = '$6$QohFKnpbY8fKjw0e923d0501zmhd7YlfQtyBFk6SXGu8GK7H8Vtt1poOs2x6hFPmwU7.z4g7ZCnvGk0yRU4vZGkDW/1hGT5dI82it51' WHERE `email` = "tinus@example.com";
mysql> quit
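
The copy-and-paste step above is easy to get wrong (a stray prefix, a truncated string), so here is an added example, not part of the original article, that strips the scheme prefix, checks the format and prints the UPDATE statement. The function names strip_scheme and build_update and the file name setpw.sh are hypothetical; the table and column names are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original article. strip_scheme and build_update
# are hypothetical helper names; table and column names are the article's.
LC_ALL=C; export LC_ALL

# Drop Dovecot's "{SHA512-CRYPT}" prefix and check that what remains is a
# well-formed SHA512-crypt string: $6$[rounds=N$]<salt, 1-16>$<hash, 86>.
strip_scheme() {
    prefix='{SHA512-CRYPT}'
    crypt_str=${1#"$prefix"}
    case $crypt_str in
        *[!./0-9A-Za-z\$=]*) return 1 ;;   # rejects quotes, spaces, newlines
    esac
    printf '%s\n' "$crypt_str" | grep -Eq \
        '^\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$' ||
        return 1
    printf '%s\n' "$crypt_str"
}

# Print the UPDATE statement for one address. Both values are validated
# first, so nothing that could close the SQL quotes reaches the statement.
build_update() {
    email=$1
    case $email in
        *[!A-Za-z0-9._+@-]*|*@*@*) echo "bad address" >&2; return 1 ;;
        ?*@?*) ;;
        *) echo "bad address" >&2; return 1 ;;
    esac
    crypt_str=$(strip_scheme "$2") || { echo "bad hash" >&2; return 1; }
    printf "UPDATE \`postfix\`.\`addresses\` SET \`pwd\` = '%s' WHERE \`email\` = '%s';\n" \
        "$crypt_str" "$email"
}

# On the mail server, with this file saved as setpw.sh (name is arbitrary):
#   h=$(doveadm pw -s SHA512-CRYPT)      # prompts for the password twice
#   sh setpw.sh tinus@example.com "$h" | mysql -u root -p
if [ "$#" -eq 2 ]; then
    build_update "$1" "$2"
fi
```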

Log in to the Roundcube web interface with the user’s full e-mail address as the username and the password you have just entered twice (not the encrypted version obviously but the thing you typed).

If you can’t log in, check your /var/log/mail.log and /var/log/roundcube/errors. /var/log/roundcube/errors always generates some PHP errors on my machine. I think they’re the results of buggy PHP but they don’t seem to prevent Roundcube from working properly. Point is, you can use Roundcube’s logfiles to troubleshoot, but don’t freak out about errors if things work properly.

Changing the password from Roundcube

I would like my users to be able to change their own e-mail passwords from Roundcube. A plugin can be enabled for that. In /etc/roundcube/config.inc.php find the plugin array and change it to:

// List of active plugins (in plugins/ directory)
$config['plugins'] = array(
'archive',
'zipdownload',
'password',
);

Save the file and now if you go to the Settings section in Roundcube’s web interface you’ll find that a Password button has appeared. It doesn’t work yet though. Open up /etc/roundcube/plugins/password/config.inc.php and have it look like this:

<?php
// See /usr/share/roundcube/plugins/password/config.inc.php.dist for instructions
// Check the access right of the file if you put sensitive information in it.

$config['password_driver'] = 'sql';
$config['password_confirm_current'] = true;
$config['password_minimum_length'] = 6;
$config['password_require_nonalpha'] = true;
$config['password_log'] = false;
$config['password_login_exceptions'] = null;
$config['password_hosts'] = array('localhost');
$config['password_force_save'] = true;

// SQL Driver options
// DSN format: mysql://user:password@host/database
$config['password_db_dsn'] = 'mysql://roundcube:@localhost/roundcubemail';

// SQL Update Query with encrypted password using random 16 character salt
$config['password_query'] = 'UPDATE postfix.addresses SET pwd=ENCRYPT(%p, CONCAT(\'$6$\',SUBSTRING((SHA(RAND())), -16))) WHERE email=%u LIMIT 1';
?>

If this looks complicated that’s because it is. I had countless hours of fun with this. Luckily I had Dovecot’s logging turned all the way up and I was monitoring /var/log/mail.log so that eventually I got it right. What we’re doing here is hashing the password the user typed with SHA512-crypt: ENCRYPT() is given the password and a salt string made up of “$6$” (remember that’s how Dovecot identifies SHA512 encryption) followed by 16 random characters. The difficult part for me was the number and the position of brackets.

Also /usr/share/roundcube/plugins/password/config.inc.php.dist contained some useful hints.

You may have noticed we’re using the roundcube MySQL user for this so that needs to have permissions to change users’ passwords:

# mysql -u root -p
mysql> GRANT SELECT (`email`), UPDATE (`pwd`) ON `postfix`.`addresses` TO 'roundcube'@'localhost';

I cheated here; I did this from phpMyAdmin. The result is the same though: user roundcube must be able to select from the email field and update the password field.
