Roundcube

Revision as of 22:56, 14 June 2016 by Vincent (talk | contribs) (Add fail2ban)


Warning: This page is a work in progress and is not completed. Important information might be missing or wrong.

Install

Roundcube

# apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra apache2-

Warning: the trailing apache2- in the package list prevents the automatic installation of Apache. If Apache is already installed, remove apache2- from the list, as it would otherwise uninstall it.

Configure database for roundcube with dbconfig-common?
yes
Database type to be used by roundcube
mysql
Password of the database's administrative user
Provide your MariaDB root password
MySQL application password for roundcube
Keep blank

PHP

Edit the file /etc/php/7.0/mods-available/local-common.ini and add /var/lib/roundcube/:/usr/share/roundcube/:/etc/roundcube/:/var/log/roundcube/ to the open_basedir setting.

Reload PHP:

$ sudo systemctl reload php7.0-fpm.service

Web Server

  1. Create the config file /etc/nginx/sites-available/mail.example.org
    server {
        include snippets/listen-http.conf;
        server_name mail.example.org;
    
        access_log /var/log/nginx/mail.example.org.access.log;
        error_log /var/log/nginx/mail.example.org.error.log;
    
        include snippets/https-permanent-redirect.conf;
    }
    
    server {
        include snippets/listen-https.conf;
        server_name mail.example.org;
    
        access_log /var/log/nginx/mail.example.org.access.log;
        error_log /var/log/nginx/mail.example.org.error.log;
    
        include snippets/acme-challenge.conf;
        #include snippets/ssl.conf;
        #ssl_certificate      /etc/letsencrypt/live/mail.example.org/fullchain.pem;
        #ssl_certificate_key  /etc/letsencrypt/live/mail.example.org/privkey.pem;
        #include snippets/hsts.conf;
    
        client_max_body_size 10G; # set max upload size
    
        root /var/lib/roundcube/;

        location ~ ^/(config|temp|logs)/ {
            deny all;
        }

        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }

        index index.php;

        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi.conf;
            fastcgi_index index.php;
            fastcgi_pass php5;
        }
    }
    
  2. Activate the configuration with
    $ sudo nginx_modsite -e mail.example.org
    Would you like to reload the Nginx configuration now? (Y/n) Y
    
  3. Edit file /usr/local/etc/certmanage/main.json and add the following to the list
    {
        "domains": ["mail.example.org"],
        "reload": [["/bin/systemctl", "reload", "nginx.service"]]
    }
    
  4. Get your certificate
    $ sudo /usr/local/sbin/certmanage
    Renewing certificate for mail.example.org that will expire on 0001-01-01
    
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for mail.example.org
    Using the webroot path /var/www/acme-challenge for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/mail.example.org/fullchain.pem. Your cert
       will expire on 2024-06-26. To obtain a new or tweaked version of
       this certificate in the future, simply run certbot again. To
       non-interactively renew *all* of your certificates, run "certbot
       renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    Restarting services:
    systemctl reload nginx.service
    
  5. Uncomment the SSL-related lines in /etc/nginx/sites-available/mail.example.org and run
    $ sudo systemctl reload nginx.service
    

Configuration

Mail server

Edit the file /etc/roundcube/config.inc.php and modify the line

$config['default_host'] = 'localhost';

Fail2Ban

Create the file /etc/fail2ban/jail.d/roundcube-auth.conf

[roundcube-auth]
enabled = true
logpath = %(roundcube_errors_log)s

Then activate the new jail (note that fail2ban-client reload with a jail name only reloads a jail that is already loaded; a freshly created jail is picked up by a full reload without a jail name, or by restarting the fail2ban service)

# fail2ban-client reload roundcube-auth
ERROR  NOK: ('roundcube-auth',)
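To see what the jail above actually does with Roundcube's error log, here is an added example (not part of this wiki page, of Roundcube, or of fail2ban) that replays fail2ban's counting rule over constructed /var/log/roundcube/errors lines. The log lines are made up, the regex is a simplified one modelled on the shape of the roundcube-auth filter rather than copied from it, and the thresholds are fail2ban's defaults (maxretry 5 within findtime 600 seconds).

```python
import re
from datetime import datetime

# Constructed sample of /var/log/roundcube/errors lines (not a real log); the message
# layout mirrors Roundcube's "IMAP Error: Login failed for <user> from <ip>." entries.
SAMPLE_LOG = """\
[14-Jun-2016 20:00:00 +0200]: <s1> IMAP Error: Login failed for bob@example.org from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed.
[14-Jun-2016 20:30:00 +0200]: <s1> IMAP Error: Login failed for bob@example.org from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed.
[14-Jun-2016 21:00:00 +0200]: <s1> IMAP Error: Login failed for bob@example.org from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed.
[14-Jun-2016 21:30:00 +0200]: <s1> IMAP Error: Login failed for bob@example.org from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed.
[14-Jun-2016 22:00:00 +0200]: <s1> IMAP Error: Login failed for bob@example.org from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed.
[14-Jun-2016 22:50:01 +0200]: <s2> PHP Error: Undefined index: foo in /usr/share/roundcube/program/include/foo.php on line 1
[14-Jun-2016 22:50:01 +0200]: <s2> IMAP Error: Login failed for alice@example.org from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed.
[14-Jun-2016 22:50:09 +0200]: <s2> IMAP Error: Login failed for alice@example.org from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed.
[14-Jun-2016 22:50:20 +0200]: <s2> IMAP Error: Login failed for admin@example.org from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed.
[14-Jun-2016 22:50:31 +0200]: <s2> IMAP Error: Login failed for root@example.org from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed.
[14-Jun-2016 22:50:45 +0200]: <s2> IMAP Error: Login failed for alice@example.org from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed.
[14-Jun-2016 22:51:00 +0200]: <s3> IMAP Error: Login failed for carol@example.org from 198.51.100.7. AUTHENTICATE PLAIN: Authentication failed.
"""

# Simplified match for failed-login lines (assumption: modelled on the shape of
# fail2ban's roundcube-auth filter, not copied from it). Only the timestamp and
# the client address are needed to replicate the jail's counting.
FAILED_LOGIN = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: (?:<[^>]*> )?IMAP Error: (?:FAILED login|Login failed) "
    r"for \S+ from (?P<ip>[0-9a-fA-F.:]+)\b"
)

def parse_failures(log_text):
    """Yield (timestamp, ip) for each failed-login line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S %z"), m.group("ip")

def hosts_to_ban(log_text, maxretry=5, findtime=600):
    """Return the IPs that reach maxretry failures inside a sliding findtime window
    (seconds), i.e. what the jail would ban with fail2ban's default thresholds."""
    recent = {}   # ip -> timestamps of the failures still inside the window
    banned = []
    for ts, ip in parse_failures(log_text):
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['192.0.2.10']: 203.0.113.5 is too slow, 198.51.100.7 too few
```

Widening findtime to two hours also catches the slow guesser at 203.0.113.5, which is the knob to turn when low-and-slow attempts show up in the errors log.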