This article is part of the emails series. It is assumed that you already covered Dovecot and Exim.

You will also need the following software:



$ sudo apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra apache2-

Warning Warning: the apache2- at the end of the list is preventing the automatic installation of Apache. If you have already Apache installed, you need to remove that from the list as it would uninstall it otherwise.

The installer will ask you the following questions:

Configure database for roundcube with dbconfig-common?
Database type to be used by roundcube
Password of the database's administrative user
Provide your MariaDB root password
MySQL application password for roundcube
Keep blank


Edit file /etc/php/7.0/mods-available/local-common.ini and add /var/lib/roundcube/:/usr/share/roundcube/:/etc/roundcube/:/var/log/roundcube/ to the open_basedir setting.

Reload PHP:

$ sudo systemctl reload php7.0-fpm.service

Web Server

  1. Create the config file /etc/nginx/sites-available/
    server {
        include snippets/listen-http.conf;
        access_log /var/log/nginx/;
        error_log /var/log/nginx/;
        include snippets/https-permanent-redirect.conf;
    server {
        include snippets/listen-https.conf;
        access_log /var/log/nginx/;
        error_log /var/log/nginx/;
        include snippets/acme-challenge.conf;
        #include snippets/ssl.conf;
        #ssl_certificate      /etc/letsencrypt/live/;
        #ssl_certificate_key  /etc/letsencrypt/live/;
        #include snippets/hsts.conf;
        client_max_body_size 10G; # set max upload size
        root /var/lib/roundcube/;
        location ~ ^/(config|temp|logs)/ {
            deny all;
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        index index.php;
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi.conf;
            fastcgi_index index.php;
            fastcgi_pass php;
  2. Activate the configuration with
    $ sudo nginx_modsite -e
    Would you like to reload the Nginx configuration now? (Y/n) Y
  3. Edit file /usr/local/etc/certmanage/main.json and add the following to the list
        "domains": [""],
        "reload": [["/bin/systemctl", "reload", "nginx.service"]]
  4. Get your certificate
    $ sudo /usr/local/sbin/certmanage
    Renewing certificate for that will expire on 0001-01-01
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1):
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for
    Using the webroot path /var/www/acme-challenge for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/ Your cert
       will expire on 2019-03-11. To obtain a new or tweaked version of
       this certificate in the future, simply run certbot again. To
       non-interactively renew *all* of your certificates, run "certbot
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt:
       Donating to EFF:          
    Restarting services:
    systemctl reload nginx.service
  5. Uncomment the ssl related lines in /etc/nginx/sites-available/ and run
    $ sudo systemctl reload nginx.service


Mail server

Edit file /etc/roundcube/ and modify line

$config['default_host'] = 'localhost';


This plugin allows to get contacts from an external source that support the Carddav protocol.

Update notification

This plugin is not packaged in Debian. We will download it from the original website. As for any manually installed software, you need to keep up-to-date with new releases.

You can follow new releases of the plugin using feed


Download latest release from At the time of writing, it is 2.0.4.

$ cd /var/lib/roundcube/plugins
$ curl -Ls | sudo tar xj
$ sudo chmod g-w,o= -R carddav
$ sudo chown root:www-data -R carddav

Now edit /etc/roundcube/

// Add carddav to the list of plugins
$config['plugins'] = array(

// Disable default address book as we have carddav
$config['address_book_type'] = '';

Finally, in roundcube, you can go to Settings ⇒ Preferences ⇒ CardDAV and add your server.

Context Menu

Use context menu for various actions.

Enable plugin in /etc/roundcube/

// Add contextmenu to the list of plugins
$config['plugins'] = array(

Subscriptions option

By default, Roundcube only shows folder that you subscribed to. This plugin allows to show all folders.

Enable plugin in /etc/roundcube/

// Add subscriptions_option to the list of plugins
$config['plugins'] = array(

// Do not use IMAP subscriptions. Show all folders
$config['use_subscriptions'] = false;

Zip Download

This plugin allows to download all attachments of an email as one zip archive.

Enable the plugin in /etc/roundcube/

// Add zipdownload to the list of plugins
$config['plugins'] = array(


Create file /etc/fail2ban/jail.d/roundcube-auth.conf

enabled = true
logpath = %(roundcube_errors_log)s

And activate the new jail

$ sudo fail2ban-client reload roundcube-auth
ERROR  NOK: ('roundcube-auth',)