Permission list for the roundcube folder :
drwxrwxr– 11 apache apache 4096 Jun 8 14:19 enigma_pgp_homedir
drwxrwxr– 2 apache apache 4096 Jul 12 16:34 logs
Enigma plugin (PGP encryption) Roundcube
You have to set up Enigma plugin :
cp /……../roundcubemail/plugins/enigma/config.inc.php.dist /……../roundcubemail/plugins/enigma/config.inc.php
<?php
// Enigma Plugin options
// --------------------
// A driver to use for PGP. Default: "gnupg".
$config['enigma_pgp_driver'] = 'gnupg';
// A driver to use for S/MIME. Default: "phpssl".
$config['enigma_smime_driver'] = 'phpssl';
// Enables logging of enigma operations (including Crypt_GPG debug info)
$config['enigma_debug'] = true;
// Keys directory for all users. Default 'enigma/home'.
// Must be writeable by PHP process
$config['enigma_pgp_homedir'] = enigma/home;
// Location of gpg binary. By default it will be auto-detected.
// This is also a way to force gpg2 use if there are both 1.x and 2.x on the system.
$config['enigma_pgp_binary'] = '/usr/bin/gpg';
// Location of gpg-agent binary. By default it will be auto-detected.
// It's used with GnuPG 2.x.
$config['enigma_pgp_agent'] = '';
// Location of gpgconf binary. By default it will be auto-detected.
// It's used with GnuPG >= 2.1.
$config['enigma_pgp_gpgconf'] = '';
// Enables signatures verification feature.
$config['enigma_signatures'] = true;
// Enables messages decryption feature.
$config['enigma_decryption'] = true;
// Enables messages encryption and signing feature.
$config['enigma_encryption'] = true;
// Enable signing all messages by default
$config['enigma_sign_all'] = false;
// Enable encrypting all messages by default
$config['enigma_encrypt_all'] = false;
// Enable attaching a public key to all messages by default
$config['enigma_attach_pubkey'] = false;
// Default for how long to store private key passwords (in minutes).
// When set to 0 passwords will be stored for the whole session.
$config['enigma_password_time'] = 0;
// With this option you can lock composing options
// of the plugin forcing the user to use configured settings.
// The array accepts: 'sign', 'encrypt', 'pubkey'.
//
// For example, to force your users to sign every email,
// you should set:
// - enigma_sign_all = true
// - enigma_options_lock = array('sign')
// - dont_override = array('enigma_sign_all')
$config['enigma_options_lock'] = array();
Installation and settings Enigma plugin
Preferences > Settings > Encryption you’ll have the possibility to enable/disable encryption-related features.
The keys are stored on the server.
Figure 1. Encryption preferences section.
Goto Settings > PGP Keys. There you can generate a new key pair or import keys.
Figure 2. Key generation form.
Figure 3. Key information frame.
Composing messages
Figure 4. Encryption options in compose.
Protect Roundcube with Google reCaptcha
reCaptcha plugin for Roundcube is a good way to protect your server against brute-force attacks on a webmail.
We will install it from the plugin’s repository https://github.com/dsoares/rcguard.git. The addon was tested at the moment of the writing of this guide with RoundCube version 1.3.3.
First make sure you’ve got git installed on your server. If it’s missing you can install it either from your OS repository with a package manager or from sources.
So we start
Installation of the plugin into RoundCube on a Directadmin server starts with the following commands:
cd /var/www/html/roundcube/plugins/ GIT_SSL_NO_VERIFY=true git clone https://github.com/dsoares/rcguard.git rcguard chown -R webapps:webapps rcguard/ cd rcguard mv config.inc.php.dist config.inc.php
Example of an output from git command:
# GIT_SSL_NO_VERIFY=true git clone https://github.com/dsoares/rcguard.git rcguard Cloning into 'rcguard'... remote: Counting objects: 470, done. remote: Total 470 (delta 0), reused 0 (delta 0), pack-reused 470 Receiving objects: 100% (470/470), 82.68 KiB, done. Resolving deltas: 100% (240/240), done.
If you see an error you should read everything carefully and try to resolve it. Please feel free to contact us if anything goes wrong here.
Add your reCaptcha keys
Go to https://www.google.com/recaptcha/admin and get your keys.
It’s important to mention, that Google will show reCaptcha only on domains which were registered at Google for these particular pair of keys. It means that you should either register all of your domains at Google if you want to access RoundCube on users’ domains, or use one domain (or hostname) for all users and register one domain at Google.
As soon as you get your keys you should add them into configuration file of the addon.
Open the config file of the plugin in an editor:
vi config.inc.php
and update the following lines with your real public and private keys from Google:
// Public key for reCAPTCHA $config['recaptcha_publickey'] = ''; // Private key for reCAPTCHA $config['recaptcha_privatekey'] = '';
So it would look like the following:
// Public key for reCAPTCHA $rcmail_config['recaptcha_publickey'] = '6LdNmhYTAAAAAOXR**********OcI6MPpePq2eRn'; // Private key for reCAPTCHA $rcmail_config['recaptcha_privatekey'] = '6LdNmhYTAAAAAB**********vJxvSjDR9VUiDDq-';
For security reasons some symbols are masked here, in your case there should not be asterisks.
You can change other settings of the plugin per your needs. For example this one:
// Number of failed logins before reCAPTCHA is shown $rcmail_config['failed_attempts'] = 5;
can be changed to
// Number of failed logins before reCAPTCHA is shown $rcmail_config['failed_attempts'] = 1;
if you want reCaptcha to be shown after the first failed login (the default is 5).
Create MySQL table for the plugin
Connect to mysql either in a shell with the following command:
mysql --defaults-extra-file=/usr/local/directadmin/conf/my.cnf da_roundcube
Or use phpMyAdmin interface and choose DB with name da_roundcube.
Then run the following query:
CREATE TABLE `rcguard` ( `ip` VARCHAR(40) NOT NULL, `first` DATETIME NOT NULL, `last` DATETIME NOT NULL, `hits` INT(10) NOT NULL, PRIMARY KEY (`ip`), INDEX `last_index` (`last`), INDEX `hits_index` (`hits`) ) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci; quit;
Here is an example of a desirable output: “Query OK, 0 rows affected (0.03 sec)”, and in full it will look as the following:
MariaDB [da_roundcube]> CREATE TABLE `rcguard` (
-> `ip` VARCHAR(40) NOT NULL,
-> `first` DATETIME NOT NULL,
-> `last` DATETIME NOT NULL,
-> `hits` INT(10) NOT NULL,
-> PRIMARY KEY (`ip`),
-> INDEX `last_index` (`last`),
-> INDEX `hits_index` (`hits`)
-> ) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;
Query OK, 0 rows affected (0.03 sec)
MariaDB [da_roundcube]>
MariaDB [da_roundcube]> quit;
Bye
Updating Roundcube config
Now we need to modify RoundCube main configuration in order to let it work with the addon/plugin.
Register the plugin by modifying config.inc.php:
cd /var/www/html/roundcube/config/ vi ./config.inc.php
Find the line
$config['plugins'] = array(
and change it to:
$config['plugins'] = array(
'rcguard',
Don’t forget to add a comma in the end of the line.
Protect your customization for future updates
For this you need to copy the plugin and updated config into a special folder of custombuild:
mkdir -p /usr/local/directadmin/custombuild/custom/roundcube/plugins/ cd /usr/local/directadmin/custombuild/custom/roundcube/ cp -r /var/www/html/roundcube/plugins/rcguard ./plugins/ cp -p /var/www/html/roundcube/config/config.inc.php .
Every time when you update a version of RoundCube with Directadmin you will still have the plugin enabled.
That’s it. Tags: directadminE-mailRoundcubepluginsSecurityreCaptcha
ISPConfig 3 + RoundCube Mail 1.0 + Password Management
Most of the articles on the web are referring to older versions. Below are the steps to get it working.
Assumptions: This works on a Ubuntu Server 12.04 LTS updated with the latest patches, setup by following “Perfect Server” tutorial, then installed with RoundCube 1.0 as the Webmail. (SqurrielMail installation was skipped).
1. Enable the password plugin of RoundCube – The 1.0 version comes with the plugin in the package, but not activated.
Under config/config.inc.php
// ———————————-
// PLUGINS
// ———————————-
// List of active plugins (in plugins/ directory)
$config[‘plugins’] = array(‘password’);
This tells you will activate the ‘password’ plugin which sits inside the plugins/ directory.
2. Then edit the plugins/password/config.inc.php
$config[‘password_db_dsn’] = ‘mysql://ispconfig:password@localhost/dbispconfig’;
“password” is stored in /usr/local/ispconfig/interface/lib/config.inc.php.
3. Edit $config[‘password_query’] in plugins/password/config.inc.php
$config[‘password_query’] = ‘UPDATE mail_user SET password=%c WHERE email=%u LIMIT 1’;
or
$config[‘password_query‘] = ‘UPDATE mail_user SET password=%c WHERE email=%u and password=%o LIMIT 1‘;
