Taking e-mail back, part 4: The finale, with webmail & everything after

Setting up and securing Roundcube and going forward into a self-hosted future.

Creating our database

We fortunately don't need to do much configuration for MariaDB, since it's relatively secure out of the box (and we're not exposing it to the Internet, either, which takes care of a whole lot of potential problems).

There are web applications you can set up to help admin MySQL/MariaDB; in our database setup guide, I suggested using a small app named SQL Buddy, which you're welcome to install if you'd like. However, if you're going to do that, I very much recommend setting it up on a totally separate Nginx vhost from your Roundcube instance. And if that doesn't make sense, then best to not go down that road.

Fortunately, creating a user and a database with the MySQL/MariaDB command line tools is easy. First, start the command line SQL interface and connect as the root user:

mysql -u root -p

After authenticating with the root password you created earlier when you installed MariaDB, you'll find yourself at a SQL prompt. To create a database and then create a SQL user with privileges on that database, enter the following commands (and make sure to terminate each line with a semicolon, because otherwise the commands won't execute):

create database roundcubedb;
grant all on roundcubedb.* to 'roundcubedb'@'localhost' identified by 'enter-a-password-here';

And that's it—we've got a Web server, a PHP interpreter, and a database server with a fresh user and database to use. The only thing we're missing is the actual webmail application!

Actually installing Roundcube

Time to go get Roundcube. We want to pull down the latest version, which at this point is the just-released 1.0.0, so head to the Roundcube download page and download the latest version. If you want to do it from the command line on your mail server, you can use wget, like this:

wget -O /usr/share/nginx/roundcubemail-1.0.0.tar.gz
tar zxfv /usr/share/nginx/roundcubemail-1.0.0.tar.gz -C /usr/share/nginx

Then, get rid of your existing roundcube directory and rename the newly created roundcubemail-1.0.0 directory to roundcube and make sure the directory is owned by the Nginx service account:

rm -rf /usr/share/nginx/roundcube
mv /usr/share/nginx/roundcubemail-1.0.0 /usr/share/nginx/roundcube
chown -R www-data:www-data /usr/share/nginx/roundcube

Then, point your web browser at This will kick off the Roundcube web-based installer.

Image: Configuring our database during Roundcube's setup process.

The first screen will check and make sure all of Roundcube's prerequisites are met; everything should look good (except for non-installed database types and potentially one error at the bottom with the optional date and time configuration). Click next to continue.

On the second page, walk down the options and fill in the items you'd like to fill in. The product_name field should be changed from "Roundcube Webmail" to something more descriptive, at least. You should also check the ip_check box, which will help with Roundcube's session security. It's also advisable for you to change identities_level to "many identities with possibility to edit all params but not email address," since we want our users to be able to change options from within Roundcube—but not to change their e-mail addresses, since those are set by Postfix.

You'll definitely need to change the "Database setup" options. "Database server" can be left at "localhost," and then you'll need to enter the Roundcube SQL database name and database user in the next two fields, along with the user's password. You can leave db_prefix blank.

Clicking "create config" at the bottom will produce a text box containing a preformatted bunch of PHP code—this should be cut and pasted exactly as-is into a new file named, located in /usr/share/nginx/roundcube/config/.

The next page should show the results of some more checks and will also give you the ability to initialize the Roundcube database by clicking a button. Make sure to do so.

Finally, at the bottom, you'll be able to verify your Roundcube install's ability to send mail, as well as its ability to log in with IMAP credentials you supply. For sending, use one of your virtual users for a source and something like a Gmail account for the recipient—we want to make sure Roundcube-initiated e-mails can actually be properly sent.

We've left the default IMAP port of 143 alone; ordinarily we'd want to make sure that we're only using secure IMAP, but with Roundcube and Dovecot both on the same server, it doesn't matter, as the credentials never cross a network. Punch in a virtual user's account and password and see if they work. You should get an "IMAP connect: OK" message if so.

The last thing to do for Roundcube setup is to get rid of the installer directory on the server, as the instructions say to do in the big red box at the bottom. Remove it like this:

rm -rf /usr/share/nginx/roundcube/installer
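
A quick way to confirm the setup steps above actually took, written as an added example (it is not part of Roundcube or of the original article). The config file path is passed in as an argument, and the $config['ip_check'] = true; line format is an assumption based on the $config['plugins'] line this guide shows.

```python
import os
import re
import stat
import sys

PLACEHOLDER = "enter-a-password-here"  # literal from the GRANT statement above


def audit_roundcube(root, config_path):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # The installer is only needed once and should be gone after setup.
    if os.path.exists(os.path.join(root, "installer")):
        findings.append("installer directory still present")
    try:
        mode = os.stat(config_path).st_mode
        with open(config_path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        return findings + ["cannot read config: %s" % exc.strerror]
    # The config holds the database password: no access bits for "other".
    if mode & stat.S_IRWXO:
        findings.append("config file is accessible to other local users")
    if PLACEHOLDER in text:
        findings.append("database password is still the placeholder")
    # Assumed line format: $config['ip_check'] = true;
    pattern = r"^\s*\$config\['ip_check'\]\s*=\s*true\s*;"
    if not re.search(pattern, text, re.M | re.I):
        findings.append("ip_check is not enabled")
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py ROUNDCUBE_ROOT CONFIG_FILE")
    problems = audit_roundcube(sys.argv[1], sys.argv[2])
    print("\n".join(problems) or "all checks passed")
    sys.exit(1 if problems else 0)
```

Run it as root with /usr/share/nginx/roundcube as the first argument and the config file you pasted from the installer as the second; a non-zero exit status means something still needs fixing.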

With the installer directory deleted, all that remains is to actually log on to your webmail. Use your full e-mail address and password, and you should be rewarded with an inbox, like this:

Image: It works!

Adding Google Authenticator support to Roundcube

Usernames and passwords are good, but two-factor authentication is much better. Fortunately, there's a plug-in that adds Google Authenticator-based TOTP functionality to Roundcube, and it's quite easy to set up.

First, navigate to Roundcube's plugin directory and clone the plug-in from GitHub (you may have to run aptitude install git if you don't have Git already installed). Make sure you change the cloned directory's owner to www-data when done:

cd /usr/share/nginx/roundcube/plugins
git clone
chown -R www-data:www-data /usr/share/nginx/roundcube/plugins

Next, activate the plug-in by editing Roundcube's config file at /usr/share/nginx/roundcube/config/ Find the plugin line at the bottom of the config file and modify it by putting the plugin's directory name inside the parameter's array. While we're in there, it's a good idea to activate several of the other plugins that come with Roundcube. When you're done, the line should look like this:

$config['plugins'] = array('managesieve', 'attachment_reminder', 'markasjunk', 'newmail_notifier', 'twofactor_gauthenticator');

Give PHP a restart with service php5-fpm restart and refresh your web browser, then click the "Settings" button in the Roundcube interface. Click "2steps Google verification" on the left pane, and then in the right pane you'll see the configuration options for the plugin.

Image: Adding two-factor authentication to your webmail account—works with any TOTP-compatible authentication application (like Google Authenticator).

Generate a secret and one or more single-use recovery codes (in case you ever lose your phone and can't generate TOTP codes), then save and click "Show QR code." You can scan the QR code with your Google Authenticator-equipped smartphone, just like any other Google Authenticator setup, and after that your phone's Google Authenticator app will show one-time codes for your Roundcube install. You'll have to click the "Activate" checkbox to make it apply to your account.


From that point on, you'll need to supply a Google Authenticator-generated TOTP code to log on to your webmail, which adds a bit more security to the setup.

But what if we wanted to go a little deeper?
