Creating our database
We fortunately don't need to do much configuration for MariaDB, since it's relatively secure out of the box (and we're not exposing it to the Internet, either, which takes care of a whole lot of potential problems).
There are web applications you can set up to help admin MySQL/MariaDB; in our database setup guide, I suggested using a small app named SQL Buddy, which you're welcome to install if you'd like. However, if you're going to do that, I very much recommend setting it up on a totally separate Nginx vhost from your Roundcube instance. And if that doesn't make sense, then best to not go down that road.
Fortunately, creating a user and a database with the MySQL/MariaDB command line tools is easy. First, start the command line SQL interface and connect as the root user:
After authenticating with the root password you created earlier when you installed MariaDB, you'll find yourself at a SQL prompt. To create a database and then create a SQL user with privileges on that database, enter the following commands (and make sure to terminate each line with a semicolon, because otherwise the commands won't execute):
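The statements for this step, as an added example rather than the article's original commands: a small shell function that prints the SQL for a dedicated database and a user that can only connect from localhost and only touch that one database. The database name, user name and password in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: emit the SQL for a dedicated Roundcube database and user.
# The names in the usage line at the bottom are hypothetical placeholders.

# Accept only plain identifiers so a name can never break out of the SQL.
valid_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Escape backslashes and single quotes for use inside a SQL string literal.
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# roundcube_db_sql DBNAME DBUSER PASSWORD
# Prints the SQL on stdout; returns non-zero (and prints nothing) on bad input.
roundcube_db_sql() {
    db=$1 user=$2 pass=$3
    valid_ident "$db" && valid_ident "$user" || return 1
    [ -n "$pass" ] || return 1
    pw=$(sql_quote "$pass")
    # The account is bound to 'localhost' and granted rights on one database only.
    cat <<EOF
CREATE DATABASE \`$db\` CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pw';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'localhost';
EOF
}

# Usage (mysql prompts for the MariaDB root password on the terminal):
#   roundcube_db_sql roundcubedb roundcube 'constructed-password' | mysql -u root -p
```
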
And that's it—we've got a Web server, a PHP interpreter, and a database server with a fresh user and database to use. The only thing we're missing is the actual webmail application!
Actually installing Roundcube
Time to go get Roundcube. We want to pull down the latest version, which at this point is the just-released 1.0.0, so head to the Roundcube download page and download the latest version. If you want to do it from the command line on your mail server, you can use wget, like this:
Then, get rid of your existing roundcube directory and rename the newly created roundcubemail-1.0.0 directory to roundcube and make sure the directory is owned by the Nginx service account:
Then, point your web browser at https://mail.yourdomain.com/installer. This will kick off the Roundcube web-based installer.
The first screen will check and make sure all of Roundcube's prerequisites are met; everything should look good (except for non-installed database types and potentially one error at the bottom with the optional date and time configuration). Click next to continue.
On the second page, walk down the options and fill in the items you'd like to fill in. The product_name field should be changed from "Roundcube Webmail" to something more descriptive, at least. You should also check the ip_check box, which will help with Roundcube's session security. It's also advisable for you to change to "many identities with possibility to edit all params but not email address," since we want our users to be able to change options from within Roundcube—but not to change their e-mail addresses, since those are set by Postfix.
You'll definitely need to change the "Database setup" options. "Database server" can be left at "localhost," and then you'll need to enter the Roundcube SQL database name and database user in the next two fields, along with the user's password. You can leave
Clicking "create config" at the bottom will produce a text box containing a preformatted bunch of PHP code—this should be cut and pasted exactly as-is into a new file named config.inc.php, located in
The next page should show the results of some more checks and will also give you the ability to initialize the Roundcube database by clicking a button. Make sure to do so.
Finally, at the bottom, you'll be able to verify your Roundcube install's ability to send mail, as well as its ability to log in with IMAP credentials you supply. For sending, use one of your virtual users for a source and something like a Gmail account for the recipient—we want to make sure Roundcube-initiated e-mails can actually be properly sent.
We've left the default IMAP port of 143 alone; ordinarily we'd want to make sure that we're only using secure IMAP, but with Roundcube and Dovecot both on the same server, it doesn't matter, as the credentials don't actually traverse anything. Punch in a virtual user's account and password and see if they work. You should get an "IMAP connect: OK" message if so.
The last thing to do for Roundcube setup is to get rid of the installer directory on the server, as the instructions say to do in the big red box at the bottom. Remove it like this:
The last thing to do, after deleting the directory, is to actually log on to your webmail. Use your full e-mail address and password, and you should be rewarded with an inbox, like
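Added example, not part of the original article: once the installer directory has been removed, a short shell check like this confirms that it is gone, that the Roundcube tree has the owner you expect, and that config.inc.php is not accessible to other local users. The paths and owner are arguments you supply; the ones in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Roundcube tree after the web installer has been run.
# Arguments (all supplied by the caller, nothing is assumed about your layout):
#   $1 Roundcube directory   $2 path to config.inc.php   $3 expected owner
# Prints one line per finding and returns the number of findings.

audit_roundcube() {
    root=$1 cfg=$2 owner=$3
    findings=0
    note() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # The installer is only needed during setup and should not stay on the server.
    if [ -e "$root/installer" ]; then
        note "installer directory still present: $root/installer"
    fi

    # The tree should belong to the web server's service account.
    actual=$(ls -ld "$root" | awk '{print $3}')
    if [ "$actual" != "$owner" ]; then
        note "$root is owned by $actual, expected $owner"
    fi

    if [ ! -f "$cfg" ]; then
        note "config file not found: $cfg"
    else
        # The file holds the database password; "other" needs no access to it.
        other=$(ls -ld "$cfg" | cut -c8-10)
        if [ "$other" != "---" ]; then
            note "$cfg grants '$other' to other users"
        fi
    fi
    return "$findings"
}

# Usage, with hypothetical paths:
#   audit_roundcube /path/to/roundcube /path/to/roundcube/config.inc.php www-data
```
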
Adding Google Authenticator support to Roundcube
Usernames and passwords are good, but two-factor authentication is much better. Fortunately, there's a plug-in that adds Google Authenticator-based TOTP functionality to Roundcube, and it's quite easy to set up.
First, navigate to Roundcube's plugin directory and clone the plug-in from GitHub (you may have to run aptitude install git if you don't have Git already installed). Make sure you change the cloned directory's owner to www-data when done:
Next, activate the plug-in by editing Roundcube's config file at
Find the plugin line at the bottom of the config file and modify it by putting the plugin's directory name inside the parameter's array. While we're in there, it's a good idea to activate several of the other plugins that come with Roundcube. When you're done, the line should look
Give PHP a restart with service php5-fpm restart and refresh your web browser, then click the "Settings" button in the Roundcube interface. Click "2steps Google verification" on the left pane, and then in the right pane you'll see the configuration options for the plugin.
Generate a secret and one or more single-use recovery codes (for if you ever lose your phone and can't generate TOTP codes), then save and click "Show QR code." You can scan the QR code with your Google Authenticator-equipped smartphone, just like any other Google Authenticator setup, and after that your phone's Google Authenticator app will show one-time codes for your Roundcube install. You'll have to click the "Activate" checkbox to make it apply to your account.
From that point on, you'll need to supply a Google Authenticator-generated TOTP code to log onto your webmail, which will add a bit more security onto things.
But what if we wanted to go a little deeper?