#!/bin/bash # Webmail with Roundcube # ---------------------- source setup/functions.sh # load our functions source /etc/mailinabox.conf # load global vars # ### Installing Roundcube # We install Roundcube from sources, rather than from Ubuntu, because: # # 1. Ubuntu's `roundcube-core` package has dependencies on Apache & MySQL, which we don't want. # # 2. The Roundcube shipped with Ubuntu is consistently out of date. # # 3. It's packaged incorrectly --- it seems to be missing a directory of files. # # So we'll use apt-get to manually install the dependencies of roundcube that we know we need, # and then we'll manually install roundcube from source. # These dependencies are from `apt-cache showpkg roundcube-core`. echo "Installing Roundcube (webmail)..." apt_install \ dbconfig-common \ php-cli php-sqlite3 php-intl php-json php-common php-curl php-ldap \ php-gd php-pspell libjs-jquery libjs-jquery-mousewheel libmagic1 php-mbstring php-gnupg # Install Roundcube from source if it is not already present or if it is out of date. # Combine the Roundcube version number with the commit hash of plugins to track # whether we have the latest version of everything. # For the latest versions, see: # https://github.com/roundcube/roundcubemail/releases # https://github.com/mfreiholz/persistent_login/commits/master # https://github.com/stremlau/html5_notifier/commits/master # https://github.com/mstilkerich/rcmcarddav/releases # The easiest way to get the package hashes is to run this script and get the hash from # the error message. VERSION=1.6.0 HASH=fd84b4fac74419bb73e7a3bcae1978d5589c52de PERSISTENT_LOGIN_VERSION=version-5.3.0 HTML5_NOTIFIER_VERSION=68d9ca194212e15b3c7225eb6085dbcf02fd13d7 # version 0.6.4+ CARDDAV_VERSION=4.4.4 CARDDAV_HASH=743fd6925b775f821aa8860982d2bdeec05f5d7b UPDATE_KEY=$VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION # paths that are often reused. RCM_DIR=/usr/local/lib/roundcubemail RCM_PLUGIN_DIR=${RCM_DIR}/plugins RCM_CONFIG=${RCM_DIR}/config/config.inc.php needs_update=0 #NODOC if [ ! -f /usr/local/lib/roundcubemail/version ]; then # not installed yet #NODOC needs_update=1 #NODOC elif [[ "$UPDATE_KEY" != $(cat /usr/local/lib/roundcubemail/version) ]]; then # checks if the version is what we want needs_update=1 #NODOC fi if [ $needs_update == 1 ]; then # if upgrading from 1.3.x, clear the temp_dir if [ -f /usr/local/lib/roundcubemail/version ]; then if [ "$(cat /usr/local/lib/roundcubemail/version | cut -c1-3)" == '1.3' ]; then find /var/tmp/roundcubemail/ -type f ! -name 'RCMTEMP*' -delete fi fi # install roundcube wget_verify \ https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION-complete.tar.gz \ $HASH \ /tmp/roundcube.tgz tar -C /usr/local/lib --no-same-owner -zxf /tmp/roundcube.tgz rm -rf /usr/local/lib/roundcubemail mv /usr/local/lib/roundcubemail-$VERSION/ $RCM_DIR rm -f /tmp/roundcube.tgz # install roundcube persistent_login plugin git_clone https://github.com/mfreiholz/persistent_login.git $PERSISTENT_LOGIN_VERSION '' ${RCM_PLUGIN_DIR}/persistent_login # install roundcube html5_notifier plugin git_clone https://github.com/kitist/html5_notifier.git $HTML5_NOTIFIER_VERSION '' ${RCM_PLUGIN_DIR}/html5_notifier # download and verify the full release of the carddav plugin wget_verify \ https://github.com/mstilkerich/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-v${CARDDAV_VERSION}.tar.gz \ $CARDDAV_HASH \ /tmp/carddav.tar.gz # unzip and cleanup tar -C ${RCM_PLUGIN_DIR} -zxf /tmp/carddav.tar.gz rm -f /tmp/carddav.tar.gz # record the version we've installed echo $UPDATE_KEY > ${RCM_DIR}/version fi # ### Configuring Roundcube # Generate a secret key of PHP-string-safe characters appropriate # for the cipher algorithm selected below. SECRET_KEY=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 | sed s/=//g) # Create a configuration file. # # For security, temp and log files are not stored in the default locations # which are inside the roundcube sources directory. We put them instead # in normal places. cat > $RCM_CONFIG < array( 'verify_peer' => false, 'verify_peer_name' => false, ), ); \$config['imap_timeout'] = 15; \$config['smtp_host'] = 'tls://127.0.0.1:587'; \$config['smtp_conn_options'] = array( 'ssl'=> array( 'verify_peer' => false, 'verify_peer_name' => false, ), ); \$config['support_url'] = 'https://power-mailinabox.net/'; \$config['product_name'] = '$PRIMARY_HOSTNAME Webmail'; \$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'persistent_login', 'carddav', 'enigma'); \$config['cipher_method'] = 'AES-256-CBC'; # persistent login cookie and potentially other things \$config['des_key'] = '$SECRET_KEY'; # 37 characters -> ~256 bits for AES-256, see above \$config['skin'] = 'elastic'; \$config['login_autocomplete'] = 2; \$config['login_username_filter'] = 'email'; \$config['password_charset'] = 'UTF-8'; \$config['junk_mbox'] = 'Spam'; /* ensure roudcube session id's aren't leaked to other parts of the server */ \$config['session_path'] = '/mail/'; /* prevent CSRF, requires php 7.3+ */ \$config['session_samesite'] = 'Strict'; \$config['quota_zero_as_unlimited'] = true; EOF mkdir -p ${STORAGE_ROOT}/.enigma/ chmod 700 ${STORAGE_ROOT}/.enigma/ chown www-data:www-data ${STORAGE_ROOT}/.enigma/ # Configure Enigma cat > ${RCM_PLUGIN_DIR}/enigma/config.inc.php < EOF # Configure CardDav cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php < 'ownCloud', 'username' => '%u', // login username 'password' => '%p', // login password 'url' => 'https://${PRIMARY_HOSTNAME}/cloud/remote.php/dav/addressbooks/users/%u/contacts/', 'active' => true, 'readonly' => false, 'refresh_time' => '02:00:00', 'fixed' => array('username','password'), 'preemptive_auth' => '1', 'hide' => false, ); ?> EOF # Create writable directories. mkdir -p /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube chown -R www-data.www-data /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start. sudo -u www-data touch /var/log/roundcubemail/errors.log # Password changing plugin settings # The config comes empty by default, so we need the settings # we're not planning to change in config.inc.dist... cp ${RCM_PLUGIN_DIR}/password/config.inc.php.dist \ ${RCM_PLUGIN_DIR}/password/config.inc.php management/editconf.py ${RCM_PLUGIN_DIR}/password/config.inc.php -c "//" \ "\$config['password_driver'] = 'miab';" \ "\$config['password_minimum_length'] = 8;" \ "\$config['password_miab_url'] = 'http://127.0.0.1:10222/';" \ "\$config['password_miab_user'] = '';" \ "\$config['password_miab_pass'] = '';" # so PHP can use doveadm, for the password changing plugin usermod -a -G dovecot www-data # set permissions so that PHP can use users.sqlite # could use dovecot instead of www-data, but not sure it matters chown root.www-data $STORAGE_ROOT/mail chmod 775 $STORAGE_ROOT/mail chown root.www-data $STORAGE_ROOT/mail/users.sqlite chmod 664 $STORAGE_ROOT/mail/users.sqlite # Fix Carddav permissions: chown -f -R root.www-data ${RCM_PLUGIN_DIR}/carddav # root.www-data need all permissions, others only read chmod -R 774 ${RCM_PLUGIN_DIR}/carddav # Run Roundcube database migration script (database is created if it does not exist) php ${RCM_DIR}/bin/updatedb.sh --dir ${RCM_DIR}/SQL --package roundcube chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite # Enable PHP modules. phpenmod -v php mcrypt imap restart_service php$(php_version)-fpm