3. ROUNDCUBE

Following the above instructions you can install roundcube via apt-get. However following another logic (if you have the time and the courage) you can install roundcube in it's own subdomain, manually.

In "Perfect Server ...." you usually install Squirrelmai. However if you don't want it you can remove it:

apt-get remove squirrelmail

and delete the /etc/apache2/conf.d/squirrelmail.conf:

rm /etc/apache2/conf.d/squirrelmail.conf

OR if you want it edit the /etc/apache2/conf.d/squirrelmail.conf and change the alias to something like 'webmail1'.

Install roundcube. (You MUST have the mysql administrator's password before you proceed -- Let dbconfig-common configure the database. You will be asked some questions about the password of the db administrator and the password of the new user that will be created for roundcube. Answer those questions and continue:

apt-get install roundcube roundcube-mysql

Examle answers:
"Configure database for roundcube with dbconfig-common?" .... Answer Yes
"Database type to be used by roundcube: ...Answer mysql
"Password of the database's administrative user:" ... Answer your-admin-DB-password
"MySQL application password for roundcube:" ... Answer the-password-you-want-to-give-to-the-roundcube-user
"Password confirmation:"... Answer the-password-you-want-to-give-to-the-roundcube-user

If something goes wrong you can always run:

dpkg-reconfigure roundcube-core

For more information, please see this post.

For everyone to be able to access his webmail (under his domain name) you have to create or edit the file /etc/apache2/conf.d/roundcube so as to set the alias to 'webmail'. If you want SSL you should include the last two directives (IfModule mod_rewrite.c) to have apache ALWAYS redirect to your SSL installation of ISPConfig.

nano /etc/apache2/conf.d/roundcube

# Those aliases do not work properly with several hosts on your apache server
# Uncomment them to use it or adapt them to your configuration
#    Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
    Alias /roundcube /var/lib/roundcube
    Alias /webmail /var/lib/roundcube

# Access to tinymce files
<Directory "/usr/share/tinymce/www/">
      Options Indexes MultiViews FollowSymLinks
      AllowOverride None
      Order allow,deny
      allow from all
</Directory>

<Directory /var/lib/roundcube/>
  Options +FollowSymLinks
  # This is needed to parse /var/lib/roundcube/.htaccess. See its
  # content before setting AllowOverride to None.
  AllowOverride All
  order allow,deny
  allow from all
</Directory>

# Protecting basic directories:
<Directory /var/lib/roundcube/config>
        Options -FollowSymLinks
        AllowOverride None
</Directory>

<Directory /var/lib/roundcube/temp>
        Options -FollowSymLinks
        AllowOverride None
        Order allow,deny
        Deny from all
</Directory>

<Directory /var/lib/roundcube/logs>
        Options -FollowSymLinks
        AllowOverride None
        Order allow,deny
        Deny from all
</Directory>

<IfModule mod_rewrite.c>
  <IfModule mod_ssl.c>
    <Location /webmail>
      RewriteEngine on
      RewriteCond %{HTTPS} !^on$ [NC]
      RewriteRule . https://%{HTTP_HOST}:50443%{REQUEST_URI}  [L]
    </Location>
  </IfModule>
</IfModule>

<IfModule mod_rewrite.c>
  <IfModule mod_ssl.c>
    <Location /roundcube>
      RewriteEngine on
      RewriteCond %{HTTPS} !^on$ [NC]
      RewriteRule . https://%{HTTP_HOST}:50443%{REQUEST_URI}  [L]
    </Location>
  </IfModule>
</IfModule>


# For ISPConfig 3.0.5.1 and above, also, add the following

<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .:/usr/share/php:/usr/share/pear
php_admin_value upload_tmp_dir /var/lib/roundcube/temp
php_admin_value open_basedir /usr/share/php:/usr/lib/roundcube:/etc/roundcube:/usr/share/roundcube:/var/lib/roundcube:/var/log/roundcube
php_flag register_globals off
</IfModule> 

Edit /var/lib/roundcube/config/main.inc.php:

nano /var/lib/roundcube/config/main.inc.php

and SET some variables in the file (if this is the first time you edit the file the lines are 60 and 66):

auto_create_user = TRUE;
$rcmail_config['default_host'] = 'localhost';

If you will install the following plugin (the logger that helps fail2ban) you have to extend the list of plugins in the same file. If the only plugin is the one that will be istalled right afterward you have to edit the line (42) as below:

$rcmail_config['plugins'] = array('fail2ban'); 

Install the roundcube logger plugin from http://mattrude.com/projects/roundcube-fail2ban-plugin/.

Basically you have to download the file (fail2ban.php) and paste it in the fail2ban folder in the plugins folder of roundcube. Finally you must have this file:  /usr/share/roundcube/plugins/fail2ban/fail2ban.php. Execute:

cd /usr/share/roundcube/plugins/
wget --no-check-certificate http://github.com/downloads/mattrude/rc-plugin-fail2ban/roundcube-fail2ban-plugin.1.0.tgz
tar -xvzf roundcube-fail2ban-plugin.1.0.tgz
touch /var/log/roundcube/userlogins
chown www-data:www-data /var/log/roundcube/userlogins

This plugin will update the log file with each failed login attempt: /var/log/roundcube/userlogins

Don't forget to edit the link for the webmail in ISPConfig (System -> Interface Config -> (tab) Mail) and set it to /webmail. Lastly, restart apache.

/etc/init.d/apache2 restart

You can now access webmail at http://www.example.com/webmail

4. FAIL2BAN

Extend the jail.local file that falko suggests in The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Courier [ISPConfig 3]: /etc/fail2ban/jail.local

nano /etc/fail2ban/jail.local

You have to append or edit the following:

[roundcube]
enabled  = true
port     = http,50443
filter   = roundcube
logpath  = /var/log/roundcube/userlogins
maxretry = 5

[webmin-auth]
enabled = true
port    = 50000
filter  = webmin-auth
logpath  = /var/log/auth.log
maxretry = 3 

[ssh]
enabled = true
port    = 50022
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

The 50443 port in roundcube is only needed if you enabled the redirection to https (look in the beggining of this tutorial).
The 50000 port in webmin-auth is the changed port (look in the beggining of this tutorial).
The 50022 port in ssh is the changed port (look in the following sections of this tutorial).

Last (and very important) don't forget to create the roundcube.conf file /etc/fail2ban/filter.d/roundcube.conf.

nano /etc/fail2ban/filter.d/roundcube.conf

with the following contents:

[Definition]
failregex = FAILED login for .*. from <host>
ignoreregex =

Lucky us the webmin-auth and the ssh filters are already done for us by the fail2ban itself. Restart fail2ban:

/etc/init.d/fail2ban restart

If someone adds a lot of jails in fail2ban, then some of them may not start (errors in /var/log/fail2ban.log but not in the output !!!). See it by yourself by executing:

iptables -L -n

Unfortunately the solution is a bit of a hack... but at least it is a solution:

In the file /usr/bin/fail2ban-client at line 145 you have to insert time.sleep(0.1) or time.sleep(0.05):

nano /usr/bin/fail2ban-client

So before the change the file looks like this:

[...]
 def __processCmd(self, cmd, showRet = True):
                beautifier = Beautifier()
                for c in cmd:
                        beautifier.setInputCmd(c)
                        try:
[...]

And afterward the file looks like this:

[...]
 def __processCmd(self, cmd, showRet = True):
                beautifier = Beautifier()
                for c in cmd:
                        time.sleep(0.05)
                        beautifier.setInputCmd(c)
                        try:
[...]

Restart again fail2ban:

/etc/init.d/fail2ban restart

You can check that all jails are active with the command:

iptables -L -n