Roundcube

Discussion in 'Installation/Configuration' started by Stefan Schumacher, Jul 29, 2021.

  1. Hello,

    One of my users asked me for roundcube on my new server, which, for those who have read my previous postings, is soon to be finished. I have enabled sensible encryption standards for Email receiving and sending and working DKIM and SPF. Now I would like to use Roundcube. I have followed the perfect server guide, but only get an ERR_SSL_PROTOCOL_ERROR when I try to open one of the three possible URLs specified in the Perfect Server Guide with my default browser Chrome.
    When I open it with a browser which doesn't force SSL on me I get a "Forbidden". The fact that I get an SSL error doesn't surprise me, after all there is no ssl and ssl key and cert in /etc/apache2/conf-enabled/roundcube. I do not entirely understand why roundcube was implemented as a "conf" instead of a vhost like the ISPConfig Application. Can I simply move the conf to sites-available and add listening and ssl lines or will this break something else?

    Yours
    Stefan

    EDIT: Please consider that I will most likely want to do this when roundcube is running:
    https://www.howtoforge.com/install-ispconfig-3-roundcube-plugins-on-debian-10/
     
    Last edited: Jul 29, 2021
  2. Jesse Norell (ISPConfig Developer, Staff Member)

    That is correct, as the ssl certificates are configured per website, not in global config.
    Because it is global configuration, not a vhost definition.
    You could remove the roundcube global configuration and put those directives inside a virtual host definition if you only want it available in that one virtual host.
    What is the (working) URL for your ISPConfig panel? Add "/roundcube" to that and it should work (pending config issues), with https.
     
  3. Hello Jesse,
    I have generated a SSL-Certificate with certbot and added it manually to the ispconfig vhost. I can open the ISPConfig Admin Panel on Port 8080 with SSL.
    I also use the certificate for Postfix and Dovecot (both working)

    https://mail2.consulting1x1.info:8080/roundcube = 403 forbidden.
    I also get this error when I try to open it from the server console with w3m
    w3m http://mail2.consulting1x1.info/roundcube = Forbidden

    https://mail2.consulting1x1.info/roundcube = This Website can't establish a secure connection: ERR_SSL_PROTOCOL_ERROR

    I have these lines in roundcube.conf:
    Alias /roundcube /var/lib/roundcube
    Alias /webmail /var/lib/roundcube

    Everything else is as it was. My roundcube server Version is 1.4.11+dfsg.1-4.
    /var/lib/roundcube has 755 root:root.
    Do you have any idea what I should try next?

    Yours
    Stefan
     
  4. Jesse Norell (ISPConfig Developer, Staff Member)

    This would be a config issue, not a problem with your ssl certificate/setup, so at least on this port/vhost you are making progress.
    The /roundcube path won't work on individual websites out of the box, you would need to configure that. For security reasons you should not configure direct access to roundcube, but rather set /roundcube up as a reverse proxy to the above port 8080 url once that is working.
    Follow the letsencrypt faq (pinned post in the forums here) to troubleshoot why https isn't working on your vhost. I guess I'm assuming this is a vhost, which you didn't state - did you create a website for this in ISPConfig, or is that the server's hostname, and hence you are using the server's default ssl vhost here?
     
  5. > This would be a config issue, not a problem with your ssl certificate/setup, so at least on this port/vhost you are making progress.

    Well, at the moment the directory belongs to root. Should it belong to root or to www-data or possibly roundcube etc.?

    > Follow the letsencrypt faq (pinned post in the forums here) to troubleshoot why https isn't working on your vhost. I guess I'm assuming this is a vhost, which you didn't state - did you create a website for this in ISPConfig, or is that the server's hostname, and hence you are using the server's default ssl vhost here?

    I did not create a new website for roundcube because I wanted to wait for your reply.

    > What is the (working) URL for your ISPConfig panel? Add "/roundcube" to that and it should work (pending config issues), with https.

    mail2.consulting1x1.info:8080 is the path to the Admin Interface. SSL works without a problem, I did not create a new vhost but simply added the certificates generated by certbot to /etc/apache2/sites-enabled/000-ispconfig.vhost. But when I open it with the URL https://mail2.consulting1x1.info:8080/roundcube I get a forbidden - not an SSL-Error.

    I will have a look at the FAQ and see if it can help

    Yours sincerely
    Stefan
     
    Last edited: Aug 4, 2021
  6. Taleman (Well-Known Member, HowtoForge Supporter)

    Your host as given in the URL in #5 has a certificate for the wrong hostname. The actual server hostname is not included in the certificate. Check the certificate in the browser by clicking the left side of the address field.
     
  7. I think running ispconfig's update.php reset my ssl-configuration. But that is not the problem, I simply had to rewrite three lines. Now the server's configuration panel has the right ssl certificate again.
     
  8. till (Super Moderator, Staff Member, ISPConfig Developer)

    Better make your changes update-safe so you don't have to redo them on the next update. What exactly did you change in which file?
     
  9. Hi Till,
    I changed /etc/apache2/sites-enabled/000-ispconfig.vhost around line 65. I added the files I generated with certbot. Since we are talking about keeping modified files after a forced update: I also made some major changes in /etc/postfix/main.cf. How can I keep them?

    Yours
    Stefan
     
  10. Hello Guys

    If you don't mind I would like to go back a few posts and concentrate on roundcube.
    What I want is to open mail2.consulting1x1.info/roundcube and be immediately redirected to the TLS-Version of that Site - no mail reading without TLS! I have reset the configuration to the pre-me-tinkering-around-version with exception of two lines:
    Alias /roundcube /var/lib/roundcube
    Alias /webmail /var/lib/roundcube
    I also deleted my chrome cache:

    http://mail2.consulting1x1.info:8080/roundcube
    Bad Request
    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.

    https://mail2.consulting1x1.info:8080/login/ has valid TLS Certificate!

    https://mail2.consulting1x1.info:8080/roundcube - with valid TLS Certificate
    Forbidden
    You don't have permission to access this resource.

    I am tempted to guess that this is a simple permissions issue - I just don't know which directory and subdirectories to adjust.

    These are the permissions under /var/lib/roundcube/
    lrwxrwxrwx 1 root root 14 17. Mai 20:45 config -> /etc/roundcube
    lrwxrwxrwx 1 root root 23 17. Mai 20:45 .htaccess -> /etc/roundcube/htaccess
    lrwxrwxrwx 1 root root 30 17. Mai 20:45 index.php -> /usr/share/roundcube/index.php
    lrwxrwxrwx 1 root root 19 17. Mai 20:45 logs -> ../../log/roundcube
    drwxr-xr-x 2 root root 4096 22. Jul 13:13 plugins
    lrwxrwxrwx 1 root root 28 17. Mai 20:45 program -> /usr/share/roundcube/program
    drwxr-xr-x 3 root root 4096 22. Jul 13:13 public_html
    drwxr-xr-x 2 root root 4096 22. Jul 13:13 skins
    drwxr-x--- 2 www-data www-data 4096 17. Mai 20:45 temp

    And these are the ones under /usr/share/roundcube
    drwxr-xr-x 7 root root 4096 22. Jul 13:13 .
    drwxr-xr-x 159 root root 4096 2. Aug 16:19 ..
    drwxr-xr-x 2 root root 4096 22. Jul 13:13 bin
    -rw-r--r-- 1 root root 919 17. Mai 20:45 composer.json
    -rw-r--r-- 1 root root 3795 17. Mai 20:45 config.inc.php.sample
    -rw-r--r-- 1 root root 12843 8. Feb 2021 index.php
    drwxr-xr-x 35 root root 4096 22. Jul 13:13 plugins
    drwxr-xr-x 8 root root 4096 22. Jul 13:13 program
    drwxr-xr-x 5 root root 4096 22. Jul 13:13 skins
    drwxr-xr-x 7 root root 4096 22. Jul 13:13 SQL


    https://mail2.consulting1x1.info/roundcube says it has no TLS-Certificate - no wonder, the conf-file has no certificate in it.

    How can I achieve my goal (Roundcube with TLS only, ideally under the easier URL mail2.consulting1x1.info/roundcube) without having to manually configure a vhost which might get overwritten after the next reconfiguration?

    Yours faithfully and a sincere thank you for all the support I get here.

    Stefan
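
Added example, not part of the original posts: a sketch of the setup suggested in post #4 combined with the TLS-only goal from post #10. Port 80 only redirects, and port 443 proxies /roundcube to the ISPConfig vhost on port 8080. The certificate paths are placeholders, the CA bundle path is the Debian default, the modules ssl, proxy, proxy_http and headers are assumed to be enabled, and the port 8080 URL must already serve Roundcube for this to work.

```apache
# Added example (not from the thread). Certificate paths are placeholders.
# Assumes: a2enmod ssl proxy proxy_http headers

# Port 80 never serves webmail content; it only redirects to HTTPS.
<VirtualHost *:80>
    ServerName mail2.consulting1x1.info
    Redirect permanent /roundcube https://mail2.consulting1x1.info/roundcube
    Redirect permanent /webmail   https://mail2.consulting1x1.info/roundcube
</VirtualHost>

<VirtualHost *:443>
    ServerName mail2.consulting1x1.info

    SSLEngine on
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # Browsers that have seen this header refuse plain HTTP for this host.
    Header always set Strict-Transport-Security "max-age=31536000"

    # The backend on port 8080 speaks TLS itself, so the proxy must too.
    # It is addressed by hostname so the certificate name check can pass.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Forward /roundcube to the ISPConfig vhost instead of exposing
    # /var/lib/roundcube directly in this vhost.
    ProxyPass        /roundcube https://mail2.consulting1x1.info:8080/roundcube
    ProxyPassReverse /roundcube https://mail2.consulting1x1.info:8080/roundcube
</VirtualHost>
```

After enabling the site, `apachectl configtest` checks the syntax before a reload.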
     
  11. till (Super Moderator, Staff Member, ISPConfig Developer)

    What you might do is this:

    1) Create a new website like webmail.consulting1x1.info on your server and a new MySQL database user and database in ISPConfig. Enable SSL with Let's Encrypt for it.
    2) Download latest RoundCube from roundcube website and install it into this website.
    3) Set the webmail URL to https://webmail.consulting1x1.info under System > Interface > main config in ISPConfig.

    Benefits:

    - Your webmail is independent of other websites and accessible only under this one URL.
    - You get the latest Roundcube version (the packages of the OS are likely a bit dated).
    - You have no conflicts with ISPConfig updates or SSL cert updates of the server's main SSL cert.

    Nonetheless, here are the instructions to get your current setup update-safe: ISPConfig has folders /usr/local/ispconfig/server/conf-custom/ and /usr/local/ispconfig/server/conf-custom/install/. Copy the templates of the config files you altered from /usr/local/ispconfig/server/conf/ to /usr/local/ispconfig/server/conf-custom/install/ and alter them according to your needs and copy the templates of the installer files you changed from install/tpl/ of the ISPConfig tar.gz to /usr/local/ispconfig/server/conf-custom/install/ and alter them there. Drawback of custom configs is of course that you don't get updated configs automatically anymore, so you have to compare templates then to see if your customized config needs an update to work with a new ISPConfig version.
     
  12. I am going to split off the "keep custom configurations safe" - and make a separate posting out of it. It will make the thread more accessible and after all we are talking about two different topics.
     
