ISPMail on RHEL (Part Six)

Roundcube running on a laptop

In the sixth part of this guide, we're going to set up the Roundcube webmail client on AlmaLinux.

This step is not required for a fully functional email server and can be safely skipped; however, I noted that if you or someone who regularly uses your email server is a frequent traveler, this feature is a valuable asset.

WiFi from hotels, airports, or similar providers often blocks the ports used by the IMAP and SMTP protocols or, even worse, your SMTP server is bypassed by the provider's servers. This is very similar to a man-in-the-middle attack and is difficult to detect: I discovered this situation in the UK only because my email server failed the authentication.

The only solution here is to use a web-based email client like Roundcube.

Installation

Unlike on Debian, the Roundcube package on AlmaLinux is complete. On Debian, the openpgp.js file is missing, I suppose because of an incompatibility with Debian licensing; there, the file has to be downloaded and installed manually, otherwise the Enigma plugin won't work.

We already set up the Apache web server in previous steps so we will assume it is up and running.

Note: Nothing prevents you from running Roundcube with other web servers; however, this is outside the scope of these articles.

dnf install -y roundcubemail

This installs the full Roundcube package and all its plugins under the /usr/share/roundcubemail directory. There are no extra files, and all database access configuration for Roundcube must be done manually (unlike on Debian!).

Create a roundcube.conf file under the /etc/httpd/conf.d/ directory to allow Apache to serve Roundcube:

<VirtualHost *:80>
     ServerName webm.example.com
     Redirect permanent / https://webm.example.com/
</VirtualHost>

<VirtualHost *:443>
     ServerName webm.example.com
     DocumentRoot /usr/share/roundcubemail/public_html
     SSLEngine on
     SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

     SSLCipherSuite HIGH:!aNULL:!MD5 
     SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 
     SSLHonorCipherOrder On 
     Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

     ErrorLog /var/log/httpd/roundcube-error.log 
     CustomLog /var/log/httpd/roundcube-access.log combined

     <Directory /usr/share/roundcubemail/public_html>
          Options -Indexes
          AllowOverride All
          Require all granted
     </Directory>

     TraceEnable off

     AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json
</VirtualHost>

<VirtualHost *:443>
     ServerName installer.example.com
     DocumentRoot /usr/share/roundcubemail/installer
     SSLEngine on
     SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>

The first block redirects all unencrypted traffic to https with a permanent redirect. I suppose you won’t browse your email on a clear (unencrypted) page that anyone could sniff.

The second block sets up the webmail server; replace certificate files with your own.

The third block is temporary and must be removed once the setup is completed! It calls the Roundcube installer script that has to be run only once.

The setup is guided and straightforward: just point your browser there and follow the instructions.

In the installer block you can also add the following directive if you have a reverse DNS record pointing to your IP:

Require forward-dns myclient.noip.com

Obviously replace myclient.noip.com with your actual address!

The full documentation of the Require directive can be found in the official Apache documentation.

Once the configuration procedure completes, the settings are written to config.inc.php under the Roundcube client directory.

Once config.inc.php is generated, make sure to edit the following:

$config['db_dsnw'] = 'sqlite:////etc/roundcube/roundcube.db?mode=0640';
$config['default_host'] = 'tls://imap.example.com';
$config['smtp_server'] = 'tls://smtp.example.com';
$config['plugins'] = ['enigma', 'managesieve', 'password'];

Obviously, replace example.com with your actual email server address!
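A post-setup check for the cleanup described above, added here as an example (it is not part of the original article or of Roundcube): it flags a virtual host that still serves the installer directory, an installer left enabled in config.inc.php, and IMAP/SMTP hosts without a tls:// or ssl:// prefix. It assumes Roundcube's enable_installer option; the function names are hypothetical and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit the finished setup. File contents below are constructed samples.

# List DocumentRoot values that still point at the Roundcube installer.
installer_vhosts() {   # $1 = Apache conf file
    awk 'tolower($1) == "documentroot" && $2 ~ /\/installer\/?"?$/ { print $2 }' "$1"
}

# Succeed if config.inc.php turns the installer on (assumed option: enable_installer).
installer_enabled() {  # $1 = config.inc.php
    grep -Eq "^[[:space:]]*[$]config\['enable_installer'[^=]*=[[:space:]]*true" "$1"
}

# List IMAP/SMTP settings whose value is not a tls:// or ssl:// URL.
plaintext_hosts() {    # $1 = config.inc.php
    grep -E "^[[:space:]]*[$]config\['(default_host|smtp_server)'" "$1" |
        grep -Ev "=[[:space:]]*'(tls|ssl)://" || true
}

# Print one FAIL line per finding; return 1 if anything was found.
audit_roundcube() {    # $1 = Apache conf, $2 = config.inc.php
    local out rc=0
    out=$(installer_vhosts "$1")
    [ -z "$out" ] || { echo "FAIL installer still served from: $out"; rc=1; }
    ! installer_enabled "$2" || { echo "FAIL enable_installer is true"; rc=1; }
    out=$(plaintext_hosts "$2")
    [ -z "$out" ] || { echo "FAIL no TLS: $out"; rc=1; }
    return "$rc"
}

# Constructed sample: setup finished, but the temporary pieces were left behind.
demo=$(mktemp -d)
cat > "$demo/roundcube.conf" <<'EOF'
<VirtualHost *:443>
     ServerName installer.example.com
     DocumentRoot /usr/share/roundcubemail/installer
</VirtualHost>
EOF
cat > "$demo/config.inc.php" <<'EOF'
<?php
$config['enable_installer'] = true;
$config['default_host'] = 'tls://imap.example.com';
$config['smtp_server'] = 'smtp.example.com';
EOF
audit_roundcube "$demo/roundcube.conf" "$demo/config.inc.php" || echo "audit found problems"
```

On a real server, call audit_roundcube with /etc/httpd/conf.d/roundcube.conf and the path of your generated config.inc.php.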

Because we chose a SOHO setup, we use SQLite instead of MySQL, so Roundcube saves all its working data in an SQLite file.

We enable three plugins for Roundcube:

  • Enigma — Allows the generation of private/public key pairs to encrypt emails and decrypt once received and manages the public keys of your contacts;
  • Managesieve — Create and edit sieve rules for incoming emails;
  • Password — Allows users to change their own passwords.

A final note on Enigma

The private/public key pairs are stored in /var/lib/roundcubemail/enigma/. When migrating the server or performing backups, don't forget to include this directory.

Note: The Enigma plugin in Roundcube does not require the php-gnupg extension to work. Instead, it relies on the Crypt_GPG PHP library, which invokes the system’s gpg binary directly. This makes the setup more portable and compatible with AlmaLinux, where the PHP extension is often unavailable or not packaged at all. As long as GnuPG is installed and properly configured, the Enigma plugin can manage keys and encrypt/decrypt messages seamlessly.
