Mail Server on Ubuntu 18.04 Part 5

Welcome to Mail Server on Ubuntu 18.04 Part 5. This is the fifth part of a series of blog posts. We will be adding Roundcube, allowing your users to access their email over a secure HTTPS connection from any browser. We will also briefly talk about monitoring.

Mail Server on Ubuntu 18.04 Part 1
Mail Server on Ubuntu 18.04 Part 2
Mail Server on Ubuntu 18.04 Part 3
Mail Server on Ubuntu 18.04 Part 4

Installing Roundcube

We need to install Roundcube to our mailserver. That in turn needs a web server and PHP, the simplest way to install them is to install the LAMP server package for Ubuntu.

sudo apt install lamp-server^ roundcube roundcube-mysql roundcube-plugins

During the installation you will be asked a number of questions, the first is when configuring roundcube-core. The second is asking for a password that the Roundcube MySQL user will use. Again, I am using MYSQLPasswd01!. Make a note of whatever you use, you may need it in 6 months or a years time just after you have forgotten what it was. 🙂

  • Configure database for Roundcube with dbconfig-common? Yes
  • Database type to be used by roundcube: MySQL
  • MySQL application password for roundcube: MYSQLPasswd01!

MySQL Database Checks

We can now check that Roundcube installed its MySQL database and added the MySQL user correctly. Open a MySQL client prompt and them run the queries shown. The output you see should be similar.

sudo mysql roundcube
mysql> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| postfix            |
| roundcube          |  ==-- This one is new
| sys                |
+--------------------+
6 rows in set (0.00 sec)
 
mysql> SHOW TABLES;
+---------------------+
| Tables_in_roundcube |
+---------------------+
| cache               |
| cache_index         |
| cache_messages      |
| cache_shared        |
| cache_thread        |
| contactgroupmembers |
| contactgroups       |
| contacts            |
| dictionary          |
| identities          |
| searches            |
| session             |
| system              |
| users               |
+---------------------+
14 rows in set (0.00 sec)
 
mysql> SELECT Host, USER, authentication_string FROM mysql.user WHERE USER = 'roundcube';
 
+-----------+------------------+-------------------------------------------+
| Host      | USER             | authentication_string                     |
+-----------+------------------+-------------------------------------------+
| localhost | roundcube        | *EDF23DEBCF2DC746F05AA5EFE6FD45BB0151849B |
+-----------+------------------+-------------------------------------------+
1 rows in set (0.00 sec)

Apache2 Server

Getting all the bits for the web interface working is a little tricky and I hate big bang approaches, where everything is installed and configured in the hope it works first time. We will do little steps and test the web server at each step. If yours does not work, none of the following steps will work either. This approach does mean editing and the re-editing the same files a few times. But that also means we will have better understanding of how we get to our goal. For those in the Sales and Bullshit Marketing department, it means we learn how to do something new :-).

The LAMP server package was installed above. A small change to the config file to get that to work correctly with Roundcube. We need to uncomment the alias as the top of the Roundcube configuration file.

sudo nano /etc/apache2/conf-available/roundcube.conf
 Those aliases do not work properly with several hosts on your apache server
# Uncomment them to use it or adapt them to your configuration
Alias /roundcube /var/lib/roundcube

Roundcube Configuration

We need to point Roundcube at our mailserver so the web interface can use the mailserver to send and receive emails. For that we only need to make a few changes and we are ready to test it out.

nano /etc/roundcube/config.inc.php

Find the following options. The first two should always be localhost as the webserver and mailserver are running on the same machine.
default_host and smtp_server should both be changed to “talk tls” set them to ‘tls://%n’. smtp_port we should set to 587 as we have STARTTLS enabled.

The final change is important, create a string exactly 24 characters long as the des_key. Always change this. Just search the internet for random password generator and use one of those. You should end up with something like this ‘^G6R@R^Rn#Fu!Lj2=aSMZ!nP’ but do not use this one 🙂

Add the smtp_helo_host to the end of the file it should contain the domain for your mailserver.

$config['default_host'] = 'tls://%n';
$config['smtp_server'] = 'tls://%n';
$config['smtp_port'] = 587;
 
Make sure you change the 24 character string to something else,
# it must be exactly 24 characters long! upper case lower case 
# numbers and special characters should be included.
$config['des_key'] = 'AbCdEfGh12345IjKlMn67[}!';
 
$config['smtp_helo_host'] = 'dragon.lab';

Time to take those changes into use and restart the Apache server.

sudo systemctl restart apache2.service

We need to make sure that encryption may be used check that the line in master.cf in commented out smtpd_tls_auth_only=yes and that it is not present in main.cf in the /etc/postfix directory. If you followed through Mail Server on Ubuntu 18.04 Part 2 then it should be.

Connecting With Roundcube

You should now be able to load the Roundcube web interface in a browser with http://mailserver/roundcube/. The login will be any user you have added in Mail Server on Ubuntu 18.04 Part 2 as a virtual user. I’m going to use fred.

fred@dragon.lab
MYSQLPasswd01!

If all went well you can now send and receive emails with the web interface from any of our virtual users.

It is worth noting that, if you were using Evolution with POP3 to send/receive test emails there will be no emails in your inbox or sent boxes. This is because Evolution will have deleted them from the server. Roundcube is IMAP and leaves all your data on the sever. It does not store the data on the local machine.

Using A Virtual Web Host

I like to use a virtual web host, which means my users can access the web base emails interface with http://webm.dragon.lab rather than http://mailserver.dragon.lab/roundcube/.
This is reasonably simple to do the second time :-). We will need to disable the Roundcube configuration file. The create a new site file including the contents from the Round cube config file.

sudo nano /etc/apache2/conf-available/roundcube.conf

Comment the alias we uncommented out earlier and add the remaining code at the end of the configuration file.

# Alias /roundcube /var/lib/roundcube

Save that change and exit the editor. Disable the config file as it is not needed as global configuration.

sudo a2disconf roundcube

Create a new site file called roundcube.conf would be good. Copy the contents of the Roundcube configuration file. Finally at the very end of the file add a closing VirtualHost tag.

sudo nano /etc/apache2/sites-available/roundcube.conf

At the very top add the following:

<VirtualHost *:80>
   ServerAdmin postmaster@dragon.lab
   ServerName webm.dragon.lab
   ServerAlias webm
 
   DocumentRoot /var/lib/roundcube
   Include /etc/apache2/conf-available/roundcube.conf
</VirtualHost>
Please note we are now including the configuration for Roundcube here. We should therefore disable its config from conf-enabled.

Save those changes, and enable the site file. To take those changes into use restart the Apache server.

sudo a2disconf roundcube
sudo a2ensite roundcube
sudo systemctl restart apache2.service

You should now be able to use http://webmail.dragon.lab to get to the web interface that is Roundcube.

Securing Your Web Interface With HTTPS

It is all very well allowing users to access their emails with SSL/TLS if they use a traditional email client. But it is daft not allowing them to have the same privacy levels if they use the web interface. We will now convert the HTTP access for the web interface into HTTPS.

Self-signed SSL Certificates

We will need a SSL certificate, there are a number of organizations that offer to provide these free of charge and many many who will charge you for the service. For this post I will be using SSL certificates from Lets Encrypt. They have very good documentation, so there is no need to go through that all again. If you want to use self-signed SSL certificates you can follow this post. For the test server either will do.

Applying the Certificates

There is another small change to the Apache web server so that it will use the SSL certificates and allow HTTPS connections to our web interface.

nano /etc/apache2/sites-available/roundcube.conf

Change your Roundcube file so it looks like the one below. You will need to update the paths for the certificates. The first virtual machine on port 80 catches traffic that was directed to http://webm.dragon.lab and points it over to HTTPS. The second virtual machine is for HTTPS.

<VirtualHost *:80>
  ServerAdmin postmaster@dragon.lab
  ServerName webm.dragon.lab
  ServerAlias webm
 
  # Force all http connections to be https
  <IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteCond %{SERVER_NAME} =webm.dragon.lab
      RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
  </IfModule> 
</VirtualHost>
 
<IfModule mod_ssl.c>
        SSLStrictSNIVHostCheck off
 
        <VirtualHost *:443>
            ServerAdmin postmaster@dragon.lab
            ServerName webm.dragon.lab
            ServerAlias webm
 
            DocumentRoot /var/lib/roundcube
            Include /etc/apache2/conf-available/roundcube.conf
 
            SSLEngine on
            SSLCertificateFile /etc/letsencrypt/live/webm.dragon.lab/fullchain.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/webm.dragon.lab/privkey.pem
            Include /etc/letsencrypt/options-ssl-apache.conf  
 
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                       SSLOptions +StdEnvVars
            </FilesMatch>
        </VirtualHost>
</IfModule>

Make sure that the Apache modules for SSL and rewrite are enabled and then restart the Apache server to setup the HTTPS access to Roundcube.

sudo a2enmod rewrite ssl
sudo systemctl restart apache2.service

By using http://webm.dragon.lab you will end up at the Roundcube login screen but using HTTPS. When you start off with https://… you carry on using HTTPS. Nice, saves your users from worrying about their own security. If you used a self-signed SSL certificate you will need to accept it, when you a see the message from your browser.

Roundcube plugins

Roundcube has a lot of plugins already installed from the plugins package. Take a look in the directory /usr/share/roundcube/plugins/.

There are a lot of plugins for Roundcube take a look you may find some that you want to use. Unfortunately most of the plugins do not specify what they do in any detail. The search on the page is utter rubbish so you have to go through the list one page at a time. 🙁

Monitoring Mailserver

Now you have a mailserver and have gone to the effort of stopping spam. It is a good idea to monitor that it is working correctly.

pflogsumm

There is a tool, pflogsumm, which looks at your /var/log/mail.log and pulls out a lot of information. The output can be massive but it is well worth looking at. See the man page for more details.

sudo apt install pflogsumm

To get a report out in its simplest form just run:

sudo pflogsumm /var/log/mail.log > pflogsumm.txt

Create a cron job to run once a month/week/day is simple enough.

Mailgraph

Mailgraph is another simple to install monitoring program.

sudo apt install mailgraph

Apache Config

Add the following to a convenient Apache Virtual host file. This configuration also locks the use down to the network 10.1.200.0/24.

            ##############################
            # AWStats
            # https://dragon.lab/awstats/awstats.pl
            ##############################
            Alias /awstatsclasses "/usr/share/awstats/lib/"
            Alias /awstats-icon/ "/usr/share/awstats/icon/"
            Alias /awstatscss "/usr/share/doc/awstats/examples/css"
            ScriptAlias /awstats/ /usr/lib/cgi-bin/
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            <Directory /usr/lib/cgi-bin/>
                  AllowOverride None
                  <RequireAny>
                      Require ip 10.1.200.0/24
                      Require ip 127.0.0.1
                  </RequireAny>
            </Directory>
            <Directory /usr/share/awstats/>
                  <RequireAny>
                      Require ip 10.1.200.0/24
                      Require ip 127.0.0.1
                  </RequireAny>
            </Directory>
            ##############################

Remember to restart the apache web server.

sudo systemctl restart apache2.service

There is nothing else to setup or configure, just load the web page with https://dragon.lab/awstats/awstats.pl. There should be stats already there waiting for you.

Awstats

Installing AWstats is a little more complex so I wrote a post specifically for
Installing AWstats on Ubuntu 18.04

Again the output can be log but is interesting to see.

That brings us to an end of Mail Server on Ubuntu 18.04 Part 5 and all the posts to setup a mailserver on Ubuntu 18.04. It is not perfect but it a good starting point for more experimentation. You now have a pretty good mailserver setup.

One major missing part is a firewall. Time to look at learning iptables or get to know firehol.

I hope this was useful.

Leave a Reply

Your email address will not be published. Required fields are marked *