Mail Server on Ubuntu 16.04 Part 5

Welcome to Mail Server on Ubuntu 16.04 Part 5. This is the fifth part of a series of blog posts. We will be adding Roundcube, allowing your users to access their email over a secure HTTPS connection from any browser.

Mail Server on Ubuntu 16.04 Part 1
Mail Server on Ubuntu 16.04 Part 2
Mail Server on Ubuntu 16.04 Part 3
Mail Server on Ubuntu 16.04 Part 4

Installing Roundcube

We need to install Roundcube on our mailserver. That in turn needs a web server and PHP; the simplest way to install them is to install the LAMP server package for Ubuntu.

sudo apt-get install lamp-server^ roundcube roundcube-mysql roundcube-plugins \
             roundcube-plugins-extra

During the installation you will be asked a number of questions. The first comes when configuring roundcube-core. The second asks for a password that the Roundcube MySQL user will use. Again, I am using MYSQLPasswd01!. Make a note of whatever you use; you may need it in 6 months' or a year's time, just after you have forgotten what it is. 🙂

  • Configure database for Roundcube with dbconfig-common? Yes
  • MySQL application password for roundcube: MYSQLPasswd01!

MySQL Database Checks

We can now check that Roundcube installed its MySQL database and added the MySQL user correctly. Open a MySQL client prompt and then run the queries shown. The output you see should be similar.

mysql roundcube
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| postfix            |
| roundcube          |  <-- This one is new
| sys                |
+--------------------+
6 rows in set (0.00 sec)
 
mysql> show tables;
+---------------------+
| Tables_in_roundcube |
+---------------------+
| cache               |
| cache_index         |
| cache_messages      |
| cache_shared        |
| cache_thread        |
| contactgroupmembers |
| contactgroups       |
| contacts            |
| dictionary          |
| identities          |
| searches            |
| session             |
| system              |
| users               |
+---------------------+
14 rows in set (0.00 sec)
 
mysql> SELECT Host, USER, authentication_string FROM mysql.user WHERE USER = 'roundcube';
 
+-----------+------------------+-------------------------------------------+
| Host      | USER             | authentication_string                     |
+-----------+------------------+-------------------------------------------+
| localhost | roundcube        | *EDF23DEBCF2DC746F05AA5EFE6FD45BB0151849B |
+-----------+------------------+-------------------------------------------+
1 rows in set (0.00 sec)

Apache2 Server

Getting all the bits for the web interface working is a little tricky, and I hate big bang approaches where everything is installed and configured in the hope it works first time. We will take little steps and test the web server at each step. If yours does not work, none of the following steps will work either. This approach does mean editing and then re-editing the same files a few times.

We installed a LAMP server above. The ‘A’ in LAMP is an Apache2 web server. We need to make a small change to get that to work correctly with Roundcube: uncomment the alias at the top of the Roundcube configuration file.

Personally I believe putting the configuration file in conf-available is wrong. We are configuring a site and therefore the configuration files should be in sites-available. I will leave the files where they are for this post.

nano /etc/apache2/conf-available/roundcube.conf

# Those aliases do not work properly with several hosts on your apache server
# Uncomment them to use it or adapt them to your configuration
Alias /roundcube /var/lib/roundcube

Roundcube Configuration

We need to point Roundcube at our mailserver so the web interface can use the mailserver to send and receive emails. We only need to make a few changes and we are ready to test it out.

nano /etc/roundcube/config.inc.php

Find the following options. The first two should always be localhost, as the webserver and mailserver are running on the same machine. The SMTP HELO host will be whatever domain your mailserver is to be used for. The final change is important: create a string exactly 24 characters long as the des_key. Always change this. There are loads of random password generators on the web; use one of those.

$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';
 
$config['smtp_helo_host'] = 'dragon.lab';
 
// Make sure you change the 24 character string to something else, it must be exactly 24 characters long!
$config['des_key'] = 'AbCdEfGh12345IjKlMn67[}!';
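An added example, not part of the original post: instead of a web-based generator, the 24-character des_key can be produced on the server itself, and the config file checked to confirm it no longer holds the sample value printed above. The function names and the character set are choices made for this example.

```bash
#!/bin/bash
# Added example: create and verify Roundcube's des_key locally.
SAMPLE_KEY='AbCdEfGh12345IjKlMn67[}!'   # the value published in this tutorial
# Left-hand side of the des_key assignment, as a sed pattern.
KEY_LHS="[[:space:]]*[\$]config\['des_key'][[:space:]]*=[[:space:]]*"

# Print 24 random characters from the kernel CSPRNG. The alphabet has no
# quotes, slashes, ampersands or backslashes, so the value is safe inside a
# single-quoted PHP string and inside a sed replacement.
gen_des_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9_.:,+=@%-' < /dev/urandom | head -c 24
}

# Print the des_key currently set in config file $1.
read_des_key() {
    sed -n "s/^${KEY_LHS}'\(.*\)';.*/\1/p" "$1" | head -n 1
}

# 0 = usable, 1 = missing or not 24 characters, 2 = still the sample key.
check_des_key() {
    cur_key=$(read_des_key "$1")
    [ "${#cur_key}" -eq 24 ] || return 1
    [ "$cur_key" != "$SAMPLE_KEY" ] || return 2
}

# Rewrite the des_key line of config file $1 in place with a fresh key.
set_des_key() {
    new_key=$(gen_des_key)
    tmp_file=$(mktemp) || return 1
    sed "s/^\(${KEY_LHS}\)'.*';/\1'${new_key}';/" "$1" > "$tmp_file" \
        && cat "$tmp_file" > "$1"
    status=$?
    rm -f "$tmp_file"
    return "$status"
}

# Usage: bash des_key.sh /etc/roundcube/config.inc.php   (reports only)
if [ "$#" -gt 0 ]; then
    check_des_key "$1" && echo "des_key OK" || echo "des_key needs changing"
fi
```

Changing des_key on a server that is already in use invalidates the passwords Roundcube has encrypted with the old key, so set it before users start logging in.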

Time to take those changes into use and restart the Apache server.

sudo service apache2 restart

You should now be able to load the Roundcube web interface in a browser with http://mailserver/roundcube/. The login will be any user you have added in Mail Server on Ubuntu 16.04 Part 2 as a virtual user. I’m going to use:

fred@dragon.lab
MYSQLPasswd01!

We can now send and receive emails with the web interface from any of our virtual users.

Using A Virtual Web Host

I like to use a virtual web host, which means my users can access the web-based email interface with http://webm.dragon.lab rather than http://mailserver.dragon.lab/roundcube/.
This is reasonably simple to do the second time :-). We will need to make some changes to the Roundcube configuration file.

sudo nano /etc/apache2/conf-available/roundcube.conf

Comment out the alias we uncommented earlier and add the remaining code at the end of the configuration file.

# Alias /roundcube /var/lib/roundcube
 
<VirtualHost *:80>
   ServerAdmin postmaster@dragon.lab
   ServerName webm.dragon.lab
   ServerAlias webm
 
   DocumentRoot /var/lib/roundcube
</VirtualHost>

Take those changes into use and restart the Apache server.

sudo service apache2 restart

Securing Your Web Interface With HTTPS

It is all very well allowing users to access their emails with SSL/TLS if they use a traditional email client. But it is daft not to allow them the same level of privacy if they use the web interface. We will now convert the HTTP access for the web interface into HTTPS.

Self-signed SSL Certificates

We will need an SSL certificate. There are a number of organizations that offer to provide these free of charge and many, many who will charge you for the service. As I personally know all my email users, I can use a self-signed SSL certificate, and for your test server you can do that too. When my users see the big scary message they know to check the certificate and to check with me that it has changed.

All of the following needs to be performed from a root prompt. You can do the following with sudo, but it is more complex and would involve unnecessary hoop jumping.

# Start a root login
sudo -i
cd
touch $HOME/.rnd
nano ssl_config.txt

RANDFILE               = .rnd
 
[ req ]
# 2048-bit RSA key, matching the key size in the openssl output shown below
default_bits           = 2048
distinguished_name     = req_distinguished_name
prompt                 = no
 
[ req_distinguished_name ]
# Country Code for where you or your company are based
C                      = GB
# County or State for you or your company
ST                     = Middle England
# Town where you are based
L                      = Sleepy Village
O                      = Dragons Can Fly
OU                     = IT
CN                     = webm.dragon.lab
emailAddress           = admin at dragon dot org dot uk

The command below creates an SSL certificate valid for 1 year (365 days, ignoring leap years 🙂). We then change the permissions so www-data can read the private key.

openssl req -new -x509 -days 365 -nodes -config ssl_config.txt \
            -out /etc/ssl/certs/roundcube.pem \
            -keyout /etc/ssl/private/roundcube.key

You should see some output similar to the following:

Generating a 2048 bit RSA private key
...........................................++++++
...............++++++
writing new private key to '/etc/ssl/private/roundcube.key'
-----

chmod 640 /etc/ssl/private/roundcube.key
chown root:www-data /etc/ssl/private/roundcube.key
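An added example, not part of the original post: a check that the generated certificate has the key size and CN you expect and that the private key file really belongs to it, run before Apache is pointed at the pair. The function names and the 2048-bit minimum are assumptions of this example.

```bash
#!/bin/bash
# Added example: sanity-check a certificate/key pair with openssl.
MIN_BITS=2048   # assumed minimum RSA key size for this example

# RSA public-key size of certificate $1 in bits.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Common Name of certificate $1 (handles "/CN=x" and "CN = x" output styles).
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeeds only when private key $2 belongs to certificate $1.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_pair CERT KEY EXPECTED_CN
# 0 = good, 1 = key too short or unreadable, 2 = CN mismatch,
# 3 = key does not match certificate, 4 = expires within 30 days.
check_pair() {
    [ "$(cert_bits "$1")" -ge "$MIN_BITS" ] 2>/dev/null || return 1
    [ "$(cert_cn "$1")" = "$3" ] || return 2
    pair_matches "$1" "$2" || return 3
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1 || return 4
}

# Usage: bash check_pair.sh /etc/ssl/certs/roundcube.pem \
#            /etc/ssl/private/roundcube.key webm.dragon.lab
if [ "$#" -eq 3 ]; then
    check_pair "$1" "$2" "$3"; echo "check_pair status: $?"
fi
```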

There is another small change to the Apache web server so that it will use the SSL certificates and allow HTTPS connections to our web interface.

nano /etc/apache2/conf-available/roundcube.conf

The text we added above needs to change to the following:

<VirtualHost *:80>
  ServerAdmin postmaster@dragon.lab
  ServerName webm.dragon.lab
  ServerAlias webm
 
  DocumentRoot /var/lib/roundcube
 
  # Force all http connections to be https
  RewriteEngine on
  RewriteCond %{HTTPS} !^on$ [NC]
  RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
</VirtualHost>
 
<IfModule mod_ssl.c>
        SSLStrictSNIVHostCheck off
 
        <VirtualHost *:443>
            ServerAdmin postmaster@dragon.lab
            ServerName webm.dragon.lab
            ServerAlias webm
 
            DocumentRoot /var/lib/roundcube
 
            SSLEngine on
            SSLCertificateFile      /etc/ssl/certs/roundcube.pem
            SSLCertificateKeyFile   /etc/ssl/private/roundcube.key
 
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                       SSLOptions +StdEnvVars
            </FilesMatch>
        </VirtualHost>
</IfModule>

Make sure that the Apache modules for SSL and rewrite are enabled and then restart the Apache server to set up HTTPS access to Roundcube.

a2enmod rewrite ssl
service apache2 restart

You can exit from the root shell with logout, exit or CTRL-d.

When you access http://webm.dragon.lab you will end up at the Roundcube login screen, but using HTTPS. If you start off with https://… you carry on using HTTPS. Nice, it saves your users from worrying about their own security. If you used a self-signed SSL certificate you will need to accept it when you see the message from your browser.

Roundcube plugins

Roundcube has a lot of plugins already installed from the plugins package. Take a look in the directory /usr/share/roundcube/plugins/.

There are a lot of plugins for Roundcube. Take a look; you may find some that you want to use. Unfortunately most of the plugins do not specify what they do in any detail. The search on the page is utter rubbish, so you have to go through the list one page at a time. 🙁

That brings us to the end of Mail Server on Ubuntu 16.04 Part 5 and the posts on setting up a mailserver on Ubuntu 16.04. It is not perfect, but it is a good starting point for more experimentation. You now have a pretty good mailserver setup. It does not have a firewall. Time to look at learning iptables or get to know firehol.
