After successful experiments, roundcube is now up and running in two separate instances for customer-facing and internal email client services...
Most people also synchronize their email inboxes by IMAPS with a regular client like Thunderbird, Outlook, or one of the many iOS and Android clients. However, it's good to have a nice-looking webmail client. A few tips that might save others deployment time. I'm copying and pasting from our internal wiki here to save time; these are notes on unique customizations for our intranet roundcube install:

==============================

security for apache2 and roundcube

apache2 sites-available/000-default.conf edited to add "Redirect permanent / https://webmail.domainname.ca", forcing all http port 80 connections to try the server on https port 443.

Verify that apache2 mod_rewrite and mod_autoindex are working with the .htaccess file in the roundcube directory to deny access to roundcube subdirectories! In /etc/apache2/apache2.conf, for directory /var/www/ you need to change AllowOverride None to "AllowOverride All". If you don't do this, the parameters in the roundcube-provided .htaccess file will be ignored, leaving a huge security hole. Also recommended to set this in the apache2 virtualhost configurations:

Edit the settings in default-ssl.conf to reflect the correct servername, serveralias, serveradmin, documentroot and SSL certificate locations on the disk.

Edit to add "SSLProtocol -all +TLSv1.2" to the default-ssl file, disallowing all older forms of SSLv2, SSLv3 and TLS. Allow v1.2 only. People should only be accessing the roundcube httpd using a modern browser.

Configuration lives in /var/www/html/config/config.inc.php. Follow the normal install steps, however: we need to stop php5.6 and roundcube from verifying the SSL certificate of the IMAP server, because we're using a self-signed cert on the postfix/dovecot server. php5.6 and higher by default check the SSL cert against the CA, rejecting it if it's not signed by a root CA.
Add this to the config.inc.php to stop SSL cert verification by PHP:

    // set verify_peer = false to allow connection to smtp server using self signed SSL certificate
    // (verify_depth and cafile are only consulted when verify_peer is true)
    $config['smtp_conn_options'] = array(
        'ssl' => array(
            'verify_peer'  => false,
            'verify_depth' => 3,
            'cafile'       => '/etc/openssl/certs/ca.crt',
        ),
    );

    // IMAP socket context options
    // See http://php.net/manual/en/context.ssl.php
    // set verify_peer = false to allow connection to imap server using self signed SSL certificate
    $config['imap_conn_options'] = array(
        'ssl' => array(
            'verify_peer'  => false,
            'verify_depth' => 3,
            'cafile'       => '/etc/openssl/certs/ca.crt',
        ),
    );
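
With verify_peer = false, roundcube will accept any certificate presented on the IMAP/SMTP connection. The following is an added example, not part of the original wiki notes: it keeps verification on and trusts only a copy of the mail server's own self-signed certificate. The file path and host name are placeholders (assumptions), and the certificate's CN/SAN is assumed to match peer_name.

```php
<?php
// Added example, not from the original notes.
// Placeholders (assumptions): the cafile path and the peer_name host name.
$pinned_ssl = array(
    'verify_peer'      => true,  // validate the certificate against cafile
    'verify_peer_name' => true,  // and check the name in the certificate
    // Copy of the postfix/dovecot server's self-signed certificate (PEM).
    // Because it is self-signed, it acts as its own trust anchor.
    'cafile'           => '/etc/ssl/mailserver/selfsigned.pem',
    // Must match the CN or a SAN entry in that certificate.
    'peer_name'        => 'mail.example.internal',
);

// Same roundcube options as in the notes, with verification left enabled.
$config['imap_conn_options'] = array('ssl' => $pinned_ssl);
$config['smtp_conn_options'] = array('ssl' => $pinned_ssl);

// Pre-flight check: open an implicit-TLS connection (e.g. IMAPS on 993)
// with the same context options roundcube will use. Returns true when the
// handshake and certificate verification succeed; on failure PHP prints
// the OpenSSL warning that explains why.
function tls_check($host, $port, array $ssl)
{
    $ctx = stream_context_create(array('ssl' => $ssl));
    $errno = 0;
    $errstr = '';
    $fp = stream_socket_client(
        "ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx
    );
    if ($fp === false) {
        return false;
    }
    fclose($fp);
    return true;
}

// Command-line use only: php thisfile.php <imap-host>
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo tls_check($argv[1], 993, $pinned_ssl) ? "OK\n" : "FAILED\n";
}
```

Run the check from the command line against the IMAPS port before copying the two $config lines into config.inc.php; leave the function and the CLI block out of the live config.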
