Webmail with Roundcube on CentOS 7.x
If you only need a webmailer rather than a groupware solution such as Horde, the Roundcube webmailer is a good choice. It is simple and quick to install and is notable for its robustness.
Installation
Prerequisites and dependencies
For the installation of the webmailer we still need a few PHP packages, which we can install easily with yum thanks to the integration of the epel repository. In detail these are the following packages:
- php-pspell
- aspell-de
- php-mcrypt
- GraphicsMagick
# yum install php-pspell aspell-de php-mcrypt GraphicsMagick -y
For German spell checking there is (not yet) 1) no RPM in the EPEL repository for CentOS 7.x. The mailserver.guru repository fills this gap. Once the mailserver.guru repository has been included, the package aspell-de is installed automatically by the yum call above.
Alternatively, the package can of course also be installed manually. To do this we download the package aspell-de-20030222-1.el7.centos.x86_64.rpm to our machine.
# cd /usr/local/src/packages/
# wget http://repo.mailserver.guru/7/x86_64/aspell-de-20030222-1.el7.centos.x86_64.rpm
We then install this RPM with yum.
# yum localinstall --nogpgcheck aspell-de-20030222-1.el7.centos.x86_64.rpm
As always, the call rpm -qil <package name> shows what each individual package has brought into the system.
Installing roundcube
Installing Roundcube itself is no rocket science: we only need to install the corresponding RPM package with yum.
# yum install roundcubemail -y
Configuration
Apache config from the RPM
Since we want to serve the webmailer from its own vHost rather than from a subdirectory configuration, we comment out the contents of the Apache configuration file /etc/httpd/conf.d/roundcubemail.conf.
# vim /etc/httpd/conf.d/roundcubemail.conf
- /etc/httpd/conf.d/roundcubemail.conf
##
## Round Cube Webmail is a browser-based multilingual IMAP client
##
#
#Alias /roundcubemail /usr/share/roundcubemail
#
## Define who can access the Webmail
## You can enlarge permissions once configured
#
#<Directory /usr/share/roundcubemail/>
#    <IfModule mod_authz_core.c>
#        # Apache 2.4
#        Require local
#    </IfModule>
#    <IfModule !mod_authz_core.c>
#        # Apache 2.2
#        Order Deny,Allow
#        Deny from all
#        Allow from 127.0.0.1
#        Allow from ::1
#    </IfModule>
#</Directory>
#
## Define who can access the installer
## keep this secured once configured
#
#<Directory /usr/share/roundcubemail/installer/>
#    <IfModule mod_authz_core.c>
#        # Apache 2.4
#        Require local
#    </IfModule>
#    <IfModule !mod_authz_core.c>
#        # Apache 2.2
#        Order Deny,Allow
#        Deny from all
#        Allow from 127.0.0.1
#        Allow from ::1
#    </IfModule>
#</Directory>
#
## Those directories should not be viewed by Web clients.
#<Directory /usr/share/roundcubemail/bin/>
#    Order Allow,Deny
#    Deny from all
#</Directory>
#<Directory /usr/share/roundcubemail/plugins/enigma/home/>
#    Order Allow,Deny
#    Deny from all
#</Directory>
Apache vHost
For our webmailer we now set up a suitable vHost. In the configuration directory of our Apache web server we create a new vHost configuration file.
# vim /etc/httpd/conf.d/vhost_443_roundcubemail.conf
- /etc/httpd/conf.d/vhost_443_roundcubemail.conf
#
# roundcubemail.sec-mail.guru
#
<VirtualHost *:80>
    ServerAdmin webmaster@nausch.org
    ServerName roundcubemail.sec-mail.guru
    ServerPath /
    <Location />
        Options -Indexes +FollowSymLinks
        Require all granted
    </Location>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    DirectoryIndex index.php
    ErrorLog logs/roundcubemail_error.log
    CustomLog logs/roundcubemail_access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@nausch.org
    ServerName roundcubemail.sec-mail.guru
    ServerPath /
    DocumentRoot "/usr/share/roundcubemail"

    # Django
    # Required, because there is a host with same ServerName and
    # ServerAlias LISTENING ON PORT 80, - and if these lines are
    # not present, and .htaccess-Files or LDAP-Access is enabled
    # for one or more Directory the host on PORT 443 and PORT 80
    # will ASK for .htaccess ord LDAP-Access, so please remember
    # ----------------------------------------------------------
    # -- DO NOT DELETE THE FOLLOWING LINES, STARTING WITH SSL --
    # -- WHEN USING .htaccess or LDAP-Access!                 --
    # ----------------------------------------------------------
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/private/CAcert-class3-wildcard.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    SSLCertificateChainFile /etc/pki/tls/private/CAcert_chain.crt

    # Define who can access the Webmail
    # You can enlarge permissions once configured
    <Directory /usr/share/roundcubemail/>
        <IfModule mod_authz_core.c>
            # before configuration
            Require local
            # after configuration
            # Require all granted
        </IfModule>
    </Directory>

    # Define who can access the installer
    # keep this secured once configured
    <Directory /usr/share/roundcubemail/installer/>
        <IfModule mod_authz_core.c>
            # while configuration
            Require host nausch.org
            # after configuration
            # Require local
        </IfModule>
    </Directory>

    # Those directories should not be viewed by Web clients.
    <Directory /usr/share/roundcubemail/bin/>
        Require all denied
    </Directory>
    <Directory /usr/share/roundcubemail/plugins/enigma/home/>
        Require all denied
    </Directory>

    DirectoryIndex index.php
    # log files named for this vHost (the original page carried the
    # postfixadmin_* names here, a copy-and-paste slip from another vHost)
    ErrorLog logs/roundcubemail_error.log
    CustomLog logs/roundcubemail_access.log combined
</VirtualHost>
Important:
As long as our vHost is not yet in production and has not been fully configured, we keep access to the vHost restricted. The Apache vHost above already takes this into account!
Only once configuration is complete do we open the vHost to our users; to do this we change the Directory directives as follows:
...
    # Define who can access the Webmail
    # You can enlarge permissions once configured
    <Directory /usr/share/roundcubemail/>
        <IfModule mod_authz_core.c>
            # before configuration
            # Require local
            # after configuration
            Require all granted
        </IfModule>
    </Directory>

    # Define who can access the installer
    # keep this secured once configured
    <Directory /usr/share/roundcubemail/installer/>
        <IfModule mod_authz_core.c>
            # while configuration
            # Require host 10.0.0
            # after configuration
            Require local
        </IfModule>
    </Directory>
...
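A small check script, added here as an example and not part of the original page, that verifies the two states of the vHost described above: after configuration the installer directory must again be limited to Require local, and the SSL lines should no longer enable SSLv3 or RC4 suites (both deprecated since this page was written, see RFC 7568 and RFC 7465). The two configuration snippets embedded in the script are constructed samples; the functions accept any Apache configuration file as their argument.

```shell
#!/bin/bash
# Added example, not part of the original page: lint a Roundcube vHost file
# for the access-control state of the installer directory and for the
# SSLv3/RC4 settings.  Both check functions take an Apache config file as $1.

# Print the active (uncommented) Require lines inside one <Directory> block.
active_requires() {            # $1 = config file, $2 = directory path
    awk -v dir="$2" '
        $1 == "<Directory" && $2 == (dir ">") { inblk = 1; next }
        inblk && $1 == "</Directory>"         { inblk = 0 }
        inblk && $1 == "Require"              { sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# 0 when the installer is limited to local access or denied outright,
# 1 when it is opened to a host/network or has no active rule at all.
check_installer_locked() {     # $1 = config file
    local rules
    rules=$(active_requires "$1" "/usr/share/roundcubemail/installer/")
    case "$rules" in
        *"Require all granted"*|*"Require host"*|*"Require ip"*) return 1 ;;
        *"Require local"*|*"Require all denied"*)               return 0 ;;
        *)                                                      return 1 ;;
    esac
}

# 0 when SSLProtocol does not re-enable SSLv3 and no RC4 suite is offered.
check_tls_settings() {         # $1 = config file
    ! grep -Eq '^[[:space:]]*SSLProtocol.*\+SSLv3' "$1" &&
    ! grep -Eq '^[[:space:]]*SSLCipherSuite.*RC4' "$1"
}

# Constructed sample 1: the "while configuration" state of the vHost above.
DURING_CFG=$(mktemp)
cat > "$DURING_CFG" <<'EOF'
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite EECDH+AES256:EECDH+RC4:!aNULL
    <Directory /usr/share/roundcubemail/installer/>
        <IfModule mod_authz_core.c>
            Require host nausch.org
            # Require local
        </IfModule>
    </Directory>
EOF

# Constructed sample 2: the "after configuration" state, SSLv3/RC4 removed.
AFTER_CFG=$(mktemp)
cat > "$AFTER_CFG" <<'EOF'
    SSLProtocol -ALL +TLSv1.2
    SSLCipherSuite EECDH+AES256:DHE+AES256:!aNULL
    <Directory /usr/share/roundcubemail/installer/>
        <IfModule mod_authz_core.c>
            # Require host nausch.org
            Require local
        </IfModule>
    </Directory>
EOF

for f in "$DURING_CFG" "$AFTER_CFG"; do
    if check_installer_locked "$f"; then echo "$f: installer locked"; else echo "$f: installer REACHABLE"; fi
    if check_tls_settings "$f";     then echo "$f: TLS ok";           else echo "$f: SSLv3/RC4 enabled"; fi
done
```

Run it against the real file with check_installer_locked /etc/httpd/conf.d/vhost_443_roundcubemail.conf once the "after configuration" lines are active; a non-zero exit means the installer is still reachable from outside.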
Before we start our web server so that the new vHost can be served, we check the configuration for syntax errors.
# apachectl -t
If everything is O.K., nothing stands in the way of reloading the Apache httpd.
# systemctl reload httpd.service
If we want to verify the reload, we query the status of the web server.
# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Tue 2014-09-09 18:26:47 CEST; 3h 48min ago
  Process: 20019 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
  Process: 20368 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
 Main PID: 20024 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─20024 /usr/sbin/httpd -DFOREGROUND
           ├─20372 /usr/sbin/httpd -DFOREGROUND
           ├─20373 /usr/sbin/httpd -DFOREGROUND
           ├─20374 /usr/sbin/httpd -DFOREGROUND
           ├─20375 /usr/sbin/httpd -DFOREGROUND
           └─20376 /usr/sbin/httpd -DFOREGROUND

Sep 09 22:15:07 vml000097.dmz.nausch.org systemd[1]: Reloading The Apache HTTP Server.
Sep 09 22:15:07 vml000097.dmz.nausch.org systemd[1]: Reloaded The Apache HTTP Server.
Installation/configuration documentation
The RPM contains detailed documentation on configuring roundcubemail.
# cat /usr/share/doc/roundcubemail-1.0.2/INSTALL
- /usr/share/doc/roundcubemail-1.0.2/INSTALL
INTRODUCTION
============
This file describes the basic steps to install Roundcube Webmail on your
web server. For additional information, please also consult the project's
wiki page at http://trac.roundcube.net/wiki

REQUIREMENTS
============
* The Apache, Lighttpd, Cherokee or Hiawatha web server
* .htaccess support allowing overrides for DirectoryIndex
* PHP Version 5.2.1 or greater including
   - PCRE, DOM, JSON, XML, Session, Sockets (required)
   - PHP Data Objects (PDO) with driver for either MySQL, PostgreSQL or SQLite (required)
     Note: MySQL database driver requires PHP 5.3.7 or newer.
   - Libiconv (required)
   - Multibyte String (mbstring)
   - Mcrypt (supporting Triple DES)
   - Fileinfo (optional)
   - Zip (recommended)
* PEAR packages distributed with Roundcube or external:
   - Mail_Mime 1.8.1 or newer
   - Mail_mimeDecode 1.5.5 or newer
   - Net_SMTP (latest from https://github.com/pear/Net_SMTP/)
   - Net_IDNA2 0.1.1 or newer
   - Auth_SASL 1.0.6 or newer
   - Net_Sieve 1.3.2 or newer (for managesieve plugin)
   - Crypt_GPG 1.2.0 or newer (for enigma plugin)
* php.ini options (see .htaccess file):
   - error_reporting E_ALL & ~E_NOTICE (or lower)
   - memory_limit > 16MB (increase as suitable to support large attachments)
   - file_uploads enabled (for attachment upload features)
   - session.auto_start disabled
   - zend.ze1_compatibility_mode disabled
   - suhosin.session.encrypt disabled
   - mbstring.func_overload disabled
   - magic_quotes_runtime disabled
   - magic_quotes_sybase disabled
   - register_globals disabled (PHP < 5.4)
* PHP compiled with OpenSSL to connect to IMAPS and to use the spell checker
* A MySQL (4.0.8 or newer), PostgreSQL, MS SQL Server (2005 or newer)
  database engine or SQLite support in PHP
* One of the above databases with permission to create tables
* An SMTP server (recommended) or PHP configured for mail delivery

INSTALLATION
============
1. Decompress and put this folder somewhere inside your document root
2. Make sure that the following directories (and the files within)
   are writable by the webserver
   - /temp
   - /logs
3. Create a new database and a database user for Roundcube (see DATABASE SETUP)
4. Point your browser to http://url-to-roundcube/installer/
5. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
6. After creating and testing the configuration, remove the installer directory
7. Check Known Issues section of this file
8. Done!

CONFIGURATION HINTS
===================
Roundcube writes internal errors to the 'errors' log file located in the logs
directory which can be configured in config/config.inc.php. If you want
ordinary PHP errors to be logged there as well, enable the 'php_value error_log'
line in the .htaccess file and set the path to the log file accordingly.

By default the session_path settings of PHP are not modified by Roundcube.
However if you want to limit the session cookies to the directory where
Roundcube resides you can uncomment and configure the according line in the
.htaccess file.

DATABASE SETUP
==============
Note: Database for Roundcube must use UTF-8 character set.

* MySQL
-------
Setting up the mysql database can be done by creating an empty database,
importing the table layout and granting the proper permissions to the
roundcube user. Here is an example of that procedure:

# mysql
> CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost
        IDENTIFIED BY 'password';
> quit

# mysql roundcubemail < SQL/mysql.initial.sql

Note 1: 'password' is the master password for the roundcube user. It is strongly
recommended you replace this with a more secure password. Please keep in
mind: You need to specify this password later in 'config/db.inc.php'.

* SQLite
--------
Versions of sqlite database engine older than 3 aren't supported.
Database file and structure is created automatically by Roundcube.
Make sure your configuration points to some file location and that the
webserver can write to the file and the directory containing the file.

* PostgreSQL
------------
To use Roundcube with PostgreSQL support you have to follow these
simple steps, which have to be done as the postgres system user (or
which ever is the database superuser):

$ createuser -P roundcube
$ createdb -O roundcube -E UNICODE roundcubemail
$ psql -U roundcube -f SQL/postgres.initial.sql roundcubemail

Note: in some system configurations you might need to add '-U postgres'
to createuser and createdb commands.

* Microsoft SQL Server
----------------------
Language/locale of the database must be set to us_english (1033).
More info on this at http://trac.roundcube.net/ticket/1488918.

Database cleaning
-----------------
To keep your database slick and clean we recommend to periodically execute
bin/cleandb.sh which finally removes all records that are marked as deleted.
Best solution is to install a cronjob running this script daily.

MANUAL CONFIGURATION
====================
First of all, copy the sample configuration file config/config.inc.php.sample
to config/config.inc.php and make the necessary adjustments according to your
environment and your needs. More configuration options can be copied from the
config/defaults.inc.php file into your local config.inc.php file as needed.
Read the comments above the individual configuration options to find out what
they do or read http://trac.roundcube.net/wiki/Howto_Install for even more
guidance.

You can also modify the default .htaccess file. This is necessary to increase
the allowed size of file attachments, for example:
  php_value upload_max_filesize 2M

UPGRADING
=========
If you already have a previous version of Roundcube installed,
please refer to the instructions in UPGRADING guide.

OPTIMISING
==========
There are two forms of optimisation here, compression and caching, both aimed
at increasing an end user's experience using Roundcube Webmail. Compression
allows the static web pages to be delivered with less bandwidth. The index.php
of Roundcube Webmail already enables compression on its output. The settings
below allow compression to occur for all static files. Caching sets HTTP
response headers that enable a user's web client to understand what is static
and how to cache it. The caching directives used are:

* Etags - sets at tag so the client can request is the page has changed
* Cache-control - defines the age of the page and that the page is 'public'
  This enables clients to cache javascript files that don't have private
  information between sessions even if using HTTPS. It also allows proxies
  to share the same cached page between users.
* Expires - provides another hint to increase the lifetime of static pages.

For more information refer to RFC 2616.

Side effects:
-------------
These directives are designed for production use. If you are using this in a
development environment you may get horribly confused if your webclient is
caching stuff that you changed on the server. Disabling the expires parts
below should save you some grief. If you are changing the skins, it is
recommended that you copy content to a different directory apart from
'default'.

Apache:
-------
To enable these features in apache the following modules need to be enabled:
* mod_deflate
* mod_expires
* mod_headers

The optimisation is already included in the .htaccess file in the top
directory of your installation. If you are using Apache version 2.2.9 and
later, in the .htaccess file change the 'append' word to 'merge' for a more
correct response. Keeping as 'append' shouldn't cause any problems though
changing to merge will eliminate the possibility of duplicate 'public'
headers in Cache-control.

Lighttpd:
---------
With Lightty the addition of Expire: tags by mod_expire is incompatible with
the addition of "Cache-control: public". Using Cache-control 'public' is used
below as it is assumed to give a better caching result.

Enable modules in server.modules:
  "mod_setenv"
  "mod_compress"

Mod_compress is a server side cache of compressed files to improve its
performance.

$HTTP["host"] == "www.example.com" {
  static-file.etags = "enable"
  # http://redmine.lighttpd.net/projects/lighttpd/wiki/Etag.use-mtimeDetails
  etag.use-mtime = "enable"
  # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModSetEnv
  $HTTP["url"] =~ "^/roundcubemail/(plugins|skins|program)" {
    setenv.add-response-header = ( "Cache-Control" => "public, max-age=2592000")
  }
  # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModCompress
  # set compress.cache-dir to somewhere outside the docroot.
  compress.cache-dir = var.statedir + "/cache/compress"
  compress.filetype = ("text/plain", "text/html", "text/javascript", "text/css", "text/xml", "image/gif", "image/png")
}

KNOWN ISSUES
============
Installations with uw-imap server should set imap_disabled_caps = array('ESEARCH')
in main configuration file. ESEARCH implementation in this server is broken
(#1489184).
mySQL database
A large part of the user configuration data is stored and kept in a mySQL database.
Create the database
In the first step we now create this mySQL database and the associated database user.
So we log in to the mySQL database as an authorised database user.
# mysql -h mysql.dmz.nausch.org -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 188332
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
There we first of all create a database named roundcubemail.
mysql> create database roundcubemail;
Query OK, 1 row affected (0.04 sec)
Create the database user
Next we create a database user to whom we grant the appropriate rights on the database roundcubemail we just created. As the name we simply take roundcube_user.
mysql> CREATE USER 'roundcube_user'@'10.0.0.97' IDENTIFIED BY 'n491o5rbgsDK67DeM9sCHfzd';
Query OK, 0 rows affected (0.00 sec)
and
mysql> CREATE USER 'roundcube_user'@'vml000097.dmz.nausch.org' IDENTIFIED BY 'n491o5rbgsDKMS67DeM9sCHfzd';
Query OK, 0 rows affected (0.00 sec)
Set user permissions
We now grant the database user just created for Roundcube the rights it needs so that it can create, fill and modify tables from the web server.
mysql> GRANT ALL PRIVILEGES ON roundcubemail.* TO 'roundcube_user'@'10.0.0.97' IDENTIFIED BY 'n491o5rbgsDKMS67DeM9sCHfzd' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
Query OK, 0 rows affected (0.00 sec)
and
mysql> GRANT ALL PRIVILEGES ON roundcubemail.* TO 'roundcube_user'@'vml000097.dmz.nausch.org' IDENTIFIED BY 'n491o5rbgsDKMS67DeM9sCHfzd' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
Query OK, 0 rows affected (0.00 sec)
Apply user permissions
At the end of our mySQL user configuration we apply the permissions for our user.
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
Test access
Next we check whether the user/account we just created actually works.
# mysql -D roundcubemail -h mysql.dmz.nausch.org -u roundcube_user -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 188556
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [roundcubemail]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| roundcubemail      |
+--------------------+
2 rows in set (0.00 sec)

MySQL [roundcubemail]>
Since the test was successful, we can log off from our database server again.
MySQL [roundcubemail]> quit
Bye
Create the database tables
We create the database tables required by Roundcube with the following call.
# mysql -D roundcubemail -h mysql.dmz.nausch.org -u roundcube_user -p < /usr/share/roundcubemail/SQL/mysql.initial.sql
Enter password:
Database connection
So that roundcube can later access our database, we now define the database connection from roundcube to our MySQL database server.
In the directory /etc/roundcubemail/ we find the corresponding configuration file db.inc.php. We edit it with the editor of our choice, e.g. vim.
# vim /etc/roundcubemail/db.inc.php