MUA
Set up the Roundcube email MUA for webmail.
Set up the MTA and MDA before configuring Roundcube. See Setup.
Ports
MUA Ports
Port  Protocol  Type     Purpose
80    TCP       DISABLE  Roundcube webface
Updated: None
Files
MUA Files
Location              Purpose
/var/www/html/config  Roundcube configuration files
/var/roundcube/db     Roundcube user data; includes per-user contact information
Updated: None
Docker Creation
Configure the mail server before starting the docker container. See Setup.
The Docker container should run in an isolated network, given the sensitive and exposed nature of the data and service.
The proxy forwards traffic to the container, so no ports need to be exposed.
roundcube:
  image: roundcube/roundcubemail:latest-apache
  restart: "unless-stopped"
  logging:
    driver: syslog
    options:
      tag: roundcube
  environment:
    - "ROUNDCUBEMAIL_DEFAULT_HOST=ssl://mail.{DOMAIN}"
    - "ROUNDCUBEMAIL_DEFAULT_PORT=993"
    - "ROUNDCUBEMAIL_SMTP_SERVER=tls://mail.{DOMAIN}"
    - "ROUNDCUBEMAIL_SMTP_PORT=587"
    - "ROUNDCUBEMAIL_PLUGINS=archive,zipdownload"
    - "ROUNDCUBEMAIL_SKIN=larry"
    - "ROUNDCUBEMAIL_UPLOAD_MAX_FILE_SIZE=10M"
    - "ROUNDCUBEMAIL_DB_TYPE=sqlite"
  volumes:
    - "/data/mail/roundcube/config:/var/www/html/config"
    - "/data/mail/roundcube/db:/var/roundcube/db"
Warning
Use the explicit Common Name (FQDN) for the host URI. PHP now requires certificate validation by default, so the host should match the explicit FQDN on the certificate that the mail server uses.
Note
ROUNDCUBEMAIL_UPLOAD_MAX_FILE_SIZE should match the max file size defined on the mail server POSTFIX_MESSAGE_SIZE_LIMIT. See Docker Creation.
Note
See roundcube configuration for configuration guide. See defaults.inc.php for defaults.
Reverse Proxy Setup
A reverse proxy allows you to isolate your containers as well as wrap connections in SSL. See NGINX for more details. See Setup Base Proxy Control for basic proxy configuration.
Using Subdomains
server {
  listen 443 ssl http2;
  server_name roundcube.{DOMAIN} roundcube;

  location / {
    proxy_pass http://roundcube;
    include /etc/nginx/conf.d/proxy-control.conf;
  }
}
Using Subpaths
server {
  location /roundcube/ {
    proxy_pass http://roundcube;
    include /etc/nginx/conf.d/proxy-control.conf;
  }
}
Postgres Backend
Postgres may be used to store Roundcube data in a centralized location. This assumes that PostgreSQL is already configured, with an empty database for Roundcube to use (see Creating A Database).
psql -U roundcube -f SQL/postgres.initial.sql roundcube
Note
The Roundcube DB schema is defined in the Roundcube repository.
networks:
  db:
    external: True

roundcube:
  image: roundcube/roundcubemail:latest-apache
  networks:
    - db
$config['db_dsnw'] = 'pgsql://{USER}:{PASS}@{HOST}/{DB}';
fail2ban Setup
Enable fail2ban for MTA and MDA services.
Use fail2ban for Docker for the base fail2ban service setup.
f2b-system:
  volumes:
    - /var/log/syslog:/var/log/syslog:ro
Enable logging of successful user logins.
<?php
$config['log_logins'] = true;
Roundcube Filters
Custom filter to match roundcube log messages in syslog, with roundcube operating behind a proxy.
# Fail2Ban configuration file for docker roundcube web server behind proxy.

[INCLUDES]
before = common.conf

[Definition]
prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*.*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> against .*X-Forwarded-For: <HOST>.*$
            ^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> against .*X-Forwarded-For: <HOST> .*$
ignoreregex =
journalmatch = SYSLOG_IDENTIFIER=roundcube
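An added example, not part of the original page or of fail2ban: a Python approximation of how the filter above is applied, run over constructed log lines to show which address ends up banned. The tag expansions, the __hostname pattern and the sample log format are assumptions; running fail2ban-regex against the real syslog is the authoritative check.

```python
import re

# Filter expressions copied from the [Definition] section above.
PREFREGEX = r"^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*.*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$"
FAILREGEX = [
    r"^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> against .*X-Forwarded-For: <HOST>.*$",
    r"^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> against .*X-Forwarded-For: <HOST> .*$",
]
# Assumption: simplified stand-ins for fail2ban's own expansions. The real
# <HOST> tag also accepts IPv6 and hostnames; __hostname comes from common.conf.
SUBST = {
    "%(__hostname)s": r"\S+",
    "<HOST>": r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})",
    "<F-USER>": "(?P<user>", "</F-USER>": ")",
    "<F-CONTENT>": "(?P<content>", "</F-CONTENT>": ")",
}

def expand(rx):
    """Turn a fail2ban expression into a compiled Python regex."""
    for tag, repl in SUBST.items():
        rx = rx.replace(tag, repl)
    return re.compile(rx)

PREF = expand(PREFREGEX)
FAIL = [expand(rx) for rx in FAILREGEX]

def classify(line):
    """Return (user, address to ban) for a failure line, else None."""
    pre = PREF.search(line)
    if not pre:
        return None
    for rx in FAIL:
        hit = rx.search(pre.group("content"))
        if hit:
            return hit.group("user"), hit.group("host")
    return None

# Constructed sample lines, timestamp already stripped (fail2ban removes it
# before matching). 172.18.0.5 stands for the proxy on the Docker network.
HEAD = "mailhost roundcube[41]: <k3f9a2> "
FAILED = HEAD + "IMAP Error: Login failed for "
TAIL = ". AUTHENTICATE PLAIN: Authentication failed."
SAMPLES = [
    FAILED + "alice@example.test against mail.example.test from 172.18.0.5(X-Forwarded-For: 203.0.113.7)" + TAIL,
    FAILED + "bob@example.test against mail.example.test from 172.18.0.5(X-Real-IP: 198.51.100.9,X-Forwarded-For: 198.51.100.9)" + TAIL,
    FAILED + "carol@example.test against mail.example.test from 172.18.0.5" + TAIL,
    HEAD + "Successful login for alice@example.test (ID: 1) from 172.18.0.5(X-Forwarded-For: 203.0.113.7) in session k3f9a2",
]
```

The third sample is a failure logged without an X-Forwarded-For header: it yields no ban, so the jail depends on the proxy passing that header to the container.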
Roundcube Jails
[mail-roundcube]
enabled = true
port = http,https
filter = mail-roundcube
logpath = /var/log/syslog
bantime = -1
findtime = 86400
maxretry = 3
Restart f2b-docker.