What do we have here?
As a preface I'd like to briefly describe my setup. As usual I'm using jails: separate ones for roundcube, mysql and the mail software (postfix/dovecot). Access to the jailed lighttpd is provided by nginx working as a proxy. Your configuration might be different, but that doesn't really matter; with a few tweaks the solution provided here should work anyway.
Ok, let's do it!
I assume you have already created a separate jail for your webmail (howto here), or you're not jailing it. Either way you have to install:
- roundcube
- lighttpd with php support
- mysql-client (optional - more info below)
Build them from ports, and make sure to select MySQL support for lighttpd.
cd /usr/ports/mail/roundcube && make install clean
cd /usr/ports/www/lighttpd && make install clean
cd /usr/ports/databases/mysql56-client/ && make install clean
Now we need a database
Switch to your mysql jail from your main host:
ezjail-admin console mysql
Log in to mysql as root and execute the following:
create database roundcube;
GRANT ALL PRIVILEGES ON roundcube.* TO roundcube@'%' IDENTIFIED BY '<roundcube password here>';
The percent sign (in place of a hostname) means that the connection will be opened from a REMOTE host (the other jail); if you put 'localhost' here, mysql won't let you in from your webmail jail.
If you have trouble choosing the right password, like I do, I recommend using a password generator such as apg:
cd /usr/ports/security/apg && make install clean
root@pig:~# apg -m16
krotVuwrewdAgdaw
LumerarkAfImUdvi
joopwoiphGoapmip
Tawlyatyekghieg7
kuitMahyft8owmEa
Vom8DreChredtiEs
Now you have to create the database structure for roundcube. Luckily it's as easy as restoring an .sql file (found in the default roundcube directory structure). You can do it from within your webmail jail or from your mysql jail; both ways work. Doing it from your webmail jail will also test whether your connection and password work, so this is the method I have chosen (that's why I installed mysql-client earlier).
cd /usr/local/www/roundcube/SQL/
mysql -u roundcube -p roundcube < mysql.initial.sql
You'll be prompted for the roundcube db password.
lighttpd configuration
Only a very simple configuration is needed. What we need to do is enable mod_fastcgi, which will handle php for us:
cat /usr/local/etc/lighttpd/modules.conf
server.modules = (
"mod_access",
"mod_fastcgi",
)
And configure it in lighttpd.conf or in conf.d/fastcgi.conf:
fastcgi.server = ( ".php" => ((
    "bin-path" => "/usr/local/bin/php-cgi",
    "socket" => "/tmp/php.socket",
    "max-procs" => 1,
    "bin-environment" => (
        "PHP_FCGI_CHILDREN" => "16",
        "PHP_FCGI_MAX_REQUESTS" => "10000"
    ),
    "broken-scriptfilename" => "enable"
)))
And the last thing is to edit lighttpd.conf to point the document root to the place where roundcube is installed (default: /usr/local/www/roundcube):
server.document-root = "/usr/local/www/roundcube/"
roundcube configuration
There are two files which have to be edited:
1. /usr/local/www/roundcube/config/config.inc.php
2. /usr/local/www/roundcube/config/defaults.inc.php
Now, I assume you use an ssl connection to your imap server. I prefer that even though I have my mail services running on the same physical machine (in a different jail) and all network traffic is internal, loopback to loopback. Another thing is that I use submission for smtp, therefore the smtp port is 587:
vi /usr/local/www/roundcube/config/config.inc.php
$config['db_dsnw'] = 'mysql://roundcube:<same password as you used in mysql>@mysql/roundcube';
$config['default_host'] = 'ssl://10.0.0.3';
$config['smtp_server'] = 'mail.thinkunix.org';
$config['smtp_port'] = 587;
The first line describes the mysql connection, which is split into: 'protocol://db user:db password@hostname serving mysql/database name' (here the user and the database are both called roundcube);
In the second line I had to use a little trick by putting 'ssl' as the protocol, otherwise roundcube refuses to work even if port 993 is specified. Not sure if this is a feature or a bug ;)
In the other file:
vi /usr/local/www/roundcube/config/defaults.inc.php
$config['default_port'] = 993;
That should be it.
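The db_dsnw and default_host settings above, as an added example that is not code from this post or from Roundcube: it builds and parses the DSN string so that a generated password containing ':', '@' or '/' survives intact, and works out what the default_host/default_port pair selects. The 'ssl://' / 'tls://' meaning and the "port in the host wins" rule are assumptions taken from the post's description, not from Roundcube's own code; the sample password is constructed.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed sample password (not one to reuse): it deliberately contains
# ':', '@' and '/' to show why credentials inside the DSN must be percent-encoded.
SAMPLE_DB_PASSWORD = "kr@t:Vuw/rewdAgdaw"


def build_db_dsn(user, password, host, database, driver="mysql"):
    """Return a $config['db_dsnw'] value of the form driver://user:password@host/database.

    quote(..., safe="") turns ':', '@' and '/' in the credentials into %3A, %40 and %2F,
    so an apg-generated password cannot be mis-split at the next URL delimiter.
    """
    return "%s://%s:%s@%s/%s" % (
        driver, quote(user, safe=""), quote(password, safe=""), host, database)


def parse_db_dsn(dsn):
    """Split a db_dsnw string back into its parts and decode the credentials."""
    parts = urlsplit(dsn)
    return {
        "driver": parts.scheme,
        "user": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "host": parts.hostname,
        "database": parts.path.lstrip("/"),
    }


def imap_endpoint(default_host, default_port=143):
    """Work out what the default_host / default_port pair selects.

    Assumed mapping (as the post describes it): an 'ssl://' prefix means IMAP over
    implicit TLS, 'tls://' means STARTTLS, and a bare host means no encryption at all.
    A port written into default_host itself wins over default_port.
    """
    if "://" not in default_host:            # bare host, e.g. '10.0.0.3'
        default_host = "imap://" + default_host
    parts = urlsplit(default_host)
    encryption = {"ssl": "implicit TLS", "tls": "STARTTLS"}.get(parts.scheme, "none")
    return {"host": parts.hostname, "port": parts.port or default_port,
            "encryption": encryption}


if __name__ == "__main__":
    dsn = build_db_dsn("roundcube", SAMPLE_DB_PASSWORD, "mysql", "roundcube")
    print(dsn)
    print(parse_db_dsn(dsn))
    print(imap_endpoint("ssl://10.0.0.3", 993))
```

A bare host with the default port 143 comes back as "none", which is the unencrypted case the post avoids by using the ssl:// prefix.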
nginx configuration
There are two (well, more) ways to give access to your webmail jail: one is to redirect via pf (examples here), or we can use nginx as a proxy. This is a bit more flexible, as we can point different (sub)domains to different jails. Here's how:
1. Install nginx from ports:
cd /usr/ports/www/nginx && make install clean
2. Configure that sucker. The proxy config goes like this:
server {
    listen IP ADDRESS HERE:443;
    ssl_certificate /usr/local/etc/nginx/ssl/webmail.thinkunix.org/webmail.thinkunix.org.crt;
    ssl_certificate_key /usr/local/etc/nginx/ssl/webmail.thinkunix.org/webmail.thinkunix.org.key;
    ssl on;
    server_name webmail.thinkunix.org;
    location / {
        root /usr/local/www/nginx;
        index index.html index.htm;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://JAIL IP HERE:80;
    }
}
As you have noticed, the redirect is pointing to port 80 of our webmail server (lighttpd in my case), which means that hop is not SSL, but it does not matter: encryption is handled by nginx, so traffic goes from lighttpd to nginx (unencrypted, inside the host) and from nginx to the user (encrypted).
3. Create a self-signed certificate for nginx:
cd /usr/local/etc/nginx
mkdir -p ssl/webmail.thinkunix.org/
cd ssl/webmail.thinkunix.org/
openssl genrsa -des3 -out webmail.thinkunix.org.key 2048
openssl req -new -key webmail.thinkunix.org.key -out webmail.thinkunix.org.csr
cp webmail.thinkunix.org.key webmail.thinkunix.org.key.orig
openssl rsa -in webmail.thinkunix.org.key.orig -out webmail.thinkunix.org.key
openssl x509 -req -days 365 -in webmail.thinkunix.org.csr -signkey webmail.thinkunix.org.key -out webmail.thinkunix.org.crt
And change ownership to www:www and permissions to 600:
chown -R www:www /usr/local/etc/nginx/ssl/webmail.thinkunix.org/
chmod 600 /usr/local/etc/nginx/ssl/webmail.thinkunix.org/*
That's it.
important update
If you're using my ezjail + pf config then the setup provided above will not work. The reason is the redirect rule in your pf config for port 80 (www). In the current setup nginx is doing the job (acting as a proxy), therefore you have to disable (simply comment out, then reload pf) the line which redirects incoming www traffic to your www jail's port 80, and create entries in the nginx config for every domain/vhost you might have.