I run my own mail server and for years I’ve used squirrelmail as it was a simple interface that just worked and I never really use many of the advanced web mail features anyway. The squirrelmail project hasn’t really advanced a whole lot though and while they do keep up the security fixes and make it work with the latest releases of php there’s been no real development in quite some time so with the move to a new hosted server I decided it was time for a change. I decided to go with RoundCube Mail. The instructions are identical for Fedora as well.
Initial Install
RoundCube is packaged in EPEL and while 0.8.6 isn’t the latest release the ability to “yum install” works for me.
Install the roundcubemail package, mysql and mod_nss for HTTPS (or mod_ssl if you prefer), I’m assuming here you already have a working imap/smtp server. So just a:
yum install roundcubemail mysql-server mod_nss
I plan to use a MySQL DB so to create that I did the following to create the DB and db user:
# mysql -u root -p mysql> create database roundcubemail; mysql> create user roundcube; mysql> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'changeme'; mysql> FLUSH PRIVILEGES; mysql> quit # mysql -u root -p roundcubemail < /usr/share/doc/roundcubemail-0.8.6/SQL/mysql.initial.sql
To configure RoundCube to access the database edit /etc/roundcubemail/db.inc.php:
$rcmail_config['db_dsnw'] = 'mysql://roundcube:changeme@localhost/roundcubemail';
To configure RoundCube for mail server settings edit /etc/roundcubemail/main.inc.php:
$rcmail_config['default_host'] = 'localhost';
The only config changes I made for the mod_nss was to change the default port from 8443 to the standard HTTPS port of 443 by editing /etc/httpd/conf.d/nss.conf
Configure RoundCube URL and various other apache config like enforcing HTTP edit /etc/httpd/conf.d/roundcubemail.conf:
Alias /webmail /usr/share/roundcubemailRewriteEngine on RewriteCond %{HTTPS} !=on RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
I'll likely tweak the apache config a little more but that ensures its running over SSL for now.
Finally restart apache to make it work π with a "service httpd restart"
Fixes to enable running SELinux in Enforcing mode
Initial on testing I wad getting an error in the apache logs about writing to logs. I figured this might be a SELinux error so I did a quick setenforce 0 to test my theory and I was right on.
[error] [client 192.168.100.1] PHP Warning: Error writing to log file /var/log/roundcubemail/errors; Please check permissions in /usr/share/roundcubemail/program/include/main.inc on line 1965
To fix running in enforcing mode I needed to change two SELinux settings. The first was to set the log directory with http_log and the second was to allow httpd to connect to the network. Fixed easily with these two commands:
chcon -R system_u:object_r:httpd_log_t:s0 /var/log/roundcubemail setsebool -P httpd_can_network_connect=1
Now I don't need to upset Major Hayden or make Dan weep π
Fixing the date display
The date column in the mail initially didn't display. Looking at the apache logs I needed to set the php date.timezone setting in /etc/php.ini. I have users in a number of timezones so I was a little concerned at first of chosing one in particular but it doesn't seem to make much difference. Just search for date.timezone in /etc/php.ini and your good to go.
Conclusion
I like my new mail setup. The migration has enabled me to clean up a number of things I've wanted to for some time and just never got around to it. All the commands are basically identical on Fedora or any other EL6 clones. Hopefully it will be useful for others, and of course feedback is welcome.
I believe that instead of
chcon -R system_u:object_r:httpd_log_t:s0 /var/log/roundcubemail
it’s always better to run
semanage fcontext -a -t httpd_log_t ‘/var/log/roundcubemail(/.*)?’
restorecon -v -R /var/log/
Life happens and sometimes it is helpful to be able to run restorecon without fear of what labels I am going to damage.
Ah, good to know! Thanks π
I don’t know if it’s the same for EPEL / RHEL since I guess the selinux-policy package is part of RHEL and maybe it doesn’t want to set perms for EPEL stuff, but in Fedora, we always try to make it so the SELinux config is correct without manual tweaking for webapps, where possible.
I help maintain roundcube for Fedora; we’re usually careful about sending later builds to older Fedoras (and same goes for EPEL presumably), but it should be trivial to take the latest Fedora SRPM and rebuild it for EPEL if you want the latest. Major version jumps usually require you to update the SQL schemas and manually update the config file for upstream changes – there’s some details in a README in the package. I actually run F17 on my webserver but I use a rebuilt version of the roundcube from F19/Rawhide.