SSL for Round Cube

Discussion in 'Plugins/Modules/Addons' started by Unoarm, Apr 19, 2021.

  1. Unoarm

    Unoarm New Member

    How do you secure Roundcube for each domain on your ISPconfig Server?
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think you don't. You just secure the domain(s) and RC as its folders will be secured too.
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Users can go to example.com/webmail - if the domain has a valid cert there will be no problem.
     
  4. gring

    gring Member

    Hi.
    If you're talking about having dedicated subdomains, ie webmail.domain.tld, you'll have to set it up manually.
    First, you'll have to create a vhost for apache, ususally in /etc/apache2/sites-availlable/
    you could name it roundcube.vhost
    Code:
    <VirtualHost *:80>
      ServerName webmail.domain.tld
      ServerAlias webmail.domain2.tld
      ServerAlias webmail.domain3.tld
    
    etc...
    
      DocumentRoot /var/lib/roundcube
    
     <Directory /var/lib/roundcube>
       Options FollowSymLinks
       AllowOverride All
       Order allow,deny
       Allow from all
     </Directory>
    </VirtualHost>
    
    then you restart Apache (on Ubuntu with "systemctl restart apache2")

    Then, you can use Certbot to generate the certificate :
    Code:
    certbot certonly --cert-name roundcube --webroot -w /usr/local/ispconfig/interface/acme/ -d webmail.domain.tld -d webmail.domain2.tld -d webmail.domain3.tld 
    The path after -w is important because it is fixed by ispconfig configuration.

    Once the certificate is generated, you can modify your apache vhost, keeping an http section on port 80 to redirect to https :
    Code:
    <VirtualHost *:80>
      ServerName webmail.domain.tld
      ServerAlias webmail.domain2.tld
      ServerAlias webmail.domain3.tld
    
      RewriteEngine on
      RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
    </VirtualHost>
    
    <VirtualHost *:443>
      ServerName webmail.domain.tld
      ServerAlias webmail.domain2.tld
      ServerAlias webmail.domain3.tld
    
      Protocols h2 http/1.1
    
      DocumentRoot /var/lib/roundcube
    
     <Directory /var/lib/roundcube>
       Options FollowSymLinks
       AllowOverride All
       Order allow,deny
       Allow from all
     </Directory>
    
      SSLEngine On
      SSLCertificateFile /etc/letsencrypt/live/roundcube/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/roundcube/privkey.pem
    
    </VirtualHost>
    
    This is the lazy single certificate solution. If you care about not sharing a certificate for all your clients, you can generate individual <virtualhost> sections for each subdomain, and individual certificates instead of using a global "roundcube" one.

    (This would be worth a plugin)
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can do this through the UI, there are several ways to do that. So I would strongly advice you to do it through the UI.
     
  6. gring

    gring Member

    Really ?
    Could you please point me to the right direction ?
    thanks.
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Some ideas:
    - Add a website "webmail.example.com", enable LE, and add your clients domains as alias
    - (wildcard SSL cert required) enable the wildcard as subdomain for all sites and add a redirect for webmail. to the vhost through a custom vhost.conf.master
    - Redirect /webmail for all clients to webmail.example.com (recommended way). You can follow this guide: https://www.howtoforge.com/community/threads/redirect-webmail-to-webmail-example-com.86368/
     

Share This Page