SSL for Round Cube

Discussion in 'Plugins/Modules/Addons' started by Unoarm, Apr 19, 2021.

  1. Unoarm

    Unoarm New Member

    How do you secure Roundcube for each domain on your ISPconfig Server?
     
    Unoarm, Apr 19, 2021
    #1
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think you don't. You just secure the domain(s) and RC as its folders will be secured too.
     
    ahrasis, Apr 19, 2021
    #2
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Users can go to example.com/webmail - if the domain has a valid cert there will be no problem.
     
    Th0m, Apr 19, 2021
    #3
  4. gring

    gring Member

    Hi.
    If you're talking about having dedicated subdomains, ie webmail.domain.tld, you'll have to set it up manually.
    First, you'll have to create a vhost for apache, ususally in /etc/apache2/sites-availlable/
    you could name it roundcube.vhost
    Code:
    <VirtualHost *:80>
  ServerName webmail.domain.tld
  ServerAlias webmail.domain2.tld
  ServerAlias webmail.domain3.tld

etc...

  DocumentRoot /var/lib/roundcube

 <Directory /var/lib/roundcube>
   Options FollowSymLinks
   AllowOverride All
   Order allow,deny
   Allow from all
 </Directory>
</VirtualHost>
    then you restart Apache (on Ubuntu with "systemctl restart apache2")

    Then, you can use Certbot to generate the certificate :
    Code:
    certbot certonly --cert-name roundcube --webroot -w /usr/local/ispconfig/interface/acme/ -d webmail.domain.tld -d webmail.domain2.tld -d webmail.domain3.tld
    The path after -w is important because it is fixed by ispconfig configuration.

    Once the certificate is generated, you can modify your apache vhost, keeping an http section on port 80 to redirect to https :
    Code:
    <VirtualHost *:80>
  ServerName webmail.domain.tld
  ServerAlias webmail.domain2.tld
  ServerAlias webmail.domain3.tld

  RewriteEngine on
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
</VirtualHost>

<VirtualHost *:443>
  ServerName webmail.domain.tld
  ServerAlias webmail.domain2.tld
  ServerAlias webmail.domain3.tld

  Protocols h2 http/1.1

  DocumentRoot /var/lib/roundcube

 <Directory /var/lib/roundcube>
   Options FollowSymLinks
   AllowOverride All
   Order allow,deny
   Allow from all
 </Directory>

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/roundcube/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/roundcube/privkey.pem

</VirtualHost>
    This is the lazy single certificate solution. If you care about not sharing a certificate for all your clients, you can generate individual <virtualhost> sections for each subdomain, and individual certificates instead of using a global "roundcube" one.

    (This would be worth a plugin)
     
    gring, May 30, 2021
    #4
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can do this through the UI, there are several ways to do that. So I would strongly advice you to do it through the UI.
     
    Th0m, May 30, 2021
    #5
  6. gring

    gring Member

    Really ?
    Could you please point me to the right direction ?
    thanks.
     
    gring, May 30, 2021
    #6
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Some ideas:
    - Add a website "webmail.example.com", enable LE, and add your clients domains as alias
    - (wildcard SSL cert required) enable the wildcard as subdomain for all sites and add a redirect for webmail. to the vhost through a custom vhost.conf.master
    - Redirect /webmail for all clients to webmail.example.com (recommended way). You can follow this guide: https://www.howtoforge.com/community/threads/redirect-webmail-to-webmail-example-com.86368/
     
    Th0m, Jun 1, 2021
    #7

Share This Page