Wednesday, December 10, 2014

How To Secure Roundcube Installation Of Virtualmin

Roundcube Logo

Roundcube is a PHP open source webmail that allow users to read and send emails through a user-friendly interface.

Installing Roundcube in Virtualmin

In Virtualmin, choose the virtual host you want to install the script on, and click "Install Scripts":
VirtualMin install scripts

Choose "Roundcube" and click "Show Install Options"
Installing Roundcube in Virtualmin

Choose a database and enter the path, I chose "webmail" for the path.
Configuring Roundcube in Virtualmin

Securing Roundcube in Virtualmin

Roundcube provides many plugins to further enhance and secure the script. The plugins can be found on:

In order to prevent brute force attacks on the email, we install the following plugins:

Installing antiBruteForce Plugin:

Download antiBruteForce plugin from:
Extract it and upload it to your roundcube/plugins directory.

or download and extract it from ssh into roundcube's plugins directory:
tar -xvf antiBruteForce_v2.0.tar.gz

Go to roundcube config directory, open and edit,
Scroll to the bottom of the file, and search for $config['plugins'] = and add a new value called antiBruteForce, so that it will look like this:
$config['plugins'] = array('virtuser_file',

Now try to enter an incorrect password several times, and roundcube should block your IP address for a while.
Roundcube Brute Force Blocking

Installing Dr Captcha Plugin:

Note: In order to successfully use this plugin, you must have PHP GD installed.

Download Dr Captcha from here:

Extract & upload it to the plugins directory of roundcube.

You should have a directory called plugins/drcaptcha.
  1. Go to plugins/drcaptcha and rename to and open it and modify the plugin's settings as you wish.
  2. In order to enable the plugin, go back to roundcube config directory, open and edit
  3. Scroll to the bottom of the file, and search for $config['plugins'] = 
  4. Add a new value called drcaptcha, so that it will look like this:
$config['plugins'] = array('virtuser_file',
Refresh the login screen and it should look as follows:
roundcube captcha

Force https to prevent eavesdropping:

Open config/
Search for:
$config['force_https'] = false;
and change it to:
$config['force_https'] = 443;

Additionally, if you have fail2ban installed, you can create a filter to scan the log files and ban the offending IPs.

Questions? Post them in the comment box below!