$_ BSDHowTo.ch
How To... Why not..? Scripts Patches RSS logo

Install Roundcube on OpenBSD

Last update: 2020-06-10

Introduction

This post is about installing Roundcube on OpenBSD. The webserver for Roundcube is httpd(8) together with PHP and MariaDB installed from packages(7).

Installation of packages

With the following command you get all the packages installed which are required for Roundcube:

$ doas pkg_add -i roundcubemail mariadb-server php-pdo_mysql

The last package will present you probably with list of available versions to choose from. Make sure you choose the same version of PHP as the one that got installed by the roundcubemail package. At the time of writing this is 7.3 on OpenBSD 6.7-beta.

Configuration of PHP

You must make sure that the required PHP extensions are enabled. The easiest way to this is the following:

$ cd /etc/php-7.3.sample/
$ for i in * ; do
> doas ln -sf ../php-7.3.sample/$i ../php-7.3/
> done

And you need to prepare the chroot(2) for the usage of TLS with PHP:

$ doas mkdir -p /var/www/etc/ssl
$ doas install -m 444 -o root -g bin /etc/ssl/cert.pem /etc/ssl/openssl.cnf \
  /var/www/etc/ssl/

Make sure you add the above install(1) command to /etc/rc.local in order to update the files whenever the originals change.

Roundcube itself requires some settings in /etc/php-fpm.conf in order to work properly:

; Settings for Roundcube
php_flag[display_errors] = off
php_admin_flag[log_errors] = on
php_admin_value[upload_max_filesize] = 5M
php_admin_value[post_max_size] = 6M
php_admin_value[memory_limit] = 64M
php_flag[zlib.output_compression] = off
php_flag[suhosin.session.encrypt] = off
php_flag[session.auto_start] = off
php_admin_value[session.gc_maxlifetime] = 21600
php_admin_value[session.gc_probability] = 1

Configuration of MariaDB

I recommend that you create a dedicated login group for mysqld - although the package readme tells you that you only need it on busy servers. Append the following to /etc/login.conf:

mysqld:\
    :openfiles-cur=1024:\
    :openfiles-max=2048:\
    :tc=daemon:

Create the initial database for MariaDB:

$ doas mysql_install_db

Now you can start mysqld and secure the installation:

$ doas rcctl enable mysqld
$ doas rcctl start mysqld
$ doas mysql_secure_installation

With httpd(8) chrooted to /var/www you must make sure that the connection to the socket of the MariaDB server is available within the chroot. First create a folder in which the socket will be placed:

$ doas install -d -m 0711 -o _mysql -g _mysql /var/www/var/run/mysql

Second you must change the socket path in /etc/my.cnf:

[client-server]
socket = /var/www/var/run/mysql/mysql.sock

I recommend commenting out the existing entries and place the new ones below the existing ones. You must restart mysqld in order to activate the new socket:

$ doas rcctl restart mysqld

Now you are ready to create the actual database for Roundcube:

$ doas -s
$ mysql
> CREATE DATABASE roundcube /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
> GRANT ALL PRIVILEGES ON roundcube.* TO roundcube@localhost
    -> IDENTIFIED BY 'password';
> QUIT
# mysql roundcube < /var/www/roundcubemail/SQL/mysql.initial.sql
# ^D

Configuration of httpd(8)

For security reasons you should offer access to Roundcube only over https. I presume that you have a proper certificate and its private key stored already on the server. The configuration of httpd(8) is done in httpd.conf(5):

server "default" {
    listen on egress tls port https
    log style combined
    tls certificate "/etc/ssl/roundcube.example.org"
    tls key "/etc/ssl/private/roundcube.example.org"

    root "/roundcubemail"
    directory index index.php

    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
}

types {
    include "/usr/share/misc/mime.types"
}

You may want to change the log style from combined to forwarded if you run httpd(8) behind a proxy that sets the headers X-Forwarded-For and X-Forwarded-Port.

In order to make name resolving work within the chroot(2) you should copy your hosts(5) file and your resolv.conf(5) file into it:

$ cd /var/www
$ for f in hosts resolv.conf ; do doas cp /etc/$f etc/ ; done

Configuration of Roundcube (first part)

The basic configuration of Roundcube is done in its config file /var/www/roundcubemail/config/config.inc.php. You should at least set proper values for the following variables:

$config['db_dsnw'] = 'mysql://roundcube:password@localhost/roundcube';
$config['default_host'] = 'imap.example.org';
$config['smtp_server'] = 'smtp.example.org';
$config['des_key'] = 'Exactly24BytesRandomStr!'

Start services and finish setup

The time has come to actually start the required services:

$ doas rcctl enable httpd php73_fpm
$ doas rcctl start httpd php73_fpm

If both start commands return ok you can finish the setup of Roundcube by opening the URL of your server in a browser, e. g. https://roundcube.example.org/:

Login page

Log in with valid credentials for your IMAP server. Then switch to the Settings screen to tweak the configuration of Roundcube further according to your needs:

Initial setup screen