Protect Roundcube with Google reCaptcha

reCaptcha plugin for Roundcube is a good way to protect your server against brute-force attacks on a webmail.

We will install it from the plugin’s repository https://github.com/dsoares/rcguard.git. The addon was tested at the moment of the writing of this guide with RoundCube version 1.3.3.

First make sure you’ve got git installed on your server. If it’s missing you can install it either from your OS repository with a package manager or from sources.

So we start

Installation of the plugin into RoundCube on a Directadmin server starts with the following commands:

cd /var/www/html/roundcube/plugins/
GIT_SSL_NO_VERIFY=true git clone https://github.com/dsoares/rcguard.git rcguard
chown -R webapps:webapps rcguard/
cd rcguard
mv config.inc.php.dist config.inc.php

Example of an output from git command:

# GIT_SSL_NO_VERIFY=true git clone https://github.com/dsoares/rcguard.git rcguard
Cloning into 'rcguard'...
remote: Counting objects: 470, done.
remote: Total 470 (delta 0), reused 0 (delta 0), pack-reused 470
Receiving objects: 100% (470/470), 82.68 KiB, done.
Resolving deltas: 100% (240/240), done.

If you see an error you should read everything carefully and try to resolve it. Please feel free to contact us if anything goes wrong here.

Add your reCaptcha keys

Go to https://www.google.com/recaptcha/admin and get your keys.

It’s important to mention, that Google will show reCaptcha only on domains which were registered at Google for these particular pair of keys. It means that you should either register all of your domains at Google if you want to access RoundCube on users’ domains, or use one domain (or hostname) for all users and register one domain at Google.

As soon as you get your keys you should add them into configuration file of the addon.

Open the config file of the plugin in an editor:

vi config.inc.php

and update the following lines with your real public and private keys from Google:

// Public key for reCAPTCHA
$config['recaptcha_publickey'] = '';

// Private key for reCAPTCHA
$config['recaptcha_privatekey'] = '';

So it would look like the following:

// Public key for reCAPTCHA
$rcmail_config['recaptcha_publickey'] = '6LdNmhYTAAAAAOXR**********OcI6MPpePq2eRn';

// Private key for reCAPTCHA
$rcmail_config['recaptcha_privatekey'] = '6LdNmhYTAAAAAB**********vJxvSjDR9VUiDDq-';

For security reasons some symbols are masked here, in your case there should not be asterisks.

You can change other settings of the plugin per your needs. For example this one:

// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 5;

can be changed to

// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 1;

if you want reCaptcha to be shown after the first failed login (the default is 5).

Create MySQL table for the plugin

Connect to mysql either in a shell with the following command:

mysql --defaults-extra-file=/usr/local/directadmin/conf/my.cnf da_roundcube

Or use phpMyAdmin interface and choose DB with name da_roundcube.

Then run the following query:

CREATE TABLE `rcguard` (
  `ip` VARCHAR(40) NOT NULL,
  `first` DATETIME NOT NULL,
  `last` DATETIME NOT NULL,
  `hits` INT(10) NOT NULL,
  PRIMARY KEY (`ip`),
  INDEX `last_index` (`last`),
  INDEX `hits_index` (`hits`)
) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;

quit;

Here is an example of a desirable output: “Query OK, 0 rows affected (0.03 sec)”, and in full it will look as the following:

MariaDB [da_roundcube]> CREATE TABLE `rcguard` (
    ->   `ip` VARCHAR(40) NOT NULL,
    ->   `first` DATETIME NOT NULL,
    ->   `last` DATETIME NOT NULL,
    ->   `hits` INT(10) NOT NULL,
    ->   PRIMARY KEY (`ip`),
    ->   INDEX `last_index` (`last`),
    ->   INDEX `hits_index` (`hits`)
    -> ) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;
Query OK, 0 rows affected (0.03 sec)

MariaDB [da_roundcube]>
MariaDB [da_roundcube]> quit;
Bye

Updating Roundcube config

Now we need to modify RoundCube main configuration in order to let it work with the addon/plugin.

Register the plugin by modifying config.inc.php:

cd /var/www/html/roundcube/config/
vi ./config.inc.php

Find the line

$config['plugins'] = array(

and change it to:

$config['plugins'] = array(
    'rcguard',

Don’t forget to add a comma in the end of the line.

Protect your customization for future updates

For this you need to copy the plugin and updated config into a special folder of custombuild:

mkdir -p /usr/local/directadmin/custombuild/custom/roundcube/plugins/
cd /usr/local/directadmin/custombuild/custom/roundcube/
cp -r /var/www/html/roundcube/plugins/rcguard ./plugins/
cp -p /var/www/html/roundcube/config/config.inc.php .

Every time when you update a version of RoundCube with Directadmin you will still have the plugin enabled.

That’s it. Tags: directadminE-mailRoundcubepluginsSecurityreCaptcha

ISPConfig 3 + RoundCube Mail 1.0 + Password Management

 Most of the articles on the web are referring to older versions. Below are the steps to get it working.

Assumptions: This works on a Ubuntu Server 12.04 LTS updated with the latest patches, setup by following “Perfect Server” tutorial, then installed with RoundCube 1.0 as the Webmail. (SqurrielMail installation was skipped).

1. Enable the password plugin of RoundCube – The 1.0 version comes with the plugin in the package, but not activated.

Under config/config.inc.php

// ———————————-
// PLUGINS
// ———————————-
// List of active plugins (in plugins/ directory)
$config[‘plugins’] = array(‘password’);

This tells you will activate the ‘password’ plugin which sits inside the plugins/ directory.

2. Then edit the plugins/password/config.inc.php

$config[‘password_db_dsn’] = ‘mysql://ispconfig:[email protected]/dbispconfig’;

“password” is stored in /usr/local/ispconfig/interface/lib/config.inc.php.

3. Edit $config[‘password_query’] in plugins/password/config.inc.php

$config[‘password_query’] = ‘UPDATE mail_user SET password=%c WHERE email=%u LIMIT 1’;

or

$config[password_query] =UPDATE mail_user SET password=%c WHERE email=%u and password=%o LIMIT 1‘;