Enigma plugin (PGP encryption) Roundcube signature

You have to set up enigma plugin :

cp /……../roundcubemail/plugins/enigma/config.inc.php.dist /……../roundcubemail/plugins/enigma/config.inc.php


// Enigma Plugin options
// --------------------

// A driver to use for PGP. Default: "gnupg".
$config['enigma_pgp_driver'] = 'gnupg';

// A driver to use for S/MIME. Default: "phpssl".
$config['enigma_smime_driver'] = 'phpssl';

// Enables logging of enigma operations (including Crypt_GPG debug info)
$config['enigma_debug'] = true;

// Keys directory for all users. Default 'enigma/home'.
// Must be writeable by PHP process
$config['enigma_pgp_homedir'] = enigma/home;

// Location of gpg binary. By default it will be auto-detected.
// This is also a way to force gpg2 use if there are both 1.x and 2.x on the system.
$config['enigma_pgp_binary'] = '/usr/bin/gpg';

// Location of gpg-agent binary. By default it will be auto-detected.
// It's used with GnuPG 2.x.
$config['enigma_pgp_agent'] = '';

// Location of gpgconf binary. By default it will be auto-detected.
// It's used with GnuPG >= 2.1.
$config['enigma_pgp_gpgconf'] = '';

// Enables signatures verification feature.
$config['enigma_signatures'] = true;

// Enables messages decryption feature.
$config['enigma_decryption'] = true;

// Enables messages encryption and signing feature.
$config['enigma_encryption'] = true;

// Enable signing all messages by default
$config['enigma_sign_all'] = false;

// Enable encrypting all messages by default
$config['enigma_encrypt_all'] = false;

// Enable attaching a public key to all messages by default
$config['enigma_attach_pubkey'] = false;

// Default for how long to store private key passwords (in minutes).
// When set to 0 passwords will be stored for the whole session.
$config['enigma_password_time'] = 0;

// With this option you can lock composing options
// of the plugin forcing the user to use configured settings.
// The array accepts: 'sign', 'encrypt', 'pubkey'.
// For example, to force your users to sign every email,
// you should set:
//     - enigma_sign_all     = true
//     - enigma_options_lock = array('sign')
//     - dont_override       = array('enigma_sign_all')
$config['enigma_options_lock'] = array();

from here

In this article I described how we implemented client-side encryption in Roundcube using Mailvelope. There’s another approach for encryption, it is the Enigma plugin. It implements all the functionality using server-side GNUPG software. So, the big difference in these is that: Mailvelope keeps your keys in the browser, Enigma stores them on the server. In the current state Enigma however, has a lot more features.

Installation and settings

To use Enigma just enable it as any other plugin. Then in Preferences > Settings > Encryption you’ll see a set of options that will give you possibility to enable/disable encryption-related features.

NOTE: As keys are stored on the server, make sure the directory used as a storage has proper permissions, and it’s good to move it somewhere out of the location accessible from the web (even if secured by .htaccess rules).

Figure 1. Encryption preferences section.

Keys management

To manage your keys goto Settings > PGP Keys. There you can generate a new key pair or import keys. See the following screenshots for more details.

Figure 2. Key generation form.

Figure 3. Key information frame.

Composing messages

In message compose screen a new toolbar button is added with popup where you can decide if the message have to be signed and/or encrypted. The behaviour and the icon is slightly different than the one used for Mailvelope functionality. Also, note that we did not change the compose screen in any way, so all standard features like responses and spellchecking actually work.

Figure 4. Encryption options in compose.


You can find the Enigma plugin code in Roundcube 1.0 and 1.1, but only the version in Roundcube 1.2 (current git-master) is usable. I put a lot of work into this plugin and I hope there will be users that will use it. It depends on you if that solution will be extended with S/MIME or other features in future versions. Current state is described in the plugin README file .


Protect Roundcube with Google reCaptcha

reCaptcha plugin for Roundcube is a good way to protect your server against brute-force attacks on a webmail.

We will install it from the plugin’s repository https://github.com/dsoares/rcguard.git. The addon was tested at the moment of the writing of this guide with RoundCube version 1.3.3.

First make sure you’ve got git installed on your server. If it’s missing you can install it either from your OS repository with a package manager or from sources.

So we start

Installation of the plugin into RoundCube on a Directadmin server starts with the following commands:

cd /var/www/html/roundcube/plugins/
GIT_SSL_NO_VERIFY=true git clone https://github.com/dsoares/rcguard.git rcguard
chown -R webapps:webapps rcguard/
cd rcguard
mv config.inc.php.dist config.inc.php

Example of an output from git command:

# GIT_SSL_NO_VERIFY=true git clone https://github.com/dsoares/rcguard.git rcguard
Cloning into 'rcguard'...
remote: Counting objects: 470, done.
remote: Total 470 (delta 0), reused 0 (delta 0), pack-reused 470
Receiving objects: 100% (470/470), 82.68 KiB, done.
Resolving deltas: 100% (240/240), done.

If you see an error you should read everything carefully and try to resolve it. Please feel free to contact us if anything goes wrong here.

Add your reCaptcha keys

Go to https://www.google.com/recaptcha/admin and get your keys.

It’s important to mention, that Google will show reCaptcha only on domains which were registered at Google for these particular pair of keys. It means that you should either register all of your domains at Google if you want to access RoundCube on users’ domains, or use one domain (or hostname) for all users and register one domain at Google.

As soon as you get your keys you should add them into configuration file of the addon.

Open the config file of the plugin in an editor:

vi config.inc.php

and update the following lines with your real public and private keys from Google:

// Public key for reCAPTCHA
$config['recaptcha_publickey'] = '';

// Private key for reCAPTCHA
$config['recaptcha_privatekey'] = '';

So it would look like the following:

// Public key for reCAPTCHA
$rcmail_config['recaptcha_publickey'] = '6LdNmhYTAAAAAOXR**********OcI6MPpePq2eRn';

// Private key for reCAPTCHA
$rcmail_config['recaptcha_privatekey'] = '6LdNmhYTAAAAAB**********vJxvSjDR9VUiDDq-';

For security reasons some symbols are masked here, in your case there should not be asterisks.

You can change other settings of the plugin per your needs. For example this one:

// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 5;

can be changed to

// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 1;

if you want reCaptcha to be shown after the first failed login (the default is 5).

Create MySQL table for the plugin

Connect to mysql either in a shell with the following command:

mysql --defaults-extra-file=/usr/local/directadmin/conf/my.cnf da_roundcube

Or use phpMyAdmin interface and choose DB with name da_roundcube.

Then run the following query:

CREATE TABLE `rcguard` (
  `ip` VARCHAR(40) NOT NULL,
  `hits` INT(10) NOT NULL,
  PRIMARY KEY (`ip`),
  INDEX `last_index` (`last`),
  INDEX `hits_index` (`hits`)
) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;


Here is an example of a desirable output: “Query OK, 0 rows affected (0.03 sec)”, and in full it will look as the following:

MariaDB [da_roundcube]> CREATE TABLE `rcguard` (
    ->   `ip` VARCHAR(40) NOT NULL,
    ->   `first` DATETIME NOT NULL,
    ->   `last` DATETIME NOT NULL,
    ->   `hits` INT(10) NOT NULL,
    ->   PRIMARY KEY (`ip`),
    ->   INDEX `last_index` (`last`),
    ->   INDEX `hits_index` (`hits`)
    -> ) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;
Query OK, 0 rows affected (0.03 sec)

MariaDB [da_roundcube]>
MariaDB [da_roundcube]> quit;

Updating Roundcube config

Now we need to modify RoundCube main configuration in order to let it work with the addon/plugin.

Register the plugin by modifying config.inc.php:

cd /var/www/html/roundcube/config/
vi ./config.inc.php

Find the line

$config['plugins'] = array(

and change it to:

$config['plugins'] = array(

Don’t forget to add a comma in the end of the line.

Protect your customization for future updates

For this you need to copy the plugin and updated config into a special folder of custombuild:

mkdir -p /usr/local/directadmin/custombuild/custom/roundcube/plugins/
cd /usr/local/directadmin/custombuild/custom/roundcube/
cp -r /var/www/html/roundcube/plugins/rcguard ./plugins/
cp -p /var/www/html/roundcube/config/config.inc.php .

Every time when you update a version of RoundCube with Directadmin you will still have the plugin enabled.

That’s it. Tags: directadminE-mailRoundcubepluginsSecurityreCaptcha

ISPConfig 3 + RoundCube Mail 1.0 + Password Management

 Most of the articles on the web are referring to older versions. Below are the steps to get it working.

Assumptions: This works on a Ubuntu Server 12.04 LTS updated with the latest patches, setup by following “Perfect Server” tutorial, then installed with RoundCube 1.0 as the Webmail. (SqurrielMail installation was skipped).

1. Enable the password plugin of RoundCube – The 1.0 version comes with the plugin in the package, but not activated.

Under config/config.inc.php

// ———————————-
// ———————————-
// List of active plugins (in plugins/ directory)
$config[‘plugins’] = array(‘password’);

This tells you will activate the ‘password’ plugin which sits inside the plugins/ directory.

2. Then edit the plugins/password/config.inc.php

$config[‘password_db_dsn’] = ‘mysql://ispconfig:[email protected]/dbispconfig’;

“password” is stored in /usr/local/ispconfig/interface/lib/config.inc.php.

3. Edit $config[‘password_query’] in plugins/password/config.inc.php

$config[‘password_query’] = ‘UPDATE mail_user SET password=%c WHERE email=%u LIMIT 1’;


$config[password_query] =UPDATE mail_user SET password=%c WHERE email=%u and password=%o LIMIT 1‘;