Enigma plugin (PGP encryption) Roundcube

You have to set up Enigma plugin :

cp /……../roundcubemail/plugins/enigma/config.inc.php.dist /……../roundcubemail/plugins/enigma/config.inc.php

<?php

// Enigma Plugin options
// --------------------

// A driver to use for PGP. Default: "gnupg".
$config['enigma_pgp_driver'] = 'gnupg';

// A driver to use for S/MIME. Default: "phpssl".
$config['enigma_smime_driver'] = 'phpssl';

// Enables logging of enigma operations (including Crypt_GPG debug info)
$config['enigma_debug'] = true;

// Keys directory for all users. Default 'enigma/home'.
// Must be writeable by PHP process
$config['enigma_pgp_homedir'] = enigma/home;

// Location of gpg binary. By default it will be auto-detected.
// This is also a way to force gpg2 use if there are both 1.x and 2.x on the system.
$config['enigma_pgp_binary'] = '/usr/bin/gpg';

// Location of gpg-agent binary. By default it will be auto-detected.
// It's used with GnuPG 2.x.
$config['enigma_pgp_agent'] = '';

// Location of gpgconf binary. By default it will be auto-detected.
// It's used with GnuPG >= 2.1.
$config['enigma_pgp_gpgconf'] = '';

// Enables signatures verification feature.
$config['enigma_signatures'] = true;

// Enables messages decryption feature.
$config['enigma_decryption'] = true;

// Enables messages encryption and signing feature.
$config['enigma_encryption'] = true;

// Enable signing all messages by default
$config['enigma_sign_all'] = false;

// Enable encrypting all messages by default
$config['enigma_encrypt_all'] = false;

// Enable attaching a public key to all messages by default
$config['enigma_attach_pubkey'] = false;

// Default for how long to store private key passwords (in minutes).
// When set to 0 passwords will be stored for the whole session.
$config['enigma_password_time'] = 0;

// With this option you can lock composing options
// of the plugin forcing the user to use configured settings.
// The array accepts: 'sign', 'encrypt', 'pubkey'.
//
// For example, to force your users to sign every email,
// you should set:
//     - enigma_sign_all     = true
//     - enigma_options_lock = array('sign')
//     - dont_override       = array('enigma_sign_all')
$config['enigma_options_lock'] = array();

 

Installation and settings Enigma plugin

Preferences > Settings > Encryption you’ll have the possibility to enable/disable encryption-related features.

The keys are stored on the server.

Figure 1. Encryption preferences section.
enigma_settings

Goto Settings > PGP Keys. There you can generate a new key pair or import keys.

Figure 2. Key generation form.
enigma_keygen

Figure 3. Key information frame.
enigma_keyinfo

Composing messages

Figure 4. Encryption options in compose.
enigma_compose

 

 

Protect Roundcube with Google reCaptcha

reCaptcha plugin for Roundcube is a good way to protect your server against brute-force attacks on a webmail.

We will install it from the plugin’s repository https://github.com/dsoares/rcguard.git. The addon was tested at the moment of the writing of this guide with RoundCube version 1.3.3.

First make sure you’ve got git installed on your server. If it’s missing you can install it either from your OS repository with a package manager or from sources.

So we start

Installation of the plugin into RoundCube on a Directadmin server starts with the following commands:

cd /var/www/html/roundcube/plugins/
GIT_SSL_NO_VERIFY=true git clone https://github.com/dsoares/rcguard.git rcguard
chown -R webapps:webapps rcguard/
cd rcguard
mv config.inc.php.dist config.inc.php

Example of an output from git command:

# GIT_SSL_NO_VERIFY=true git clone https://github.com/dsoares/rcguard.git rcguard
Cloning into 'rcguard'...
remote: Counting objects: 470, done.
remote: Total 470 (delta 0), reused 0 (delta 0), pack-reused 470
Receiving objects: 100% (470/470), 82.68 KiB, done.
Resolving deltas: 100% (240/240), done.

If you see an error you should read everything carefully and try to resolve it. Please feel free to contact us if anything goes wrong here.

Add your reCaptcha keys

Go to https://www.google.com/recaptcha/admin and get your keys.

It’s important to mention, that Google will show reCaptcha only on domains which were registered at Google for these particular pair of keys. It means that you should either register all of your domains at Google if you want to access RoundCube on users’ domains, or use one domain (or hostname) for all users and register one domain at Google.

As soon as you get your keys you should add them into configuration file of the addon.

Open the config file of the plugin in an editor:

vi config.inc.php

and update the following lines with your real public and private keys from Google:

// Public key for reCAPTCHA
$config['recaptcha_publickey'] = '';

// Private key for reCAPTCHA
$config['recaptcha_privatekey'] = '';

So it would look like the following:

// Public key for reCAPTCHA
$rcmail_config['recaptcha_publickey'] = '6LdNmhYTAAAAAOXR**********OcI6MPpePq2eRn';

// Private key for reCAPTCHA
$rcmail_config['recaptcha_privatekey'] = '6LdNmhYTAAAAAB**********vJxvSjDR9VUiDDq-';

For security reasons some symbols are masked here, in your case there should not be asterisks.

You can change other settings of the plugin per your needs. For example this one:

// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 5;

can be changed to

// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 1;

if you want reCaptcha to be shown after the first failed login (the default is 5).

Create MySQL table for the plugin

Connect to mysql either in a shell with the following command:

mysql --defaults-extra-file=/usr/local/directadmin/conf/my.cnf da_roundcube

Or use phpMyAdmin interface and choose DB with name da_roundcube.

Then run the following query:

CREATE TABLE `rcguard` (
  `ip` VARCHAR(40) NOT NULL,
  `first` DATETIME NOT NULL,
  `last` DATETIME NOT NULL,
  `hits` INT(10) NOT NULL,
  PRIMARY KEY (`ip`),
  INDEX `last_index` (`last`),
  INDEX `hits_index` (`hits`)
) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;

quit;

Here is an example of a desirable output: “Query OK, 0 rows affected (0.03 sec)”, and in full it will look as the following:

MariaDB [da_roundcube]> CREATE TABLE `rcguard` (
    ->   `ip` VARCHAR(40) NOT NULL,
    ->   `first` DATETIME NOT NULL,
    ->   `last` DATETIME NOT NULL,
    ->   `hits` INT(10) NOT NULL,
    ->   PRIMARY KEY (`ip`),
    ->   INDEX `last_index` (`last`),
    ->   INDEX `hits_index` (`hits`)
    -> ) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;
Query OK, 0 rows affected (0.03 sec)

MariaDB [da_roundcube]>
MariaDB [da_roundcube]> quit;
Bye

Updating Roundcube config

Now we need to modify RoundCube main configuration in order to let it work with the addon/plugin.

Register the plugin by modifying config.inc.php:

cd /var/www/html/roundcube/config/
vi ./config.inc.php

Find the line

$config['plugins'] = array(

and change it to:

$config['plugins'] = array(
    'rcguard',

Don’t forget to add a comma in the end of the line.

Protect your customization for future updates

For this you need to copy the plugin and updated config into a special folder of custombuild:

mkdir -p /usr/local/directadmin/custombuild/custom/roundcube/plugins/
cd /usr/local/directadmin/custombuild/custom/roundcube/
cp -r /var/www/html/roundcube/plugins/rcguard ./plugins/
cp -p /var/www/html/roundcube/config/config.inc.php .

Every time when you update a version of RoundCube with Directadmin you will still have the plugin enabled.

That’s it. Tags: directadminE-mailRoundcubepluginsSecurityreCaptcha

ISPConfig 3 + RoundCube Mail 1.0 + Password Management

 Most of the articles on the web are referring to older versions. Below are the steps to get it working.

Assumptions: This works on a Ubuntu Server 12.04 LTS updated with the latest patches, setup by following “Perfect Server” tutorial, then installed with RoundCube 1.0 as the Webmail. (SqurrielMail installation was skipped).

1. Enable the password plugin of RoundCube – The 1.0 version comes with the plugin in the package, but not activated.

Under config/config.inc.php

// ———————————-
// PLUGINS
// ———————————-
// List of active plugins (in plugins/ directory)
$config[‘plugins’] = array(‘password’);

This tells you will activate the ‘password’ plugin which sits inside the plugins/ directory.

2. Then edit the plugins/password/config.inc.php

$config[‘password_db_dsn’] = ‘mysql://ispconfig:[email protected]/dbispconfig’;

“password” is stored in /usr/local/ispconfig/interface/lib/config.inc.php.

3. Edit $config[‘password_query’] in plugins/password/config.inc.php

$config[‘password_query’] = ‘UPDATE mail_user SET password=%c WHERE email=%u LIMIT 1’;

or

$config[password_query] =UPDATE mail_user SET password=%c WHERE email=%u and password=%o LIMIT 1‘;