Webmail

ROLE roundcube, webmail.yml

The webmail.yml top-level playbook configures a separate machine with a Roundcube instance that uses your mail server. We build a Docker image from the latest upstream version and set up HTTPS with Let's Encrypt certificates and fail2ban log checking to block brute-force login attempts.

The docker-compose files for this are in /srv/roundcube, and several volumes for the config, preferences database, and source are mounted there. Other volumes are mounted in /var/log. You can rebuild the image at any time with:

$ cd /srv/roundcube
$ docker-compose down
$ docker-compose build
$ docker-compose up -d

Variables

The webmail.yml group vars file holds the webmail settings. The webmail_server_name is the machine name that you are using, and webmail_product_name can be set to a custom title for the pages.

webmail_server_name: 'webmail.{{ domain }}'
webmail_product_name: My Special Webmail

There are some other settings for the firewall, fail2ban, and certificates, but you should not need to change them. Open up the managesieve port on your mail server firewall by adding 'sieve' to the firewall services in the cloud.yml group settings.

Why These Packages?

I did not plan to install a webmail package, or any other PHP-based application, but it turns out that Chromebooks do not have a built-in IMAP client. There are ways to install one, but this may not be an option in certain situations.

Roundcube is a solid choice and probably the most popular open-source webmail. It seems to have twice as many active developers and addresses issues more quickly than Rainloop. The new reactive UI is a big improvement over the previous layout, although as of this writing, it is still too new for the Debian backports.

Since I wanted the latest version, I decided to just use the Docker image published by the project. Running it in a container is also a nice way to limit any damage from possible PHP exploits. It was my first experience with Docker and I was quite impressed at having a basic image running in about ten minutes.

Getting the firewall and fail2ban working properly took a bit more effort though. We had been doing simple filtering on the INPUT chain, and needed to reorganize our rules to protect Docker containers. We also needed to make some changes in the Docker image to expose the logs so that we could scan them with fail2ban.

Ultimately though, I was very impressed with Docker, and will happily use it again.
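A prototype of the fail2ban check that runs over the Roundcube logs exposed in /var/log, added here as an example and not part of the playbook or of Roundcube itself. The log lines are constructed in the layout of Roundcube's errors.log, the regular expression stands in for a fail2ban failregex (its host group is fail2ban's <HOST>), and the maxretry and findtime values are assumptions chosen for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the layout of Roundcube's errors.log (the log the
# playbook exposes under /var/log for fail2ban). IPs are documentation ranges.
SAMPLE_LOG = """\
[02-Mar-2024 10:00:01 +0000]: <a1b2c3d4> IMAP Error: Login failed for alice@example.com against localhost from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed
[02-Mar-2024 10:00:09 +0000]: <a1b2c3d4> IMAP Error: Login failed for alice@example.com against localhost from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed
[02-Mar-2024 10:00:20 +0000]: <a1b2c3d4> IMAP Error: Login failed for bob@example.com against localhost from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed
[02-Mar-2024 10:01:00 +0000]: <e5f6a7b8> IMAP Error: Login failed for carol@example.com against localhost from 198.51.100.7. AUTHENTICATE PLAIN: Authentication failed
[02-Mar-2024 10:01:30 +0000]: <e5f6a7b8> PHP Warning: unrelated notice mentioning 198.51.100.7
[02-Mar-2024 10:05:00 +0000]: <c9d0e1f2> IMAP Error: Login failed for dave@example.com against localhost from 192.0.2.9. AUTHENTICATE PLAIN: Authentication failed
[02-Mar-2024 10:20:00 +0000]: <c9d0e1f2> IMAP Error: Login failed for dave@example.com against localhost from 192.0.2.9. AUTHENTICATE PLAIN: Authentication failed
[02-Mar-2024 10:35:00 +0000]: <c9d0e1f2> IMAP Error: Login failed for dave@example.com against localhost from 192.0.2.9. AUTHENTICATE PLAIN: Authentication failed
"""

# Stand-in for a fail2ban failregex: a failed IMAP login plus the client IP.
# The "host" group plays the role of fail2ban's <HOST> placeholder.
LOGIN_FAILED = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: <\S+> IMAP Error: Login failed for \S+ "
    r"(?:against \S+ )?from (?P<host>\d{1,3}(?:\.\d{1,3}){3})\b"
)

def parse_failures(log_text):
    """Return (timestamp, ip) for every failed-login line, in log order."""
    failures = []
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S %z")
            failures.append((ts, m.group("host")))
    return failures

def ips_to_ban(failures, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban's rule: ban an IP with >= maxretry failures inside any
    sliding findtime window (demo values; fail2ban defaults differ)."""
    recent = defaultdict(deque)
    banned = set()
    for ts, ip in failures:
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

if __name__ == "__main__":
    print(sorted(ips_to_ban(parse_failures(SAMPLE_LOG))))  # ['203.0.113.5']
```

Only 203.0.113.5 trips the threshold: 198.51.100.7 has a single failure, and 192.0.2.9 spreads its failures too thinly for the window, which is exactly the difference between maxretry and findtime in a jail.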