The directory `/decrypted/roundcube` is not writeable by the user
`www-data`. This leads to "unable to connect to the database" errors
from roundcube on new installs. This patch corrects the problem.
- managesieve :: this allows sieve filters to be edited through a
brower
- twofactor_gauthenticator :: allow optional two-factor authentication
when logging into webmail
- carddav :: sync ownCloud contacts with roundcube
Roundcube is not available on Jessie except in backports. This role is
also out of date and needs reviewed and updated for the release included
in backports. Roundcube could alternatively be installed from source as
recommended by the maintainers.
Use "modern" SSLCipherSuite per Mozilla recommendations.
See https://wiki.mozilla.org/Security/Server_Side_TLS for details.
Removes RC4 cipher. Fixes issue #341.
Also explicitly disabled SSLCompression and enables OCSP stapling.
We should put all these settings in
/etc/apache2/mods-enabled/ssl.conf
to avoid duplication...
- Added backports to apt configuration.
- Updated roundcube task to use the roundcube backport.
- Updated roundcube's main.inc.php configuration file to use the one included
in the backport distribution. Migrated configuration parameters from the
existing configuration file except in cases where it looked like the Roundcube
team was changing defaults that were not touched by Sovereign's configuration.
I may have gotten some wrong; needs review by Sovereign maintainer.
Added rules for dealing with old virtualhost files in
/etc/apache2/sites-available and old (dangling) symlinks in
/etc/apaches/sites-enabled.
Also, remove unnecessary apache2 restart after creating a new
virtualhost but not yet enabling it.
On Ubuntu 14.04 LTS, a2ensite automatically appends ".conf" to the filename it looks for in /etc/apache2/sites-available/
Therefore, the file "/etc/apache2/sites-available/roundcube" must be renamed to
"/etc/apache2/sites-available/roundcube.conf".
Security issue:
This file must be owned by root, otherwise it is a huge security issue (User www-data could modify the file and get root at next restart of apache).
The previous behaviour relied on managesieve copying over the
.dovecot.sieve file into the user's directory. I found this to be
particularly fragile. For instance, re-deploying roundcube without
dovecot could overwrite the .dovecot.sieve symlink and break
managesieve.
A better approach is to use the global sieve configuration that
roundcube provides and not mess with dovecot's files directly.