Roundcube: Ubuntu 26.04 Installation


Below is a Roundcube + SMTP + IMAP + POP3 setup on Ubuntu 26.04 for local pentest practice, without a firewall and without a database server. Roundcube still needs a small database for sessions and preferences, so we use local SQLite rather than MariaDB/PostgreSQL. This matches Roundcube's requirements, which call for SMTP, IMAP, HTTP/PHP, and a database backend such as SQLite. ([GitHub][1])

Lab design:

Postfix   = SMTP
Dovecot   = IMAP + POP3
Roundcube = Webmail
SQLite    = local Roundcube database, no DB server
Domain    = lab.local
User      = local Linux users


1. Set the local hostname

sudo hostnamectl set-hostname mail.lab.local

echo "127.0.1.1 mail.lab.local mail" | sudo tee -a /etc/hosts
echo "lab.local" | sudo tee /etc/mailname

Check:

hostname -f
cat /etc/mailname

2. Install the main packages

sudo apt update
sudo apt upgrade -y

sudo apt install -y \
  postfix \
  dovecot-core dovecot-imapd dovecot-pop3d \
  apache2 ssl-cert \
  roundcube roundcube-sqlite3 roundcube-plugins \
  php php-cli php-sqlite3 php-mbstring php-xml php-intl php-curl php-zip php-gd \
  mailutils swaks

When the Postfix configuration prompt appears:

General type of mail configuration: Internet Site
System mail name: lab.local

Ubuntu itself recommends Postfix for SMTP, Maildir as the mailbox format, and Dovecot SASL for SMTP-AUTH. ([Ubuntu][2])

3. Configure local Postfix SMTP that is not an open relay

Edit the Postfix configuration using `postconf`:

sudo postconf -e "myhostname = mail.lab.local"
sudo postconf -e "mydomain = lab.local"
sudo postconf -e "myorigin = /etc/mailname" 

sudo postconf -e "mydestination = \$myhostname, localhost.\$mydomain, localhost, \$mydomain"
sudo postconf -e "home_mailbox = Maildir/"

sudo postconf -e "inet_interfaces = all"
sudo postconf -e "inet_protocols = ipv4"

sudo postconf -e "mynetworks = 127.0.0.0/8"
sudo postconf -e "relayhost ="
sudo postconf -e "smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination"

sudo postconf -e "disable_vrfy_command = yes"
sudo postconf -e "smtpd_banner = \$myhostname ESMTP"

Enable self-signed TLS for the lab:

sudo postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem"
sudo postconf -e "smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key"
sudo postconf -e "smtpd_tls_security_level = may"
sudo postconf -e "smtp_tls_security_level = may"
sudo postconf -e "smtpd_tls_auth_only = yes"

Enable SMTP authentication via Dovecot:

sudo postconf -e "smtpd_sasl_type = dovecot"
sudo postconf -e "smtpd_sasl_path = private/auth"
sudo postconf -e "smtpd_sasl_security_options = noanonymous"
sudo postconf -e "smtpd_sasl_auth_enable = yes"

Enable the submission port `587`:

sudo postconf -M submission/inet="submission inet n - y - - smtpd"

sudo postconf -P "submission/inet/syslog_name=postfix/submission"
sudo postconf -P "submission/inet/smtpd_tls_security_level=encrypt"
sudo postconf -P "submission/inet/smtpd_sasl_auth_enable=yes"
sudo postconf -P "submission/inet/smtpd_relay_restrictions=permit_sasl_authenticated,reject"

4. Configure Dovecot IMAP + POP3

Create a local configuration file:

sudo nano /etc/dovecot/conf.d/99-local-lab.conf

Contents:

protocols = imap pop3

mail_location = maildir:~/Maildir

disable_plaintext_auth = yes
auth_mechanisms = plain login

ssl = required
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

This means:

Plain IMAP  : 143, but login requires STARTTLS
IMAPS       : 993
Plain POP3  : 110, but login requires STARTTLS
POP3S       : 995
SMTP        : 25
Submission  : 587, TLS + login required

Dovecot does support IMAP/POP3 and can use Linux system users as the login backend. ([doc.dovecot.org][3])


5. Create local email users

Example users:

sudo adduser alice
sudo adduser bob

Create the Maildir:

for u in alice bob; do
  sudo -u "$u" mkdir -p /home/$u/Maildir/{cur,new,tmp}
  sudo chmod -R 700 /home/$u/Maildir
done

Their email addresses will be:

alice@lab.local
bob@lab.local

6. Configure Roundcube with SQLite

Check the configuration file:

sudo cp /etc/roundcube/config.inc.php /etc/roundcube/config.inc.php.bak
sudo nano /etc/roundcube/config.inc.php

Add or adjust:

// With imap_host/smtp_host (Roundcube 1.6+) the port is part of the host URI;
// separate imap_port/smtp_port options are not read.
$config['imap_host'] = 'tls://localhost:143';

$config['smtp_host'] = 'tls://localhost:587';
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';

$config['username_domain'] = 'lab.local';

$config['product_name'] = 'Roundcube Lab';
$config['enable_spellcheck'] = false;

$config['identities_level'] = 3;

$config['plugins'] = [
    'archive',
    'zipdownload'
];

Roundcube uses `imap_host` for the IMAP connection and `smtp_host` for sending over SMTP; `tls://` means STARTTLS. ([GitHub][4])

Set the permissions:

sudo chown -R www-data:www-data /var/lib/roundcube
sudo chown -R root:www-data /etc/roundcube
sudo chmod 640 /etc/roundcube/config.inc.php

7. Apache HTTPS for Roundcube

Enable the Apache modules:

sudo a2enmod ssl rewrite headers

Create the virtual host:

sudo nano /etc/apache2/sites-available/roundcube-lab.conf

Contents:

<VirtualHost *:80>
    ServerName mail.lab.local
    Redirect permanent / https://mail.lab.local/
</VirtualHost>

<VirtualHost *:443>
    ServerName mail.lab.local

    DocumentRoot /usr/share/roundcube

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "same-origin"

    <Directory /usr/share/roundcube>
        Options -Indexes
        AllowOverride All
        Require all granted
    </Directory>

    <Directory /usr/share/roundcube/config>
        Require all denied
    </Directory>

    <Directory /usr/share/roundcube/temp>
        Require all denied
    </Directory>

    <Directory /usr/share/roundcube/logs>
        Require all denied
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/roundcube_error.log
    CustomLog ${APACHE_LOG_DIR}/roundcube_access.log combined
</VirtualHost>

Enable the site:

sudo a2ensite roundcube-lab.conf
sudo a2dissite 000-default.conf
sudo apache2ctl configtest
sudo systemctl reload apache2

8. Restart all services

sudo systemctl restart postfix
sudo systemctl restart dovecot
sudo systemctl restart apache2

sudo systemctl enable postfix dovecot apache2

Check the status:

systemctl status postfix --no-pager
systemctl status dovecot --no-pager
systemctl status apache2 --no-pager

9. Check the active ports

Because there is no firewall, make sure that only the lab services are actually open:

sudo ss -tulpn | grep -E ':(25|80|110|143|443|587|993|995)\s'

You should see roughly:

25    postfix SMTP
80    apache redirect to HTTPS
110   dovecot POP3
143   dovecot IMAP
443   apache Roundcube HTTPS
587   postfix submission
993   dovecot IMAPS
995   dovecot POP3S
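
Filtering for the expected ports only shows what you planned for; it cannot reveal a listener you did not plan for. The following added example (not part of the original page) reads `ss -H -tln` output and reports non-loopback listeners outside the lab's port list, plus lab ports with no listener. The function names and the sample socket list are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets against the lab's port list.
# Input format: `ss -H -tln` (no header; column 4 is Local Address:Port).

ALLOWED_PORTS="25 80 110 143 443 587 993 995"   # ports from the lab design

# Print "addr:port" for each listener reachable off-host (not 127.0.0.0/8
# or ::1) whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
      sub(/%.*$/, "", addr)                  # drop scope, e.g. 127.0.0.53%lo
      if (addr ~ /^127\./ || addr == "[::1]") next
      if (!(port in ok)) print addr ":" port
    }' | sort -u
}

# Print each allowed port that has no listener at all.
missing_ports() {
  awk -v allowed="$ALLOWED_PORTS" '
    { port = $4; sub(/.*:/, "", port); seen[port] = 1 }
    END {
      n = split(allowed, a, " ")
      for (i = 1; i <= n; i++) if (!(a[i] in seen)) print a[i]
    }'
}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
sample_ss() {
  cat <<'EOF'
LISTEN 0 100  0.0.0.0:25        0.0.0.0:*
LISTEN 0 100  0.0.0.0:587       0.0.0.0:*
LISTEN 0 100  0.0.0.0:143       0.0.0.0:*
LISTEN 0 511  *:443             *:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 4096 [::1]:631         [::]:*
LISTEN 0 80   0.0.0.0:3306      0.0.0.0:*
EOF
}

# On the lab host: ss -H -tln | unexpected_listeners
echo "Unexpected listeners:"; sample_ss | unexpected_listeners
echo "Lab ports not listening:"; sample_ss | missing_ports
```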

10. Test sending local email

Send from `alice` to `bob`:

echo "Halo Bob dari Alice" | mail -s "Test lokal" bob@lab.local

Check Bob's mailbox:

sudo ls -lah /home/bob/Maildir/new/

Test SMTP with `swaks`:

swaks \
  --to bob@lab.local \
  --from alice@lab.local \
  --server 127.0.0.1 \
  --data "Subject: Test SMTP lokal

Ini test SMTP lokal."

Test IMAP over TLS:

openssl s_client -connect localhost:993

Test POP3 over TLS:

openssl s_client -connect localhost:995


11. Access Roundcube

On the lab computer, add a local DNS entry in `/etc/hosts`:

sudo nano /etc/hosts

Contents, adjusted to the server's IP:

192.168.0.105 mail.lab.local

Open a browser:

https://mail.lab.local

Login:

Username: alice
Password: alice's Linux password

or:

Username: bob
Password: bob's Linux password

12. Minimal hardening even without a firewall

Because this runs without a firewall, security has to come from the service configuration:

sudo postconf -n
sudo doveconf -n

Make sure that:

mynetworks = 127.0.0.0/8
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
disable_plaintext_auth = yes
ssl = required
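
An added example (not from the original page) that checks these four values automatically. It assumes the input comes from `postconf mynetworks smtpd_relay_restrictions` and `doveconf disable_plaintext_auth ssl`, which print effective values including defaults, whereas `-n` omits settings left at their default. The function names and sample dumps are constructed.

```shell
#!/bin/sh
# Added example: detect drift from the four hardening values listed above.

# stdin = "key = value" lines, $1 = key. Prints the value with whitespace
# and comma spacing normalised, or nothing when the key is absent.
setting_value() {
  awk -v key="$1" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    index(line, key " =") == 1 || index(line, key "=") == 1 {
      sub(/^[^=]*=[ \t]*/, "", line)
      gsub(/[ \t]*,[ \t]*/, ", ", line); gsub(/[ \t]+/, " ", line)
      sub(/ $/, "", line); print line; exit
    }'
}

# stdin = combined postconf/doveconf output. Prints one DRIFT line per
# deviation and returns non-zero if any setting differs from the page.
audit() {
  dump=$(cat); rc=0
  while IFS='|' read -r key want; do
    got=$(printf '%s\n' "$dump" | setting_value "$key")
    [ "$got" = "$want" ] && continue
    echo "DRIFT $key: got '${got:-<unset>}', want '$want'"; rc=1
  done <<'EOF'
mynetworks|127.0.0.0/8
smtpd_relay_restrictions|permit_sasl_authenticated, reject_unauth_destination
disable_plaintext_auth|yes
ssl|required
EOF
  return $rc
}

# Constructed samples (not captured from a real host).
sample_good() {
  printf '%s\n' 'mynetworks = 127.0.0.0/8' \
    'smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination' \
    'disable_plaintext_auth = yes' 'ssl = required'
}
sample_drifted() {
  printf '%s\n' 'mynetworks = 127.0.0.0/8 192.168.0.0/24' \
    'smtpd_relay_restrictions = permit_sasl_authenticated,reject_unauth_destination' \
    'disable_plaintext_auth = no' 'ssl = required'
}

# On the lab host:
#   { postconf mynetworks smtpd_relay_restrictions;
#     doveconf disable_plaintext_auth ssl; } | audit
sample_drifted | audit || true
```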

Do not expose this server to the internet. Roundcube has a history of security issues, including XSS and other issues fixed through Ubuntu updates, so even in a lab keep running regular updates. ([Ubuntu][5])

Regular updates:

sudo apt update
sudo apt upgrade -y

Important logs:

sudo tail -f /var/log/mail.log
sudo tail -f /var/log/apache2/roundcube_error.log


Port summary for local pentest practice

| Service    | Port | Function                             |
| ---------- | ---: | ------------------------------------ |
| SMTP       |   25 | Send mail server-to-server / locally |
| Submission |  587 | Send email with login                |
| POP3       |  110 | Retrieve email via POP3 STARTTLS     |
| POP3S      |  995 | POP3 TLS                             |
| IMAP       |  143 | Retrieve email via IMAP STARTTLS     |
| IMAPS      |  993 | IMAP TLS                             |
| HTTP       |   80 | Redirect to HTTPS                    |
| HTTPS      |  443 | Roundcube webmail                    |

This setup is suitable for a local pentest lab: the services are visible on the network, but the server does not become an open relay and does not use an external database server.

[1]: https://github.com/roundcube/roundcubemail/wiki/Install-Requirements/ab3a40cda448387594f6c3d49c1f239e62e7711c "Install Requirements · roundcube/roundcubemail Wiki · GitHub"
[2]: https://ubuntu.com/server/docs/how-to/mail-services/install-postfix/ "Install and configure Postfix - Ubuntu Server documentation"
[3]: https://doc.dovecot.org/2.3/configuration_manual/system_users/?utm_source=chatgpt.com "System Users — Dovecot documentation"
[4]: https://github.com/roundcube/roundcubemail/wiki/Configuration "Configuration · roundcube/roundcubemail Wiki · GitHub"
[5]: https://ubuntu.com/security/notices/USN-8132-1 "USN-8132-1: Roundcube Webmail vulnerabilities | Ubuntu security notices | Ubuntu"