Webmail with roundcube, postfix and dovecot

Note: the coherence in this post is not my usual level, mostly because it's an edit of something I dictated to my phone and later transcribed with Whisper. Rambling to a phone for 15m is not the same as sitting down a couple of hours to write. So pardon the apparent incoherence.

I have had the same email account for more than 20, maybe 25 years, and this account lives on a computer that used to be an important computer at the university, but now it's just a VM. That means that all my personal email goes to a computer that cannot really handle all the volume I have accumulated in those 20, 25 years. To cope with that I've been fetching all the emails onto my personal laptop at home, and then doing a backup to my home server. That way I always have all the email on my computer.

But lately I'm not at my computer as much as I used to be. To start with, I don't work on that computer like I used to, and also I have less computer time than before (kids, family, friends, other activities). That means that most of the time I cannot read my email because it's stuck in a mutt session on my laptop at home. What I do have with me most of the time is my phone, so what can I do to make my phone able to reach those emails at home? And sometimes I don't even have my phone, and I only have someone else's computer. How can I reach my emails there?

The solution is not so simple, but it involves this home server that I have. The idea is to set up an email server on it that will do basically four different things. First, it will fetch all the emails from the small server; my personal computer will not do that anymore. Second, it will have an SMTP server that will have that VM as a smart host, and forward all emails to it. Third, it will provide an IMAP server that will serve all those emails, and fourth, it will provide a webmail interface.

That home server is running Debian, so that means that I will preferably install things via packages, and luckily, most of the software is already available. For the SMTP server I will use Postfix, for the IMAP server I will use Dovecot, and finally for the webmail I will use RoundCube.

The first thing I set up was Postfix, and it was quite easy. I started by configuring it with dpkg-reconfigure -p low postfix so it would ask all the questions about the email setup. It was not good enough because I needed to authenticate to the smart host, so there was some further configuration on that, but it's very well documented, so it was easy to do.

The second part was the IMAP server, and it was also very easy. Dovecot does not ask you anything at install time, but the configuration is quite easy, especially when you use PAM authentication. Once I had Dovecot running with authentication, I connected Postfix to Dovecot to do authentication. It was also easy to use the Let's Encrypt certificates with both services.

Then came the time to do RoundCube. Installing it was quite easy. Doing IMAP was quite easy too, especially because it's not using the IMAPS port, but only the IMAP port via localhost. Then came the time to configure it to send email. Initially Postfix was doing SMTP and submission without authentication and RoundCube by default uses it, and it was complaining when the AUTH capability was not being offered before switching to TLS:

 SMTP server does not support authentication

I didn't have authentication on Postfix, so I configured Postfix with Dovecot, and it worked on the phone (K9 on Android), but on RoundCube it still refused to work. When I asked in #postfix@libera.chat, people told me that AUTH will not appear until the client turns on TLS, which RoundCube didn't seem to be doing, so I decided that I would rather have implicit encryption instead. I turned off SMTP and submission and turned on submissions on Postfix. K9 connected to it fine, but RoundCube still refused, now with these messages:

 PHP Error: Failed to connect socket: Connection refused
 SMTP Error: Connection failed:  (Code: -1)

Anyone used to developing clients knows that Connection refused means the port is not available, either because nothing is listening there or because there's a firewall, but the port was open and there was no firewall involved; and, again, K9 connected just fine. I even stopped apache2 and ran strace apache -X while turning on debugging logs in Postfix and I could actually see RoundCube properly connect but issue a QUIT command right after connection.

RoundCube makes a little bit of a mess with the configuration around encryption. There's a setting that is called smtp_host; at least that's how Debian writes config.inc.php. In that setting you have to put the address or the name of the server that RoundCube should use for sending emails. If you don't put any protocol in the URI, it will assume the protocol is SMTP. The second option is using explicit encryption with StartTLS. Unluckily, RoundCube decided to use tls:// as the protocol for that. The third option, which is called implicit encryption, is currently using TLS, which superseded SSL, but RoundCube's protocol for that is ssl:// and not tls://.

That's the first source of confusion; the second source of confusion is that the Debian configuration file lists the setting as smtp_host, but if you check RoundCube's documentation, it's smtp_server. In fact, RoundCube seems to accept both, but when you're writing the configuration file and reading documentation at the same time, it's just confusing.

Debian by default uses tls://localhost:576, and confused with the TLS/SSL thing explained before, I changed it to tls://localhost:465. Once I figured out the TLS/SSL thing, I used ssl://localhost:465, but still no cigar. By this time I was in the ##email@libera.chat IRC channel, and someone pointed out that it was maybe the fact that the Let's Encrypt certificate does not cover localhost. And that was it, I changed the URI to point to the FQDN of the certificate and it worked.

To be honest, when K9 connected to both IMAP and submissions, it complained about the cert (I was connecting via IP), but I told it to ignore that. RoundCube, instead, just complained it couldn't connect and led me into the wrong rabbit hole.
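
Both pitfalls above (scheme prefix versus transport, and a certificate that does not cover the name in the URI) can be checked mechanically. The following Python script is an added example, not part of the original post or of RoundCube: mail.example.org is a placeholder FQDN, the port table is the RFC 8314 convention used as a heuristic, and parse_smtp_host(), name_covered(), lint() and probe() are hypothetical helper names.

```python
import smtplib
import ssl

# RoundCube scheme prefix -> transport, as described in the post.
MODES = {"": "plain", "tls": "starttls", "ssl": "implicit"}
# Conventional ports (RFC 8314); a heuristic, servers may be set up otherwise.
USUAL_MODE = {465: "implicit", 587: "starttls"}

def parse_smtp_host(value):
    """Split an smtp_host value into (mode, host, port); no IPv6 literals."""
    scheme, _, rest = value.rpartition("://")
    if scheme not in MODES:
        raise ValueError(f"unknown scheme {scheme!r}")
    host, _, port = rest.partition(":")
    return MODES[scheme], host.lower(), int(port) if port else None

def name_covered(host, dns_names):
    """True if host matches a certificate dNSName (exact or '*.' wildcard)."""
    parent = host.partition(".")[2]
    return any(p.lower() == host or (parent and p.lower() == "*." + parent)
               for p in dns_names)

def lint(value, cert_dns_names):
    """Offline check of an smtp_host value against the certificate's names."""
    mode, host, port = parse_smtp_host(value)
    problems = []
    if mode == "plain":
        problems.append("no TLS, so AUTH may never be offered")
    elif USUAL_MODE.get(port, mode) != mode:
        problems.append(f"port {port} usually speaks {USUAL_MODE[port]} TLS, not {mode}")
    if mode != "plain" and not name_covered(host, cert_dns_names):
        problems.append(f"certificate does not cover {host!r}")
    return problems

def probe(value, timeout=5):
    """Live check with a verifying TLS context; None means the handshake passed."""
    mode, host, port = parse_smtp_host(value)
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        if mode == "implicit":
            smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx).quit()
        elif mode == "starttls":
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.starttls(context=ctx)
        else:
            return "plain SMTP: no TLS to verify"
    except (OSError, smtplib.SMTPException) as exc:
        return f"{type(exc).__name__}: {exc}"
    return None
```

lint() needs only the setting and the names on the certificate; probe() talks to the running server and returns the certificate verification error as text instead of a generic connection failure.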

My main email workflow will continue to be through my laptop, so the next step is to synchronize my laptop emails with the server. mbsync in the isync package seems to be the answer, but that's a story for another time.