Configuring a cloud-based secure multi-domain web and e-mail server


Installing Roundcube webmail

I’ll let you in on a little secret – you don’t need to install Roundcube to get webmail. That’s right – browsing to http://webmail.example.com should redirect you to https://example.com:20000, which is the default port for Usermin. Usermin basically grants users access to their e-mail. That being said, Roundcube is a much nicer webmail implementation – and I highly suggest installing it.

Virtualmin includes an installation script for Roundcube that makes this step a breeze. Let’s start by pointing our browser to our Virtualmin installation (https://mail.example.com:10000) and logging in with root credentials.

In the left navigation pane, click the “Install scripts” link. On the “Available scripts” tab, in the “Email” section, you’ll see the Roundcube script. Select this script, then click the “Show Install Options” button.

I like for my webmail to be available at http://example.com/mail, so I’m going to change the “Install sub-directory under public_html” value from “roundcube” to “mail”. Click the “Install Now” button.

Upon completion of the Roundcube installation, you should be able to browse to http://example.com/mail, log in with your credentials, and gain access to your mailbox via webmail.

Now would be a good time to send that e-mail message to check-auth@verifier.port25.com to verify your DKIM configuration. The reply also reports on compliance with other sender-authentication protocols, such as checking your SPF record.

Speaking of, let’s create an SPF record.

Creating an SPF record

An SPF record is simply a specially crafted TXT DNS record. There are numerous SPF generators available online – I’ll use Microsoft’s in this example. Browse to the Sender ID Framework SPF Record Wizard and answer a few questions. They’ll provide you the necessary information to add to a DNS TXT record.

Conveniently, Microsoft seemed to take their generator offline for maintenance around the same time I published this article. I’ve found another generator that I feel does a better job of explaining each of the steps. Start generating your SPF record here.

Let’s assume the following:

  • Our Linode server has a hostname.domainname of mail.example.com
  • We have two domains we’ve added via Virtualmin – example.com and anotherdomain.com
  • We are creating an SPF record for mail sent from a user at example.com, such as newuser@example.com

Once we generate the SPF record we’ll need to add it as a DNS TXT record on the domain from which the e-mail is sent, not the domain of the mailserver. In this example, we’re adding an SPF record for example.com. I buy my domains from GoDaddy.com, so I’ll give examples of how to configure your DNS through their interface.

First, let’s create our SPF record. Starting at xNode’s generator page, we need to specify ALL the IP addresses that may send mail from example.com. If you only have this one server, and aren’t spreading your mail service load across multiple servers, then simply enter the IPv4 address of your server. You can find this information in your Linode Manager > Linode > Dashboard > Remote Access. If you’re entering multiple addresses, separate them with a space.

Next, we need to add all the IPv6 addresses of servers mailing on your example.com domain’s behalf. Again, if you aren’t load-balancing e-mail services and only have the one server, simply enter the IPv6 address of your server. Not surprisingly, you can find this information in your Linode Manager > Linode > Dashboard > Remote Access. If adding multiple addresses, use a space separator.

The next section asks for all domains whose IP addresses should also be able to send mail from my domain. I entered here both example.com and anotherdomain.com, although I believe we could skip this step.

I left the next section blank. Had I specified a domain, the settings from the specified domain’s SPF record would be added to the current domain’s settings.

NOTE: Technically, you could simply click the “Create” button at the bottom without entering ANY values to create a basic SPF record that will work for most simple mail servers, so skipping any of the sections is an option.

Under the “Allow IP addresses that…” section, I left the default, which is all three options checked.

Finally, the last section covers what happens when a server tries to send mail from “example.com” but doesn’t match any of the criteria specified in the SPF record. The default value is to not allow that mail: the record ends in -all, which tells receiving mail servers to reject it.

Click the “Create” button, and you’ll see your SPF record appear at the top of the page. A default SPF record looks like “v=spf1 a mx ptr -all”.
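Before pasting the generated value into DNS, it helps to check what each term in it does. The linter below is an added example, not part of the original article or of any generator's code; the function name `lint_spf` is hypothetical and the addresses in the second sample are constructed documentation addresses. It goes slightly beyond the default record by also validating `ip4`/`ip6` terms like the ones the generator adds.

```python
import ipaddress
import re

# Terms that cost a DNS query when the record is evaluated (RFC 7208 caps them
# at 10). Only this record is counted; lookups inside include: targets add to it.
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lint_spf(record):
    """Parse one SPF TXT value and return (terms, warnings)."""
    parts = record.strip().strip('"').split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("an SPF record must start with v=spf1")
    terms, warnings = [], []
    for raw in parts[1:]:
        # A term without a qualifier is treated as "+" (pass).
        qual, body = (raw[0], raw[1:]) if raw[0] in QUALIFIERS else ("+", raw)
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        arg = body[len(name) + 1:]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
                if net.version != int(name[2]):
                    warnings.append(f"{raw}: address family does not match {name}")
            except ValueError:
                warnings.append(f"{raw}: not a valid address or network")
        if name == "ptr":
            warnings.append("ptr: RFC 7208 says this mechanism should not be published")
        terms.append((QUALIFIERS[qual], name, arg))
    names = [name for _, name, _ in terms]
    lookups = sum(name in LOOKUP_TERMS for name in names)
    if lookups > 10:
        warnings.append(f"{lookups} DNS-querying terms; receivers return permerror above 10")
    if "all" not in names and "redirect" not in names:
        warnings.append("no all term: unlisted senders get a neutral result")
    elif "all" in names:
        result = terms[names.index("all")][0]
        if result != "fail":
            warnings.append(f"all gives {result}: unlisted senders are not rejected")
        if names.index("all") != len(names) - 1:
            warnings.append("terms after all are never evaluated")
    return terms, warnings


# Constructed samples: the default record above, then one with documentation addresses.
PAGE_DEFAULT = "v=spf1 a mx ptr -all"
WITH_ADDRESSES = "v=spf1 ip4:203.0.113.10 ip6:2001:db8::10 a mx -all"
if __name__ == "__main__":
    for rec in (PAGE_DEFAULT, WITH_ADDRESSES, "v=spf1 a mx ?all"):
        print(rec, "->", lint_spf(rec)[1] or "no warnings")
```

For the default record the only warning is about `ptr`; a record that lists the server's addresses explicitly and ends in `-all` passes cleanly.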

Since I use GoDaddy.com and am familiar with their interface, I’ll use that as an example in configuring your example.com DNS records.

I already assume you’ve got at least two A records: host “@” pointing to your server’s public IP address, and “mail” – also pointing to your IP address. I also assume you’ve got at least one MX record, host “@” pointing to mail.example.com.

We now need to add a TXT record. Log into GoDaddy.com and launch your domain editor. Click the “DNS Zone File” tab, then click the “Add Record” link. In the “Add Zone Record” window, first select the type of record. Select “TXT (Text)”. In the “Host” field, enter “@”. In the “TXT Value” field, enter the record generated by the SPF generator. In the default example you’d just enter v=spf1 a mx ptr -all (note the absence of quotation marks).

Click the “Finish” button. This returns you to your domain editor. Scrolling down the page on the domain editor should produce a red “Save Changes” button. Save your changes.

You can test your SPF record at http://mxtoolbox.com. Click the “More” menu item, then locate the SPF tool. Enter your domain (example.com) and click the button. You should be presented a report indicating that SPF is properly configured.

Alternatively, we can also log into our Roundcube installation (http://example.com/mail, possibly) and send a message to check-auth@verifier.port25.com. The reply received (give it a minute) should indicate that SPF lookup was successful.

Now that our mail service is secure and we’ve installed a working implementation of Roundcube, let’s configure fail2ban to help reduce our server’s vulnerabilities.

2 thoughts on “Configuring a cloud-based secure multi-domain web and e-mail server”

    • Awesome! To be perfectly honest, I went with postfix because it’s been the default I’ve seen installed with Virtualmin. Why did you choose to go with exim?
