Configure roundcube

Modify the configuration files to finalize the install of Roundcube.

The configuration changes are intended to be identical to how Roundcube
was configured on Wheezy.  However, Jessie ships with PHP 5.6.  This
version of PHP enforces SSL certificate checking by default.  This means
using 127.0.0.1 or localhost in SSL connection strings fails.
`{{ mail_server_hostname }}` is used in these places instead.

roles/webmail/files/etc_roundcube_global.sieve

@@ -0,0 +1,11 @@
+require ["regex", "fileinto", "imap4flags"];
+# Catch mail tagged as Spam, except Spam retrained and delivered to the mailbox
+if allof (header :regex "X-DSPAM-Result" "^(Spam|Virus|Bl[ao]cklisted)$",
+          not header :contains "X-DSPAM-Reclassified" "Innocent") {
+  # Mark as read
+  setflag "\\Seen";
+  # Move into the Junk folder
+  fileinto "Spam";
+  # Stop processing here
+  stop;
+}

roles/webmail/files/usr_share_roundcube_plugins_carddav_config.inc.php

@@ -14,7 +14,7 @@
 // $prefs['_GLOBAL']['fixed'] = true;
 
 // When enabled, this option hides the 'CardDAV' section inside Preferences.
-// $prefs['_GLOBAL']['hide_preferences'] = true;
+// $prefs['_GLOBAL']['hide_preferences'] = false;
 
 // Scheme for storing the CardDAV passwords.
 // Options:

roles/webmail/files/usr_share_roundcube_plugins_managesieve_config.inc.php

@@ -41,10 +41,10 @@ $config['managesieve_usetls'] = false;
 $config['managesieve_conn_options'] = null;
 
 // default contents of filters script (eg. default spam filter)
-$config['managesieve_default'] = '/etc/dovecot/sieve/global';
+$config['managesieve_default'] = '/etc/roundcube/global.sieve';
 
 // The name of the script which will be used when there's no user script
-$config['managesieve_script_name'] = 'managesieve';
+$config['managesieve_script_name'] = 'roundcube';
 
 // Sieve RFC says that we should use UTF-8 endcoding for mailbox names,
 // but some implementations does not covert UTF-8 to modified UTF-7.

roles/webmail/tasks/roundcube.yml

@@ -64,10 +64,16 @@
     - twofactor_gauthenticator
 
 - name: Configure roundcube
+  template: src=etc_roundcube_config.inc.php.j2 dest=/etc/roundcube/config.inc.php
+    group=www-data
+    owner=root
+    mode=640
+    force=yes
+
+- name: Configure roundcube plugins
   copy: src={{ item.src }} dest={{ item.dest }} group=www-data owner=root mode=640 force=yes
   with_items:
   - { src: 'etc_roundcube_global.sieve',                                          dest: '/etc/roundcube/global.sieve' }
-  - { src: 'etc_roundcube_config.inc.php',                                        dest: '/etc/roundcube/config.inc.php' }
   - { src: 'usr_share_roundcube_plugins_carddav_config.inc.php',                  dest: '/usr/share/roundcube/plugins/carddav/config.inc.php' }
   - { src: 'usr_share_roundcube_plugins_managesieve_config.inc.php',              dest: '/usr/share/roundcube/plugins/managesieve/config.inc.php' }
   - { src: 'usr_share_roundcube_plugins_twofactor_gauthenticator_config.inc.php', dest: '/usr/share/roundcube/plugins/twofactor_gauthenticator/config.inc.php' }

roles/webmail/templates/etc_apache2_sites-available_roundcube.j2

@@ -1,48 +1,61 @@
-# Those aliases do not work properly with several hosts on your apache server
-# Uncomment them to use it or adapt them to your configuration
-#    Alias /roundcube /var/lib/roundcube
+<VirtualHost *:80> 
+    ServerName {{ webmail_domain }}
 
-<Directory /var/lib/roundcube/>
-  Options +FollowSymLinks
-  # This is needed to parse /var/lib/roundcube/.htaccess. See its
-  # content before setting AllowOverride to None.
-  AllowOverride All
-  <IfVersion >= 2.3>
-    Require all granted
-  </IfVersion> 
-  <IfVersion < 2.3>
-    Order allow,deny
-    Allow from all
-  </IfVersion>
-</Directory>
+    Redirect permanent / https://{{ webmail_domain }}/
+</VirtualHost>
 
-# Protecting basic directories:
-<Directory /var/lib/roundcube/config>
-        Options -FollowSymLinks
-        AllowOverride None
-</Directory>
+<VirtualHost *:443>
+    ServerName {{ webmail_domain }}
+    SSLEngine On
 
-<Directory /var/lib/roundcube/temp>
-        Options -FollowSymLinks
-        AllowOverride None
-        <IfVersion >= 2.3>
-          Require all denied
-        </IfVersion> 
-        <IfVersion < 2.3>
-          Order allow,deny
-          Deny from all
-        </IfVersion>
-</Directory>
+    # Those aliases do not work properly with several hosts on your apache server
+    # Uncomment them to use it or adapt them to your configuration
+    Alias / /var/lib/roundcube/
 
-<Directory /var/lib/roundcube/logs>
-        Options -FollowSymLinks
-        AllowOverride None
-        <IfVersion >= 2.3>
-          Require all denied
-        </IfVersion> 
-        <IfVersion < 2.3>
-          Order allow,deny
-          Deny from all
-        </IfVersion>
-</Directory>
+    <Directory /var/lib/roundcube/>
+      Options +FollowSymLinks
+      # This is needed to parse /var/lib/roundcube/.htaccess. See its
+      # content before setting AllowOverride to None.
+      AllowOverride All
+      <IfVersion >= 2.3>
+        Require all granted
+      </IfVersion> 
+      <IfVersion < 2.3>
+        Order allow,deny
+        Allow from all
+      </IfVersion>
+    </Directory>
 
+    # Protecting basic directories:
+    <Directory /var/lib/roundcube/config>
+            Options -FollowSymLinks
+            AllowOverride None
+    </Directory>
+
+    <Directory /var/lib/roundcube/temp>
+            Options -FollowSymLinks
+            AllowOverride None
+            <IfVersion >= 2.3>
+              Require all denied
+            </IfVersion> 
+            <IfVersion < 2.3>
+              Order allow,deny
+              Deny from all
+            </IfVersion>
+    </Directory>
+
+    <Directory /var/lib/roundcube/logs>
+            Options -FollowSymLinks
+            AllowOverride None
+            <IfVersion >= 2.3>
+              Require all denied
+            </IfVersion> 
+            <IfVersion < 2.3>
+              Order allow,deny
+              Deny from all
+            </IfVersion>
+    </Directory>
+    
+    CustomLog /var/log/apache2/webmail_access.log combined 
+    ErrorLog /var/log/apache2/webmail_error.log 
+</VirtualHost>

roles/webmail/templates/etc_dbconfig-common_roundcube.conf.j2

@@ -13,23 +13,23 @@ dbc_upgrade='true'
 
 # dbc_remove: deconfigure database with dbconfig-common?
 #             set to anything but "true" to opt out of assistance
-dbc_remove='true'
+dbc_remove=''
 
 # dbc_dbtype: type of underlying database to use
 #	this exists primarily to let dbconfig-common know what database
 #	type to use when a package supports multiple database types.
 #	don't change this value unless you know for certain that this
 #	package supports multiple database types
-dbc_dbtype='mysql'
+dbc_dbtype='pgsql'
 
 # dbc_dbuser: database user
 #	the name of the user who we will use to connect to the database.
-dbc_dbuser='roundcube'
+dbc_dbuser='{{ webmail_db_username }}'
 
 # dbc_dbpass: database user password
 #	the password to use with the above username when connecting
 #	to a database, if one is required
-dbc_dbpass='ufno9vN0s04b'
+dbc_dbpass='{{ webmail_db_password }}'
 
 # dbc_dballow: allowed host to connect from
 #       only for database types that support specifying the host from
@@ -52,13 +52,13 @@ dbc_dbport=''
 
 # dbc_dbname: name of database
 #	this is the name of your application's database.
-dbc_dbname='roundcube'
+dbc_dbname='{{ webmail_db_database }}'
 
 # dbc_dbadmin: name of the administrative user
 #	this is the administrative user that is used to create all of the above
 #	The exception is the MySQL/MariaDB localhost case, where this value is
 #	ignored and instead is determined from /etc/mysql/debian.cnf.
-dbc_dbadmin='debian-sys-maint'
+dbc_dbadmin='{{ db_admin_username }}'
 
 # dbc_basepath: base directory to hold database files
 #	leave unset to use the default.  only applicable if you are

roles/webmail/templates/etc_roundcube_config.inc.php.j2

@@ -19,12 +19,8 @@ $config = array();
 // SQL DATABASE
 // ----------------------------------
 
-// Database connection string (DSN) for read+write operations
-// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
-// Currently supported db_providers: mysql, pgsql, sqlite, mssql or sqlsrv
-// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
-// NOTE: for SQLite use absolute path: 'sqlite:////full/path/to/sqlite.db?mode=0646'
-$config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
+/* Do not set db_dsnw here, use dpkg-reconfigure roundcube-core to configure database ! */
+include_once("/etc/roundcube/debian-db-roundcube.php");
 
 // Database DSN for read-only operations (if empty write database will be used)
 // useful for database replication
@@ -124,7 +120,7 @@ $config['smtp_debug'] = false;
 // For example %n = mail.domain.tld, %t = domain.tld
 // WARNING: After hostname change update of mail_host column in users table is
 //          required to match old user data records with the new host.
-$config['default_host'] = 'localhost';
+$config['default_host'] = 'ssl://{{ mail_server_hostname }}:993';
 
 // TCP port used for IMAP connections
 $config['default_port'] = 143;
@@ -229,19 +225,19 @@ $config['messages_cache_threshold'] = 50;
 // %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
 // %z - IMAP domain (IMAP hostname without the first part)
 // For example %n = mail.domain.tld, %t = domain.tld
-$config['smtp_server'] = '';
+$config['smtp_server'] = 'ssl://{{ mail_server_hostname }}';
 
 // SMTP port (default is 25; use 587 for STARTTLS or 465 for the
 // deprecated SSL over SMTP (aka SMTPS))
-$config['smtp_port'] = 25;
+$config['smtp_port'] = 465;
 
 // SMTP username (if required) if you use %u as the username Roundcube
 // will use the current username for login
-$config['smtp_user'] = '';
+$config['smtp_user'] = '%u';
 
 // SMTP password (if required) if you use %p as the password Roundcube
 // will use the current user's password for login
-$config['smtp_pass'] = '';
+$config['smtp_pass'] = '%p';
 
 // SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
 // best server supported one)
@@ -420,7 +416,7 @@ $config['x_frame_options'] = 'sameorigin';
 // this key is used to encrypt the users imap password which is stored
 // in the session record (and the client cookie if remember password is enabled).
 // please provide a string of exactly 24 chars.
-$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
+$config['des_key'] = 'cQro25fVv3ruWTNh0a6Sm1Rp';
 
 // Automatically add this domain to user names for login
 // Only for IMAP servers that require full e-mail addresses for login
@@ -580,7 +576,7 @@ $config['assets_dir'] = '';
 // ----------------------------------
 
 // List of active plugins (in plugins/ directory)
-$config['plugins'] = array();
+$config['plugins'] = array('managesieve', 'carddav', 'twofactor_gauthenticator');
 
 // ----------------------------------
 // USER INTERFACE

roles/webmail/templates/etc_roundcube_debian-db.php.j2

@@ -9,10 +9,10 @@
 ## you'll probably also want to edit the configuration file mentioned
 ## above too.
 ##
-$dbuser='roundcube';
-$dbpass='ufno9vN0s04b';
+$dbuser='{{ webmail_db_username }}';
+$dbpass='{{ webmail_db_password }}';
 $basepath='';
-$dbname='roundcube';
+$dbname='{{ webmail_db_database }}';
 $dbserver='localhost';
 $dbport='';
-$dbtype='mysql';
+$dbtype='pgsql';