Install Roundcube Webmail on Ubuntu 20.04 with Apache/Nginx

Roundcube is a free and open source webmail client written in PHP. A webmail is a mail client in your browser, which means instead of reading and sending emails from a desktop mail client like Mozilla Thunderbird, you can access your email from a web browser. Roundcube functionality includes MIME support, address book, folder management, message searching, message filter and spell checking. This tutorial is going to show you how to install Roundcube webmail on Ubuntu 20.04 with Apache or Nginx web server.

Roundcube 1.4 Release

Roundcube 1.4 was released on November 10, 2019 after two years of development. This release features:

  • A responsive skin called Elastic with full mobile device support
  • Email Resent (Bounce) feature
  • Improved Mailvelope integration
  • Support for Redis and Memcached cache
  • Support for SMTPUTF8 and GSSAPI
  • Plus numerous improvements and bug fixes


To follow this tutorial, it’s assumed that

If not, please click the above links and follow the instructions to complete prerequisites. Note that if you set up your email server using iRedMail before, then you server meets all requirements and Roundcube is already installed on your server.

Now let’s proceed to install Roundcube.

Step 1: Download Roundcube Webmail on Ubuntu 20.04

Log in to your Ubuntu server via SSH, then run the following command to download the latest 1.4 stable version from Roundcube Github repository.


Note: You can always use the above URL format to download Roundcube from command line. If a new version comes out, simply replace 1.4.3 with the new version number. You can check if there’s new release at Roundcube downloade page.

Extract the tarball, move the newly created folder to web root (/var/www/) and rename it as roundcube at the same time.

tar xvf roundcubemail-1.4.3-complete.tar.gz

sudo mv roundcubemail-1.4.3 /var/www/roundcube

Step 2: Install Dependencies

Run the following command to install required PHP extensions.

sudo apt install php-net-ldap2 php-net-ldap3 php-imagick php7.4-common php7.4-gd php7.4-imap php7.4-json php7.4-curl php7.4-zip php7.4-xml php7.4-mbstring php7.4-bz2 php7.4-intl php7.4-gmp

Install Composer, which is a dependency manager for PHP.

sudo apt install composer

Change into the roundcube directory.

cd /var/www/roundcube

Use Composer to install all needed dependencies (3rd party libraries) for Roundcube Webmail.

composer install --no-dev

If you see the nothing to install or update message, then all dependencies are installed.


Make the web server user (www-data) as the owner of the temp and logs directory so that web server can write to these two directories.

sudo chown www-data:www-data temp/ logs/ -R

Step 3: Create a MariaDB Database and User for Roundcube

Log into MariaDB shell as root.

sudo mysql -u root

Then create a new database for Roundcube using the following command. This tutorial name it roundcube, you can use whatever name you like for the database.


Next, create a new database user on localhost using the following command. Again, this tutorial name it roundcubeuser, you can use whatever name you like. Replace password with your preferred password.

CREATE USER roundcubeuser@localhost IDENTIFIED BY 'password';

Then grant all permission of the new database to the new user so later on Roundcube webmail can write to the database.

GRANT ALL PRIVILEGES ON roundcube.* TO roundcubeuser@localhost;

Flush the privileges table for the changes to take effect.

flush privileges;

Exit MariaDB Shell:


Import the initial tables to roundcube database.

sudo mysql roundcube < /var/www/roundcube/SQL/mysql.initial.sql

Step 4: Create Apache Virtual Host or Nginx Config File for Roundcube


If you use Apache web server, create a virtual host for Roundcube.

sudo nano /etc/apache2/sites-available/roundcube.conf

Note: If you followed my Postfix/Dovecot tutorial, a virtual host already exists. you should edit the following file.

sudo nano /etc/apache2/sites-available/

Put the following text into the file. Replace with your real domain name and don’t forget to set DNS A record for it.

<VirtualHost *:80>
  DocumentRoot /var/www/roundcube/

  ErrorLog ${APACHE_LOG_DIR}/roundcube_error.log
  CustomLog ${APACHE_LOG_DIR}/roundcube_access.log combined

  <Directory />
    Options FollowSymLinks
    AllowOverride All

  <Directory /var/www/roundcube/>
    Options FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all


Save and close the file. Then enable this virtual host with:

sudo a2ensite roundcube.conf

Reload Apache for the changes to take effect.

sudo systemctl reload apache2

Now you should be able to see the Roundcube web-based install wizard at


If you use Nginx web server, create a virtual host for Roundcube.

sudo nano /etc/nginx/conf.d/roundcube.conf

Note: If you followed my Postfix/Dovecot tutorial, a virtual host already exists. you should edit the following file.

sudo nano /etc/nginx/conf.d/

Put the following text into the file. Replace the domain name and don’t forget to set DNS A record for it.

server {
  listen 80;
  listen [::]:80;
  root /var/www/roundcube/;
  index index.php index.html index.htm;

  error_log /var/log/nginx/roundcube.error;
  access_log /var/log/nginx/roundcube.access;

  location / {
    try_files $uri $uri/ /index.php;

  location ~ \.php$ {
   try_files $uri =404;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;

  location ~ /.well-known/acme-challenge {
    allow all;
    deny all;
  location ~ ^/(bin|SQL)/ {
    deny all;
 # A long browser cache lifetime can speed up repeat visits to your page
  location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
       access_log        off;
       log_not_found     off;
       expires           360d;

Save and close the file. Then test Nginx configurations.

sudo nginx -t

If the test is successful, reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Now you should be able to see the Roundcube web-based install wizard at

Step 5: Enabling HTTPS

It’s highly recommended that you use TLS to encrypt your webmail. We can enable HTTPS by installing a free TLS certificate issued from Let’s Encrypt. Run the following command to install Let’s Encrypt client (certbot) on Ubuntu 20.04 server.

sudo apt install certbot

If you use Nginx, then you also need to install the Certbot Nginx plugin.

sudo apt install python3-certbot-nginx

Next, run the following command to obtain and install TLS certificate.

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d

If you use Apache, install the Certbot Apache plugin.

sudo apt install python3-certbot-apache

And run this command to obtain and install TLS certificate.

sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d


  • --nginx: Use the nginx plugin.
  • --apache: Use the Apache plugin.
  • --agree-tos: Agree to terms of service.
  • --redirect: Force HTTPS by 301 redirect.
  • --hsts: Add the Strict-Transport-Security header to every HTTP response. Forcing browser to always use TLS for the domain. Defends against SSL/TLS Stripping.
  • --staple-ocsp: Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS.

The certificate should now be obtained and automatically installed.

roundcube webmail https letsencrypt

Note: If you followed my Postfix/Dovecot tutorial, and now you install Roundcube on the same server, then certbot will probably tell you that a certificate for already exists as shown below, so you can choose to install the existing TLS certificate to your web server configuration file.

roundcube postfix dovecot certbot https certificate

Step 6: Finish the Installation in Web Browser

In your web browser, go to the Roundcube installer page.

The web installer will first check if PHP extensions, database and 3rd party libraries are installed. If you follow this tutorial, then all requirements should be met.


Click Next button. In the 2nd page, go to the Database setup section. You need to fill in MariaDB database details that you created in step 3.

roundcube mariadb user

The IMAP and SMTP section allows you to configure how to receive and submit email. Enter the following values for IMAP.

  • IMAP host: ssl:// port: 993

Enter the following values for SMTP settings.

  • SMTP port: tls:// port: 587

roundcube smtp settings

Next, you can scroll down to the Plugins section to enable some plugins. For example the password plugin, mark as junk plugin, and so on. I enabled all of them.

roundcube enable plugins

Once that’s done, click create config button which will create configuration based on the information you entered. You need to copy the configuration and save it as under the /var/www/roundcube/config/ directory.

roundcube webmail installer

Once the file is created, click continue button. In the final step, test your SMTP and IMAP settings by sending a test email and checking IMAP login.

roundcube webmail test smtp & imap config

If the test fails, then you can click the 2. Create config link on the top of page to go back to step 2 and recreate the file.

If test is successful, go to your Webmail domain without /installer and login.

roundcube webmail elastic skin

Roundcube Webmail interface

roundcube ubuntu server apache nginx

Now you should remove the whole installer folder from the document root or make sure that enable_installer option in file is disabled.

sudo rm /var/www/roundcube/installer/ -r

These files may expose sensitive configuration data like server passwords and encryption keys to the public. Make sure you cannot access the installer page from your browser.

Step 7: Configure the Sieve Message Filter

You can create folders in Roundcube webmail and then create rules to filter email messages into different folders. In order to do this, you need to install the ManageSieve server with the following command.

sudo apt install dovecot-sieve dovecot-managesieved

By default, Postfix uses its builtin local delivery agent (LDA) to move inbound emails to the message store (inbox, sent, trash, Junk, etc). We can configure it to use Dovecot to deliver emails, via the LMTP protocol, which is a simplified version of SMTP. LMTP allows for a highly scalable and reliable mail system and it is required if you want to use the sieve plugin to filter inbound messages to different folders.

Install the Dovecot LMTP Server.

sudo apt install dovecot-lmtpd

Edit the Dovecot main configuration file.

sudo nano /etc/dovecot/dovecot.conf

Add lmtp and sieve to the supported protocols.

protocols = imap lmtp sieve

Save and close the file. Then edit the Dovecot 10-master.conf file.

sudo nano /etc/dovecot/conf.d/10-master.conf

Change the lmtp service definition to the following.

service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
   group = postfix
   mode = 0600
   user = postfix

Next, edit the Postfix main configuration file.

sudo nano /etc/postfix/

Add the following lines at the end of the file. The first line tells Postfix to deliver emails to local message store via the dovecot LMTP server. The second line disables SMTPUTF8 in Postfix, because Dovecot-LMTP doesn’t support this email extension.

mailbox_transport = lmtp:unix:private/dovecot-lmtp
smtputf8_enable = no

Save and close the file. Open the /etc/dovecot/conf.d/15-lda.conf file.

sudo nano /etc/dovecot/conf.d/15-lda.conf

Scroll to the end of the file, uncomment the mail_plugins line and add the sieve plugin to local delivery agent (LDA).

protocol lda {
    # Space separated list of plugins to load (default is global mail_plugins).
    mail_plugins = $mail_plugins sieve

Save and close the file. If you can find the 20-lmtp.conf file under /etc/dovecot/conf.d/ directory, then you should also enable the sieve plugin in that file like below.

protocol lmtp {
      mail_plugins = quota sieve

Edit the /etc/dovecot/conf.d/10-mail.conf file.

sudo nano /etc/dovecot/conf.d/10-mail.conf

Sieve scripts are stored under each user’s home directory. If you followed my PostfixAdmin tutorial and are using virtual mailbox domains, then you need to enable mail_home for the virtual users by adding the following line in the file, because virtual users don’t have home directories by default.

mail_home = /var/vmail/%d/%n

Save and close the file.

Finally, restart Postfix and Dovecot.

sudo systemctl restart postfix dovecot

Now you can go to Roundcube webmail, open an email message and click the more button and select create filters to create message filters. For example, I create a filter that moves every email sent from to the Red Hat folder.

roundcube sieve filter

Step 8: Adding Local DNS Entry

It’s recommended to edit the /etc/hosts file and add the following entry, so that Roundcube won’t have to query the public DNS, which will speed up web page loading a little bit.  localhost

Step 9: Removing Sensitive Information from Email Headers

By default, Roundcube will add a User-Agent email header, indicating that you are using Roundcube webmail and the version number. You can tell Postfix to ignore it so recipient can not see it. Run the following command to create a header check file.

sudo nano /etc/postfix/smtp_header_checks

Put the following lines into the file.

/^User-Agent.*Roundcube Webmail/            IGNORE

Save and close the file. Then edit the Postfix main configuration file.

sudo nano /etc/postfix/

Add the following line at the end of the file.

smtp_header_checks = regexp:/etc/postfix/smtp_header_checks

Save and close the file. Then run the following command to rebuild hash table.

sudo postmap /etc/postfix/smtp_header_checks

Reload Postfix for the change to take effect.

sudo systemctl reload postfix

Now Postfix won’t include User-Agent: Roundcube Webmail in the headers when sending outgoing emails.

Step 10: Configure the Password Plugin in Roundcube

Roundcube includes a password plugin that allows users to change their password from the webmail interface. However, we need to configure it before it will work. Run the following command to copy the distributed password plugin config file to a new file.

sudo cp /var/www/roundcube/plugins/password/ /var/www/roundcube/plugins/password/

Edit the password plugin configuration file.

sudo nano /var/www/roundcube/plugins/password/

Find the following line:

$config['password_db_dsn'] = '';

This parameter is used to tell the password plugin where the user passwords are stored. By default, the value is empty and it will query the roundcube database, which doesn’t store user passwords. If you followed my PostfixAdmin tutorial, then user passwords are stored in the postfixadmin.mailbox table, so we need to change the value to:

$config['password_db_dsn'] = 'mysql://postfixadmin:postfixadmin_database_password@';

The tells the password plugin to connect to the postfixadmin database. If you don’t remember your postfixadmin database password, you can find it in the /etc/dovecot/dovecot-sql.conf.ext file.

Then find the following line.

$config['password_query'] = 'SELECT update_passwd(%c, %u)';

Change it to the following.

$config['password_query'] = "UPDATE mailbox SET password=%D,modified=NOW() WHERE username=%u";

I recommend enabling a password strength checker to prevent users from setting week passwords. Go to the beginning of this file, you can find the following line.

$config['password_strength_driver'] = null;

We can use the zxcvbn password strength driver, so change it to:

$config['password_strength_driver'] = 'zxcvbn';

Add the following line in this file to allow strong passwords only.

$config['password_zxcvbn_min_score'] = 5;

Note: The $config['password_minimum_score'] parameter doesn’t work with the zxcvbn driver, so leave it alone.

You can also set a minimum length for the password. Find the following line.

$config['password_minimum_length'] = 0;

Change it to:

$config['password_minimum_length'] = 8;

Recall that we used the ARGON2I password scheme in the PostfixAdmin tutorial, so we also need to configure the password plugin to use ARGON2I. Find the following lines in the file.

$config['password_algorithm'] = 'clear';

By default, the password will be stored as clear text, change the value to the following to use Dovecot’s builtin password algorithm.

$config['password_algorithm'] = 'dovecot';

Then find the following line, which tells where the Dovecot’s password hash generator is located.

$config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw'; // for dovecot-1.x

Change it to the following.

$config['password_dovecotpw'] = '/usr/bin/doveadm pw -r 5';

Then find the following line, which tells which password scheme will be used.

$config['password_dovecotpw_method'] = 'CRAM-MD5';

Change it to:

$config['password_dovecotpw_method'] = 'ARGON2I';

Find the following line.

$config['password_dovecotpw_with_method'] = false;

Change false to true. This will add a {ARGON2I} prefix to the hashed password, so you will recognize which password scheme is used.

$config['password_dovecotpw_with_method'] = true;

Save and close the file. Since this file contains the database password, we should allow only the www-data user to read and write to this file.

sudo chown www-data:www-data /var/www/roundcube/plugins/password/
sudo chmod 600 /var/www/roundcube/plugins/password/

Now users should be able to change their passwords in the Roundcube webmail interface.

roundcube webmail change password

Wrapping Up

I hope this tutorial helped you install Roundcube Webmail on Ubuntu 20.04. As always, if you found this post useful, subscribe to our free newsletter to get more tips and tricks 🙂

Rate this tutorial
[Total: 0 Average: 0]

5 Responses to “Install Roundcube Webmail on Ubuntu 20.04 with Apache/Nginx

  • Brandon
    4 weeks ago

    This doesn’t play nicely with the other tutorials that suggest using ARGON2I password hashing, because roundcube doesn’t support it.
    To make the password change plugin work properly, you’d have to use one of the functions the plugin supports.
    From plugins/password/

    // Default password hashing/crypting algorithm.
    // Possible options: des-crypt, ext-des-crypt, md5-crypt, blowfish-crypt,
    // sha256-crypt, sha512-crypt, md5, sha, smd5, ssha, ssha512, samba, ad, dovecot, clear.

    If you attempt to use ARGON2I it will complain that the function doesn’t exist.

  • Brandon
    4 weeks ago

    I did try using the ‘dovecot’ option for password_algorithm.

    $config['password_algorithm'] = 'dovecot';
    $config['password_dovecotpw'] = '/usr/bin/doveadm pw';
    $config['password_dovecotpw_method'] = 'ARGON2I';
    $config['password_dovecotpw_with_method'] = true;

    However, this still complains with:

    Could not save new password.
    Encryption function missing.

    Unless I’m missing something, it seems this just won’t work unless you switch your hashing method to one roundcube supports.

    • After I examine my file, it’s true that I forgot to include the instruction to configure password algorithm (or password scheme). I just updated step 10.

      The only difference with your configuration is I use

      $config['password_dovecotpw'] = '/usr/bin/doveadm pw -r 5';

      Instead of

      $config['password_dovecotpw'] = '/usr/bin/doveadm pw';

      It’s working flawlessly on my mail server.

  • Harrison
    3 weeks ago

    Hi! Thank you very much for the tutorials you provide. I am wondering if it’s possible to allow users to register for free on my own mail server. Just like what Gmail is providing. Thanks awaiting your response.

  • Hi! Excellent tutorials!

    How would one go about configuring roundcube (on the same server with: postfix, dovecot and postfixadmin) running behind haproxy?

    SSL is terminated in haproxy and roundcube is running on the mail server.
    Ports 587 and 993 are forwarded respectively as send-proxy and send-proxy-v2 to the mail server.
    Postfix is listening to 10587(STARTTLS) and dovecot to 10993(SSL) on the mail server.

    Just can’t get a connection from roundcube to smtp and imap. Everything else is running smoothly thanks to your tutorials! Any advice would be much appreciated. Cheers!

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community ( for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.