Mind Dump, Tech And Life Blog
written by Ivan Alenko
published under license Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)copy! share!
posted in category Systems Software / Roundcube
posted at 02. Jul '17

Roundcube Update From Debian Jessie to Stretch (8 -> 9)

Guess what I did the whole weekend….yes, I was updating Jessie to Stretch. In some ways it was a bit painful and I’m happy it’s over. I just need to set up Let’s Encrypt.


However updating Roundcube was pain (1.1.x -> 1.2.6). Here is what you should do:

  1. update roundcube package (apt-get upgrade)
  2. there will be a dialog about conflict in files - keep installed current version
  3. the update script will copy a new version of conflicting files into /etc/roundcube with .dist-new extension, i.e. defaults.inc.php.dist-new. You should update config.inc.php, defaults.inc.php and htaccess
  4. diff it!, i.e. diff defaults.inc.php defaults.inc.php.dist-new and copy new configuration options manually into the old file
  5. run database migrations 2014042900.sql, 2015030800.sql, 2015111100.sql by hand from /usr/share/roundcube/SQL/mysql. For postgres, mssql, sqlite or oracle go to respective folders. I did it via phpmyadmin (sigh)
  6. Stretch has PHP7, so I removed PHP5 altogether. Update <IfModule mod_php5.c> with <IfModule mod_php7.c> in /etc/roundcube/htaccess
  7. Restart Apache with systemctl restart apache2 and it should work now


Well, there are things not to do or be careful:

  • manual upgrade from https://github.com/roundcube/roundcubemail/wiki/Upgrade#run-the-installer doesn’t work. Forget about installer
  • /usr/share/roundcube/bin/update.sh doesn’t work. With some hacking it will, but won’t be useful since we’ve merged our config manually anyways
  • /usr/share/roundcube/bin/updatedb.sh also doesn’t work and I wasn’t able to get it working. This should migrate the database. Fuck this, I was really disappointed…and enraged

Apache 2 pitfalls


Uncommenting this useful setting is fine and works

<Directory />
   AllowOverride None
   Require all denied

However keep this commented out. Roundcube will get stuck with it:

#Header set X-Frame-Options: "sameorigin"

Apache config https://cipherli.st/

SSL configuration from cipherli.st is the best and ultra paranoid. However I removed HSTS (my SSL certs are self signed).

And comment out X-Frame-Options:

#Header always set X-Frame-Options DENY

That will break Roundcube for sure. When I think about it the option in security.conf could work….but I don’t have energy to tinker with it anymore.

So the whole file /etc/apache2/conf-enabled/ssl-settings.conf contains this:

# https://cipherli.st/
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off


That’s all guys. I’m really exhausted after two days and I need to chill now….

Add Comment