Roundcube should be configured with strict TLS, secure plugin policy, and controlled IMAP/SMTP integration.
¶ Main configuration file
Primary file: config/config.inc.php
Example baseline:
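```php
<?php
// Database DSN; replace the placeholder password with a strong, unique one.
$config['db_dsnw'] = 'mysql://roundcube:replace-with-strong-password@127.0.0.1/roundcube';
// ssl:// = implicit TLS (port 993); tls:// = STARTTLS (port 587).
$config['imap_host'] = 'ssl://mail.example.com:993';
$config['smtp_host'] = 'tls://mail.example.com:587';
// %u / %p reuse the logged-in user's credentials for SMTP authentication.
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
// Replace with 24 random characters; used to encrypt the IMAP password kept in the session.
$config['des_key'] = 'replace-with-random-24-byte-key';
```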
- Enforce HTTPS and secure cookie flags.
- Disable unused plugins and install updates promptly.
- Restrict admin/plugin file write permissions.
- Configure brute-force protection at reverse proxy layer.
- Use dedicated service DNS names for IMAP/SMTP.
- Validate DKIM/SPF/DMARC alignment at mail platform level.
- Keep timezone and locale defaults consistent.
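
The baseline settings above can be checked before deployment. The following is an added example, not part of Roundcube or of the original page: a small Python audit of a `config.inc.php` body. The `audit` function name, the sample config, and the assumptions that the mail server uses conventional ports and that settings are plain single-quoted assignments are all illustrative.

```python
import re

# Matches simple assignments of the form: $config['key'] = 'value';
ASSIGN = re.compile(r"^\s*\$config\['(\w+)'\]\s*=\s*'([^']*)'\s*;", re.M)
HOST = re.compile(r"^(?:(\w+)://)?([^:/]+)(?::(\d+))?$")

# Conventional ports (assumption: the mail server uses standard assignments).
IMPLICIT_TLS_PORTS = {993, 465}    # TLS from the first byte -> ssl://
STARTTLS_PORTS = {143, 587, 25}    # plaintext upgraded via STARTTLS -> tls://


def audit(config_text):
    """Return a list of (key, problem) findings for a config.inc.php body."""
    cfg = dict(ASSIGN.findall(config_text))
    findings = []
    for key in ("imap_host", "smtp_host"):
        m = HOST.match(cfg.get(key, ""))
        if not m:
            findings.append((key, "missing or unparsable"))
            continue
        scheme, port = m.group(1), int(m.group(3)) if m.group(3) else None
        if scheme not in ("ssl", "tls"):
            findings.append((key, "no ssl:// or tls:// prefix"))
        elif scheme == "tls" and port in IMPLICIT_TLS_PORTS:
            findings.append((key, f"tls:// (STARTTLS) on implicit-TLS port {port}"))
        elif scheme == "ssl" and port in STARTTLS_PORTS:
            findings.append((key, f"ssl:// (implicit TLS) on STARTTLS port {port}"))
    des_key = cfg.get("des_key", "")
    if len(des_key) != 24 or des_key.startswith("replace-"):
        findings.append(("des_key", "placeholder or not 24 characters"))
    if "replace-with" in cfg.get("db_dsnw", ""):
        findings.append(("db_dsnw", "placeholder password still present"))
    return findings


# Constructed sample input, not a real deployment's configuration.
SAMPLE = """<?php
$config['db_dsnw'] = 'mysql://roundcube:replace-with-strong-password@127.0.0.1/roundcube';
$config['imap_host'] = 'mail.example.com:143';
$config['smtp_host'] = 'tls://mail.example.com:465';
$config['des_key'] = 'replace-with-random-24-byte-key';
"""

if __name__ == "__main__":
    for key, problem in audit(SAMPLE):
        print(f"{key}: {problem}")
```

Running the audit against the deployed file before each upgrade catches placeholders and scheme/port mismatches that would otherwise surface as login failures.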
¶ Backup and recovery
Back up:
- Roundcube DB
- config/ and custom plugins/skins
Recovery test:
- Restore DB and config.
- Login with test mailbox.
- Send and receive verification mail.
- IMAP/SMTP auth failures monitored.
- Web and PHP error logs reviewed.
- Backup restore tested.
- Plugin compatibility verified before upgrades.