Roundcube has frequent security fixes. Harden both the app config and the mail stack around it (IMAP/SMTP/TLS), and patch quickly when Roundcube security releases are published.
¶ 1) Track and apply Roundcube security releases fast
- Keep production on maintained branches and apply security releases immediately.
- Prioritize fixes for recent XSS/info-disclosure and deserialization issues.
- Remove old installation files and stale plugin code after upgrades.
- Test mail compose, attachment preview, and settings pages after patching.
¶ 2) Harden the core configuration
- Set an explicit trusted_hosts list containing only your public webmail hostname.
- Set a long random des_key and rotate it during incident response windows.
- Enforce force_https = true and secure cookie flags at the reverse proxy.
- Disable the installer and all development/debug features in production.
¶ 3) Reduce attack surface in plugins and content handling
- Disable unused plugins; keep only business-required plugins enabled.
- Block execution in temp/upload locations and keep them outside web root where possible.
- Restrict external image loading for untrusted messages if policy requires it.
- Enforce tight upload limits and scan attachments server-side.
¶ 4) Protect backend credentials and transport
- Use a dedicated DB user with least privileges.
- Enforce TLS for IMAP/SMTP and DB links where supported.
- Restrict IMAP/SMTP hosts to private network paths.
- Store secrets in root-readable config only.
¶ Verification commands
grep -E "trusted_hosts|des_key|force_https|enable_installer" /var/www/roundcube/config/config.inc.php
sudo ss -tulpn | grep -E ':443|:993|:465|:587'
find /var/www/roundcube -maxdepth 3 -type d \( -name installer -o -name temp -o -name logs \) -ls
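The grep above only shows the raw lines; the following added example (not Roundcube project code) audits the same four settings from section 2 against the hardening rules and reports findings. It assumes one $config[...] assignment per line in config.inc.php and uses constructed sample configs with a hypothetical hostname.

```python
import re

# Roundcube's shipped default des_key (config/defaults.inc.php). Running with it means the
# IMAP password kept in the session is encrypted under a publicly known key.
DEFAULT_DES_KEY = "rcmail-!24ByteDESkey*Str"

# One $config['key'] = value; assignment per line (multi-line arrays are not handled here).
SETTING_RE = re.compile(
    r"""^\s*\$config\[\s*['"](\w+)['"]\s*\]\s*=\s*(.+?)\s*;\s*(?://.*|#.*)?$""", re.M)

def parse_config(php_text):
    """Map setting name -> raw PHP value text for every assignment in config.inc.php."""
    return {m.group(1): m.group(2) for m in SETTING_RE.finditer(php_text)}

def php_string(raw):
    """Unquote a single- or double-quoted PHP string literal; None if it is not one."""
    m = re.fullmatch(r"""['"](.*)['"]""", raw or "", re.S)
    return m.group(1) if m else None

def audit(php_text):
    """Return a list of findings; an empty list means every checked setting is hardened."""
    cfg = parse_config(php_text)
    findings = []
    # trusted_hosts must hold at least one explicit quoted hostname, not [] or unset.
    if not re.search(r"""['"][^'"]+['"]""", cfg.get("trusted_hosts", "")):
        findings.append("trusted_hosts: no explicit webmail hostname configured")
    key = php_string(cfg.get("des_key"))
    # The default DES-EDE3-CBC cipher needs a 24-character key; it must not be the default.
    if key is None or key == DEFAULT_DES_KEY or len(key) < 24:
        findings.append("des_key: unset, still the shipped default, or shorter than 24 chars")
    if cfg.get("force_https", "false").strip().lower() != "true":
        findings.append("force_https: not set to true")
    if cfg.get("enable_installer", "false").strip().lower() == "true":
        findings.append("enable_installer: must be false in production")
    return findings

# Constructed sample configs (not real deployments) for a stand-alone run.
SAMPLE_WEAK = """<?php
$config['trusted_hosts'] = [];
$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
$config['force_https'] = false;
$config['enable_installer'] = true;
"""
SAMPLE_HARDENED = """<?php
$config['trusted_hosts'] = ['webmail.example.com'];  // hypothetical hostname
$config['des_key'] = 'CONSTRUCTED-24-char-key!';     // constructed, not for real use
$config['force_https'] = true;
$config['enable_installer'] = false;
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(text) or ["OK"])
```

Run it against a copy of your real config.inc.php by passing the file contents to audit(); any non-empty result is a setting to fix before the next security release lands.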
- Roundcube security news: https://roundcube.net/news/
- Roundcube repository/advisories: https://github.com/roundcube/roundcubemail/security
- Roundcube wiki/configuration: https://github.com/roundcube/roundcubemail/wiki
- GitHub advisory example (CVE-2025-49113): https://github.com/advisories/GHSA-8j8w-wwqc-x596