Roundcube Webmail Client

For setup documentation, please see the Roundcube Wiki. This page discusses the packaging of Roundcube.

The Roundcube Webmail client is not packaged for EPEL and I am not fond of the installation instructions from the Roundcube project, which involve using PHP Composer to manage dependencies and install it.

I do not like composer on production systems. It grabs dependencies off the web which are not managed by a package manager, you can end up with stale vulnerable dependencies.

For binary dependencies, they should be packaged as PECL modules and updated with the operating system package manager.

For script dependencies, they should packaged as PEAR packages and managed by the pear utility.

Yes, that means global installation. Proponents of Composer often spout things like ‘This means that if you already have a project that relies on a slightly older package, you are screwed.’

No, you are not screwed. Update the fucking package that relies upon an older version of the dependency.

PHP libraries are very often written by small teams in their spare time. They frequently do not spend time providing security fixes for their ‘slightly old’ let alone ‘very old’ versions. When an update to a library is made that breaks your web application, the fix is to update you web application to work with the updated dependency, not keep using the old version of the dependency that is likely receiving little if any maintenance from its maintainer.

Anyway, I do not like composer, so to install Roundcube I took the most recent Fedora RPM and made a few minor changes to the RPM spec file so it would work in CentOS 7 with the LibreLAMP packaging of PHP.

PHP PEAR Changes

The Fedora spec file has several BuildRequires for PHP PEAR modules. I do not know what the maintainer was thinking, they are not required to build the package. I commented them out. It also had some requirements for composer managed dependencies, endroid/qrcode, kolab/Net_LDAP3, and fedora/autoloader.

I have no interest in the first two and the third is only needed for the first two.

I commented those out. They are bullshit BuildRequires and are not used in the creation of the package.

The Fedora RPM also specifies Requires for several pear modules. Those are needed, but I prefer to let the pear utility manage PEAR modules, there is no point in making RPM become a man in the middle for PEAR modules.

To make sure you have what is needed, make sure to install the following PEAR modules:

  • Net_Socket
  • Auth_SASL
  • Net_IDNA2
  • Mail_Mime
  • Net_SMTP
  • Crypt_GPG
  • Net_Sieve

To install a package, as root run:

pear install packagename

The dependency will be installed.

Suggests

Newer versions of RPM have a Suggests: tag. That tag is not supported in the version of RPM that CentOS 7 ships, so I had to comment them out to build the package.

They are not required but may be useful:

  • php-enchant (spell checking)
  • php-apc (server-side caching, provided by php-pecl-apcu)
  • php-uploadprogress (not available for LibreLAMP PHP packaing)
  • php-redis (available as php-pecl-redis3 for LibreLAMP PHP packaing)
  • php-gearman (not available for LibreLAMP PHP packaing)
  • php-pam (not available for LibreLAMP PHP packaing)

I you need any of the function provided by any of the last four, let me know and I will attempt to provide the needed PECL modules.

Autoloader

Since PEAR packages are not installed in the roundcube directory, the autoloader needs to tell PHP how to load them. The autoloader script written by the Fedora maintainer assumes a Fedora ecosystem. I replaced with an autoloader that does not use the Fedora ecosystem. The Fedora ecosystem is available for CentOS 7 but it seems rather silly to install it and all its dependencies for a webmail application that only is going to use PEAR dependencies.

<?php
spl_autoload_register(
        function ($class) {
                if (strpos($class, '.') === false) {
                        $file = str_replace('_', '/', $class).'.php';
                        if ($path = stream_resolve_include_path($file)) {
                                require_once($path);
                        }
                }
        }
);
?>

The Fedora specific autoloader the above replaced also allows for globally installed script packages that are not PEAR managed, but I am not using any of them with Roundcube so that was really not needed.

LDAP Support

If you need LDAP support, you will need to install some additional components:

  • php-ldap
  • PEAR package Net_LDAP2
  • Non-PEAR package kolab/Net_LDAP3

The autoloader will also need to be updated to know how to load the kolab package. And do not be surprised if that has a bunch of dependencies of its own. Fortunately for me, LDAP was not a needed feature. I am sorry if it is for you, but I have no interest in making Roundcube work with it.

QR Code Support

Roundcube apparently has some QR Code support, though I do not know what for. If you need it, you will need to install an external PHP library called endroid/qrcode and it will need to be a version >= 1.6.5 and < 2.

Here is the github page for it: https://github.com/endroid/qr-code.

Note that the github version is at 3.2.3 but Roundcube requires versions older than 2 which are not even available on github except by a git checkout. Classic example of a dependency that very well may have security issues the developer does not care to fix, but a composer install of roundcube would have happily pulled it in.

Because composer allows the roundcube developers to ignore updates to that qrcode library, they have ignored updates to that qrcode library. As far as I am concerned the QR Code functionality of roundcube should be considered broken.

Version 1.9.3 of the qrcode library is packaged for EPEL and probably could be fudged to work if you really need it, but I recommend against it.