Roundcube alongside Nextcloud

We will run Roundcube 1.4.2 in a subfolder alongside and within Nextcloud on your existing NGINX, then enhance security using TOTP (2FA) and fail2ban, and finally add Nextcloud functionality by using a carddav plugin to embed Nextcloud contacts. To run Roundcube alongside and within Nextcloud (as an “external site”), your NGINX configuration has to be modified and extended. But first, back up your old *.conf files inside the nginx directories. Please substitute all the red values below to match your environment.

sudo -s
apt install php-pear unzip -y && service php7.4-fpm restart && service nginx stop
cp /etc/nginx/conf.d/nextcloud.conf /etc/nginx/conf.d/nextcloud.conf.bak

Modify the /etc/nginx/conf.d/nextcloud.conf and paste the red rows:

location = /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
    return 301 $scheme://$host/remote.php/dav;
}
location ^~ /emails/ {
    client_max_body_size 1024M;
    proxy_buffering off;
    proxy_connect_timeout 3600;
    proxy_max_temp_file_size 1024M;
    proxy_redirect off;
    proxy_request_buffering off;
    proxy_read_timeout 3600;
    proxy_send_timeout 3600;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    send_timeout 3600;
}
client_max_body_size 10240M;
location / {
    # existing Nextcloud configuration continues here

Now create the new /etc/nginx/conf.d/roundcube.conf:

server {
listen default_server;
include /etc/nginx/proxy.conf;
root /var/www/;
client_max_body_size 1024M;
access_log /var/log/nginx/roundcube.access.log main;
error_log /var/log/nginx/roundcube.error.log warn;
charset utf-8;
location ^~ /emails { 
index index.php;
location ~ ^/favicon.ico$ {
root /var/www/emails/skins/default/images;
log_not_found off;
access_log off;
expires max;
deny all;
location ~ ^/emails/(bin|SQL|config|temp|logs)/ {
deny all;
location ~ /emails/\.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
include php_optimization.conf;
fastcgi_index index.php;
try_files $uri =404;
location ~ /emails/\.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;

Validate your NGINX configuration

nginx -t

and if no errors appear, restart NGINX.

service nginx restart

To get your Roundcube started (https://YOUR.DEDYN.IO/emails), you need to download and install Roundcube:

cd /usr/local/src
tar xfz roundcubemail-1.4.2-complete.tar.gz &&  mv roundcubemail-1.4.2 emails
mv emails /var/www/ && chown -R www-data:www-data /var/www/

Create a database for Roundcube:

mysql -h localhost -uroot -p -e "CREATE DATABASE emails CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci; GRANT ALL PRIVILEGES on emails.* to nextcloud@localhost; FLUSH privileges"

Call Roundcube in your browser and walk through the configuration steps. Don’t forget to remove the folder /var/www/emails/installer afterwards.

rm -R /var/www/emails/installer && service nginx restart

If you want to use PGP encryption, you have to edit the configuration and create a key directory.

sudo -u www-data mkdir -p /var/www/emails/KEYS
sudo -u www-data cp /var/www/emails/plugins/enigma/ /var/www/emails/plugins/enigma/
sudo -u www-data vi /var/www/emails/plugins/enigma/

Change the following row to

$config['enigma_pgp_homedir'] = "KEYS";

With Roundcube installed (/var/www/emails), we will start hardening Roundcube using TOTP (2FA). Please log out of Roundcube, make sure you have switched into sudo mode and change into Roundcube’s plugin directory:

cd /var/www/emails/plugins

Then download the TOTP-app from github:

git clone

Log out of Roundcube and edit the main configuration to enable TOTP:

sudo -u www-data vi ../config/

Add twofactor_gauthenticator to the plugins-section:

$config['plugins'] = array('enigma', 'twofactor_gauthenticator', 'markasjunk', 'newmail_notifier', 'zipdownload');

Save and quit the file (:wq!) and log on to your Roundcube instance. Then activate twofactor_gauthenticator in the settings panel:

If you paste your Nextcloud secret and apply these settings, you can log on to Roundcube using the same 2FA as for Nextcloud. Log out and log in to Roundcube again. From now on your account is even more secure, using a second factor for authentication.
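
Why pasting the Nextcloud secret works, as an added example that is not part of the original post or of either plugin: a TOTP code depends only on the shared secret and the current time, so every verifier holding that secret accepts the same code. The HMAC-SHA1, 30-second, 6-digit parameters are the usual authenticator-app defaults and are assumed here; the secret is the constructed RFC 6238 test key, and `accepted_by_both` is a hypothetical helper.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code (assumed authenticator-app default)


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 code (HMAC-SHA1) for a base32 secret at a Unix time."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # authenticator secrets omit padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", max(0, int(unix_time)) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, window=1):
    """Accept the current step plus `window` steps either side (clock drift)."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + drift * STEP), submitted)
        for drift in range(-window, window + 1)
    )


# Constructed secret: the RFC 6238 test key, base32-encoded.
NEXTCLOUD_SECRET = base64.b32encode(b"12345678901234567890").decode()
ROUNDCUBE_SECRET = NEXTCLOUD_SECRET  # the value pasted into twofactor_gauthenticator


def accepted_by_both(code, unix_time):
    """True when one code passes both the Nextcloud and the Roundcube check."""
    return (verify(NEXTCLOUD_SECRET, code, unix_time)
            and verify(ROUNDCUBE_SECRET, code, unix_time))


if __name__ == "__main__":
    now = 59  # RFC 6238 test time
    code = totp(NEXTCLOUD_SECRET, now)
    print(code, accepted_by_both(code, now))
```

Because both services hold one secret, the copy stored in Roundcube's user preferences needs the same protection as the Nextcloud one.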


Log out of Roundcube and go ahead with the implementation of fail2ban to prevent brute-force attacks. Change to the plugin directory again:

cd /var/www/emails/plugins

Download and extract the fail2ban-plugin:

unzip 1.3 && rm

Then rename the plugin to fail2ban:

mv rc-plugin-fail2ban-1.3 fail2ban && chown -R www-data:www-data /var/www/emails

Create the fail2ban configuration for roundcube:

vi /etc/fail2ban/jail.d/roundcube.local

Add the following rows:

[roundcube]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = roundcube
maxretry = 5
bantime = 1800
findtime = 36000
logpath = /var/www/emails/logs/errors.log

Save and quit the file (:wq!) and create the roundcube filter expressions for fail2ban:

vi /etc/fail2ban/filter.d/roundcube.conf

Add the following rows:

[Definition]
failregex = IMAP Error: Login failed for .* from <HOST>
ignoreregex =
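
An added example (not part of the original post and not fail2ban's own code): a Python model of what the jail above does with this failregex and the maxretry, findtime and bantime values, run over constructed log lines. The log line layout and the simplified IPv4 stand-in for `<HOST>` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY, FINDTIME, BANTIME = 5, 36000, 1800  # values from roundcube.local

# failregex from this page; <HOST> is replaced by a simplified IPv4 group
# (assumption: fail2ban's own <HOST> also covers IPv6 and host names).
FAILREGEX = re.compile(
    r"IMAP Error: Login failed for .* from (?P<host>\d{1,3}(?:\.\d{1,3}){3})")
# Assumed Roundcube log prefix, e.g. "[17-Feb-2020 10:00:00 +0100]: ".
STAMP = re.compile(r"^\[(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def find_bans(lines):
    """Return {host: (ban_start, ban_end)} for hosts that reach MAXRETRY
    failures inside a FINDTIME-second window."""
    recent, bans = defaultdict(deque), {}
    for line in lines:
        stamp, hit = STAMP.match(line), FAILREGEX.search(line)
        if not (stamp and hit):
            continue  # unrelated log line
        when = datetime.strptime(stamp.group(1), "%d-%b-%Y %H:%M:%S")
        host = hit.group("host")
        seen = recent[host]
        seen.append(when)
        while (when - seen[0]).total_seconds() > FINDTIME:
            seen.popleft()  # failure has aged out of the window
        if len(seen) >= MAXRETRY and host not in bans:
            bans[host] = (when, when + timedelta(seconds=BANTIME))
    return bans


def sample_log():
    """Constructed errors.log lines; addresses are RFC 5737 documentation IPs."""
    fmt = ("[17-Feb-2020 10:%02d:00 +0100]: <abc123> IMAP Error: Login failed "
           "for %s from %s. AUTHENTICATE PLAIN: Authentication failed.")
    lines = [fmt % (minute, "alice", "203.0.113.7") for minute in range(4)]
    # A user name that itself contains " from <ip>": with this pattern the
    # greedy .* backtracks to the last " from ", so the client is counted.
    lines.append(fmt % (4, "x from 198.51.100.9", "203.0.113.7"))
    lines.append(fmt % (5, "bob", "203.0.113.8"))
    lines.append("[17-Feb-2020 10:06:00 +0100]: <abc123> PHP Error: unrelated")
    return lines


if __name__ == "__main__":
    for host, (start, end) in find_bans(sample_log()).items():
        print(host, "banned", start, "until", end)
```

On the server, `fail2ban-regex /var/www/emails/logs/errors.log /etc/fail2ban/filter.d/roundcube.conf` runs the real filter against the real log and reports how many lines matched.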

Log out of Roundcube and edit the main configuration to enable fail2ban:

sudo -u www-data vi ../config/

Add 'fail2ban' to the plugins section:

$config['plugins'] = array('enigma', 'fail2ban', 'twofactor_gauthenticator', 'markasjunk', 'newmail_notifier', 'zipdownload');

Restart fail2ban:

sudo -u www-data touch /var/www/emails/logs/errors.log && service fail2ban restart

Log on to your Roundcube instance. Then verify that fail2ban is working as expected.

fail2ban-client status nextcloud && fail2ban-client status roundcube

Log on to Nextcloud and Roundcube again, using wrong credentials once. Then open the fail2ban status again:

fail2ban-client status nextcloud && fail2ban-client status roundcube

If you find e.g. “currently failed: 1” twice, your Nextcloud and Roundcube were successfully hardened with TOTP and fail2ban. Lastly, we will add Nextcloud contacts to our Roundcube instance using the carddav plugin. But first log out of Roundcube again.

mkdir -p /var/www/emails/plugins/carddav
cd /var/www/emails/plugins/carddav/
tar -xjf carddav-3.0.1.tar.bz2 -C /var/www/emails/plugins
rm -f carddav-3.0.1.tar.bz2
cp -p /var/www/emails/plugins/carddav/ /var/www/emails/plugins/carddav/

Download any required binaries using curl and composer:

curl -sS | php
php7.4 composer.phar update && php7.4 composer.phar install

Then modify hide_preferences, pwstore_scheme and suppress_version_warning to the red values and if necessary remove the leading slashes:

sudo -u www-data vi
$prefs['_GLOBAL']['hide_preferences'] = false;
$prefs['_GLOBAL']['pwstore_scheme'] = 'encrypted';
$prefs['_GLOBAL']['suppress_version_warning'] = false;

Save and quit the file (:wq!) and edit roundcube’s main configuration:

sudo -u www-data vi ../../config/

Add ‘carddav‘ to the plugins-section:

$config['plugins'] = array('carddav', 'enigma', 'fail2ban', 'twofactor_gauthenticator', 'markasjunk', 'newmail_notifier', 'zipdownload');

Save and quit the file (:wq!) and apply the proper permissions:

chown -R www-data:www-data /var/www

Log on to your Roundcube instance again and you will find the carddav option in Roundcube’s settings panel.

The carddav-url looks like:


Please fill in your url and your app-password from your Nextcloud. If configured properly the configuration will appear as:

Congrats – you’re done!


Carsten Rieger

Carsten Rieger is a full-time senior system engineer and also works as an IT freelancer. He has been working with Linux environments for more than 15 years, is an Open Source enthusiast and is highly motivated when it comes to Linux installation and troubleshooting. He mostly works with Debian/Ubuntu Linux, Nginx and Apache web server, MariaDB/MySQL/PostgreSQL, PHP, Cloud infrastructure (e.g. Nextcloud) and other open source projects (e.g. Roundcube), and has done voluntary work for the Dr. Michael & Angela Jacobi Stiftung for more than 7 years.