# Custom Hostname for Mail-In-A-Box Webmail (Roundcube)
Typically, when you access webmail on a MIAB system, it's at `hostname/mail`. That's neat and all...but I've complicated things: the server running
my MIAB installation isn't the same as my main webserver, so this winds up being `mail.hostname/mail`.
But what if I wanted `webmail.hostname`?
## Custom configs "not supported".
One of the upsides of MIAB is that it does everything for you...even more so if you let it run as the NS server for your domain. Even if you have to punch
in all the records on your existing server, it configures the mta-sts and DKIM stuff for you. This comes at a price, as virtually every single configuration
is locked down and overwritten frequently. So any nginx config changes you make will disappear...that is, except for `/etc/nginx/sites-available` stuff. After
studying the various scripts that run this thing, it doesn't seem to make any changes to confs in this directory; instead it just modifies the main nginx
conf file and sticks host names in there. Thankfully...that doesn't stop nginx from reading custom hosts as normal. So we can just create the hostname in
our DNS records and load as normal.
### /etc/nginx/sites-available/webmail.conf
```
server {
    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php;

    server_name webmail.domain;

    rewrite ^/mail$ /mail/ redirect;
    rewrite ^/mail/$ /mail/index.php;

    location = / {
        return 301 https://webmail.domain/mail;
    }

    location /mail/ {
        index index.php;
        alias /usr/local/lib/roundcubemail/;
    }

    location ~ /mail/config/.* {
        # A ~-style location is needed to give this precedence over the next block.
        return 403;
    }

    location ~ /mail/.*\.php {
        # note: ~ has precedence over a regular location block
        include fastcgi_params;
        fastcgi_split_path_info ^/mail(/.*)()$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/local/lib/roundcubemail/$fastcgi_script_name;
        fastcgi_pass php-fpm;

        # Outgoing mail also goes through this endpoint, so increase the maximum
        # file upload limit to match the corresponding Postfix limit.
        client_max_body_size 128M;
    }

    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php-fpm (or other unix sockets):
    #    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    #    # With php-cgi (or other tcp sockets):
    #    fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}
```
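
The precedence comment in the config above, worked through as an added example (not part of the original page or MIAB's own code): a small Python model of nginx's location selection shows why the `/mail/config/` deny rule has to be a `~` location listed before the PHP one. The two variant layouts, the labels and the sample request paths are constructed for illustration.

```python
import re

# Constructed model of nginx location selection: exact (=) match, then the
# longest prefix, then regex (~) locations in file order. Server-level
# rewrites are not modelled. Labels are illustrative names, not nginx terms.
PAGE = [
    ("=", "/", "redirect"),
    ("prefix", "/mail/", "static"),
    ("~", r"/mail/config/.*", "deny-403"),
    ("~", r"/mail/.*\.php", "php-fpm"),
]
# Hypothetical variant: the deny rule written as a plain prefix location.
PREFIX_DENY = [PAGE[0], PAGE[1], ("prefix", "/mail/config/", "deny-403"), PAGE[3]]
# Hypothetical variant: the page's blocks with the PHP regex listed first.
PHP_FIRST = [PAGE[0], PAGE[1], PAGE[3], PAGE[2]]


def select_location(locations, uri):
    """Return the label of the location block nginx would choose for uri."""
    for kind, pattern, label in locations:
        if kind == "=" and uri == pattern:
            return label  # an exact match ends the search immediately
    best = None
    for kind, pattern, label in locations:
        if kind in ("prefix", "^~") and uri.startswith(pattern):
            if best is None or len(pattern) > len(best[1]):
                best = (kind, pattern, label)
    if best and best[0] == "^~":
        return best[2]  # ^~ on the longest prefix skips the regex pass
    for kind, pattern, label in locations:
        if kind == "~" and re.search(pattern, uri):
            return label  # the first matching regex in file order wins
    return best[2] if best else None  # fall back to the longest prefix


def compare(uri):
    """Show which block handles uri under each of the three layouts."""
    layouts = {"page": PAGE, "prefix_deny": PREFIX_DENY, "php_first": PHP_FIRST}
    return {name: select_location(locs, uri) for name, locs in layouts.items()}


if __name__ == "__main__":
    # Constructed sample request paths.
    for uri in ["/", "/mail/index.php", "/mail/program/js/app.js",
                "/mail/config/config.inc.php"]:
        print(uri, compare(uri))
```

Only the page's layout sends `/mail/config/config.inc.php` to the 403 block; in both variants the request is handed to PHP-FPM instead.
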
We still have to redirect `webmail.domain` to `webmail.domain/mail` or Roundcube won't work. Now you just need to add SSL.
## Adding SSL
You'll have to install the nginx plugin for certbot, as MIAB usually does certs itself. It will not be aware of our webmail server block...and that's okay.

`sudo apt install python3-certbot-nginx`

Then you need to run certbot as normal, making sure you pick your webmail host for the cert.

`sudo certbot`
## That's All
Once SSL is installed you should be able to visit `webmail.domain` which will automatically redirect to `webmail.domain/mail` and load Roundcube.