The Roundcube Webmail suite

Related tags

roundcubemail
Overview

Roundcube Webmail

roundcube.net

Build Status

ATTENTION

This is just a snapshot from the GIT repository and is NOT A STABLE version of Roundcube. It's not recommended to replace an existing installation of Roundcube with this version. Also using a separate database for this installation is highly recommended.

INTRODUCTION

Roundcube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an email client, including MIME support, address book, folder management, message searching and spell checking. Roundcube Webmail is written in PHP and requires the MySQL, PostgreSQL or SQLite database. With its plugin API it is easily extendable and the user interface is fully customizable using skins.

The code designed to run on a webserver is mainly written in PHP and Javascript. It includes a custom framework with an IMAP library derived from IlohaMail and requires a set of external libraries (see composer.json and jsdeps.json files).

INSTALLATION

For detailed instructions on how to install Roundcube webmail on your server, please refer to the INSTALL document in the same directory as this document.

If you're updating an older version of Roundcube please follow the steps described in the UPGRADING file.

BROWSER SUPPORT

Roundcube uses jQuery 3.x for its client and therefore inherits the browser support from there. This currently includes:

  • Chrome: (Current - 1) and Current
  • Edge: (Current - 1) and Current
  • Firefox: (Current - 1) and Current, ESR
  • Internet Explorer: 9+ (11+ for the Elastic skin)
  • Safari: (Current - 1) and Current
  • Opera: Current

LICENSE

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License (with exceptions for skins & plugins) as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see www.gnu.org/licenses/.

This file forms part of the Roundcube Webmail Software for which the following exception is added: Plugins and Skins which merely make function calls to the Roundcube Webmail Software, and for that purpose include it by reference shall not be considered modifications of the software.

If you wish to use this file in another project or create a modified version that will not be part of the Roundcube Webmail Software, you may remove the exception above and use this source code under the original version of the license.

For more details about licensing and the exceptions for skins and plugins see roundcube.net/license

CONTRIBUTION

Want to help make Roundcube the best webmail solution ever? Roundcube is open source software. Our developers and contributors all are volunteers and we're always looking for new additions and resources. For more information visit roundcube.net/contribute

CONTACT

For bug reports or feature requests please refer to the tracking system at Github or subscribe to our mailing list. See roundcube.net/support for details.

You're always welcome to send a message to the project admin: hello(at)roundcube(dot)net

Issues
  • Scrolling message list obscures column headers

    Scrolling message list obscures column headers

    Reported by willm23 on 19 Sep 2005 13:32 UTC as Trac ticket #1295420

    On the message list page, the scrollbar for the message list scrolls the entire table, including the column headers.

    Suggest that the correct behaviour would be to leave the column headers and scroll the message rows themselves?

    Keywords: jquery plugin Migrated-From: http://trac.roundcube.net/ticket/1295420

    bug C: User Interface 
    opened by rcubetrac 71
  • Attachment Excessive Memory Use Error

    Attachment Excessive Memory Use Error

    Reported by JohnDoh on 12 Nov 2007 10:49 UTC as Trac ticket #1484660

    Hi,

    I know tickets have been created about this before but I cant find the exact one and many of them seem to be lost in some kind of "dupicate of" hell. I thought it was probably easier to just start a new one. I applogies if I am repeating others informaiton but I cant find the previous tickets.

    The amount of memory required to send an email with attachments seems to massivly out way the size of the attachments giving an error like:

    "Fatal error: Allowed memory size of blah bytes exhausted (tried to allocate blah bytes)"

    in the error log.

    (thrown by the quotedata() function in program/lib/Net/SMTP.php)

    Examples: required more than 64mb to send 7mb attachment or 25mb to send 5.5

    More people are now reporting this on the forum (http://roundcubeforum.net/forum/index.php?topic=1811.0)

    I know that the attachment size limits (which I think only apply to individual files, not the combined size) and the php memory limits can be altered but i dont think this counts as a solution when the difference in requirements is so great

    This still occurs in SVN890

    Thanks and sorry again if I am repeating stuff but I cant track down the previos tickets which I know exist about this exact issue.

    Keywords: pear mail mime encode memory optimize Migrated-From: http://trac.roundcube.net/ticket/1484660

    enhancement C: PHP backend 
    opened by rcubetrac 61
  • OAuth/XOauth support

    OAuth/XOauth support

    Hi All, I just got this Message from Office 365:

    `Beginning October 13, 2020, we will retire Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online. Note: this change does not impact SMTP AUTH.

    There are several actions that you and/or your users can take to avoid service disruptions on client applications, and we describe them below. If no action is taken, client applications using Basic Authentication for EWS will be retired on October 13, 2020.`

    Is it possible to support Office 365 Oauth 2.0 By Default?

    enhancement C: IMAP C: SMTP 
    opened by rayflexcom 51
  • Add support for shared folders - patch

    Add support for shared folders - patch

    Reported by geeojr on 12 Jan 2006 01:53 UTC as Trac ticket #1403507

    I can't see shared folders with Courier. Courier-imap makes shared folders available at the root level. Root level contains: INBOX. & shared. -- need to check for both.

    Migrated-From: http://trac.roundcube.net/ticket/1403507

    enhancement C: Core functionality 
    opened by rcubetrac 49
  • Signature above original message on reply

    Signature above original message on reply

    Reported by HYS on 7 Mar 2007 12:01 UTC as Trac ticket #1484272

    Now the signature is placed completely below the body of the message. I'd like to have my signature under my answer and above the original message.

    Keywords: signature Migrated-From: http://trac.roundcube.net/ticket/1484272

    enhancement C: User Interface worksforme 
    opened by rcubetrac 46
  • GnuPG/PGP Support

    GnuPG/PGP Support

    Reported by nobody on 28 Feb 2006 15:29 UTC as Trac ticket #1440396

    This would be a nice feature, altough it could probably
    only be implemented on Unix/Linux boxes.
    

    Keywords: glu Migrated-From: http://trac.roundcube.net/ticket/1440396

    enhancement C: Plugins 
    opened by rcubetrac 45
  • HTML mails have wrong Content-Type

    HTML mails have wrong Content-Type

    The attached mail was written with the built-in message composer in mode HTML and stored as draft. Being a multipart mail the Content-Type "text/plain" is wrong. Also the boundary delimiter is not defined in the header.

    Roundcube-HTML-mail.txt

    bug C: Mail composing 
    opened by ghmail 43
  • Unvoluntary session hijacking

    Unvoluntary session hijacking

    Reported by bartd on 5 Nov 2009 11:30 UTC as Trac ticket #1486281

    Rouncube will sometimes display messages from other user's mailboxes given the fact that both users are accessing rcm from the same ip address but independent of the time in between their sessions.

    The messagelist always shows the real user's messages but the preview pane or opening the e-mail will show headers & body from another mailbox that was accessed from the same client ip address.

    I've seen cases were user B logs in 3 days after user A and somehow gets old of his old session which is reused to retrieve the messages. It only happens with users who share the same ip address, ie large corporate networks using NAT.

    using double_auth did not fix the issue. neither did upgrading to 0.3.1. Is REMOTE_ADDR somehow used to reuse sessions?

    PHP version: 5.3.1 RCM: 0.3.1 imapd: dovecot 1.2.5 through perdition browser: problem is independent of browser, has occured in IE7 and FF3 reproducable: yes and no, I've haven't been able to reproduce but it happens on a daily basis with a large userbase.

    I do have a screenshot demonstrating the problem, but I shouldn't upload it where it's publicly viewable.

    Migrated-From: http://trac.roundcube.net/ticket/1486281

    bug C: Security 
    opened by rcubetrac 43
  • Session Timeout on Compose Screen

    Session Timeout on Compose Screen

    Reported by afladmark on 11 Aug 2006 16:09 UTC as Trac ticket #1483951

    When I sit on the compose screen for a while, (on my system its less than 15 minutes) I eventually get thrown out of RoundCube (I think during an auto-save) with an error that my session has expired or is invalid. Shouldn't the Draft auto-save be keeping my session alive?

    Migrated-From: http://trac.roundcube.net/ticket/1483951

    bug C: Client Scripts 
    opened by rcubetrac 40
  • internal error on sending mail with special chars

    internal error on sending mail with special chars

    Reported by fsu on 14 Jan 2009 14:19 UTC as Trac ticket #1485687

    I got "internal error occured" -error on sending mail with scandinavian chars.

    I also made patch to fix it. it's not optimal solution but I got my webmail working again..

    Keywords: attachment Migrated-From: http://trac.roundcube.net/ticket/1485687

    bug C: PHP backend worksforme 
    opened by rcubetrac 39
  • Elastic: Accessibility difficulties (blue color)

    Elastic: Accessibility difficulties (blue color)

    Hi,

    we have a user who has difficulties distinguishing the blue highlight/accent color from the background. The sign in and send buttons and the mail count indicator on the individual folders are completely invisible to him. In the side navigation, he has difficulties identifying the the labels and icons.

    We just did some tests and he has no difficulties reading black text on the aforementioned buttons.

    His impairment is not the traditional color blindness, therefore just considering sufficient contrast between background and foreground does not help in his case.

    As he can use a mail app for reading emails, this issue is not that urgent.

    opened by chris246 0
  • New folders are created with

    New folders are created with "Sent" Icon

    I made a new folder inside "Archive" and its icon turned to the "sent" icon (paper plane). I made a new folder inside "Received" and its icon turned to the "sent" icon, too bug

    Roundcube Webmail 1.4.11 Plugins:

    additional_message_headers | 1.2.1 advanced_search | 3.4 archive | 3.4   attachment_reminder | 1.1 automatic_addressbook |   cloud_button | 1.0.2 contextmenu | 3.2.1 emoticons | 2.0 enigma | 0.8 fail2ban | 1.3 filesystem_attachments | 1.0 filters | 2.2.1 forward | -- globaladdressbook | 2.0.1 hide_blockquote | 1.0 html5_notifier | 0.6.4 identity_select | 1.1 jqueryui | 1.12.0 markasjunk | 2.0 message_list_attachment_size | -- |   |   new_user_dialog | 2.4 show_additional_headers | 2.0 show-folder-size |   subscriptions_option | 1.4 swipe | 0.4 userinfo | 1.2 vacation | -- xbackground | 1.1.8 xcalendar | 1.9.3 xemail_schedule | 1.1.4 xskin | 1.7.2 zipdownload | 3.4

    need feedback 
    opened by jgmy 2
  • [Feature Request] Hide empty folders

    [Feature Request] Hide empty folders

    For certain workflows, it would be a great productivity improvement to not show folders with 0 messages.

    enhancement C: User Interface 
    opened by 3nprob 3
  • mail list in the Elastic theme does not show message size with out hovering over a specific item

    mail list in the Elastic theme does not show message size with out hovering over a specific item

    When using the Elastic theme, one can't see the size with out hovering the mouse over the item in the list in question.

    This is bad for using it on touch screen interfaces as in general moving the mouse with out clicking/dragging is not something that is usually supported.

    need feedback 
    opened by VVelox 1
  • Make DirectAdmin driver follow the redirects

    Make DirectAdmin driver follow the redirects

    Simply just apply the following patch for drivers/directadmin.php:

    256c256,258
    < curl_setopt($ch, CURLOPT_HEADER, 1);
    ---
    > curl_setopt($ch, CURLOPT_HEADER, 1);
    > curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    > curl_setopt($ch, CURLOPT_POSTREDIR, CURL_REDIR_POST_ALL);
    
    need feedback 
    opened by smtalk 1
  • [Larry] Full message headers toggle resets in certain circumstances

    [Larry] Full message headers toggle resets in certain circumstances

    Let me explain the issue in detail.

    When using the Larry skin, there are three layout modes: "Desktop", "Widescreen", and "List". In every mode except "List", most of the message headers are hidden in the preview area. However, there is a toggle button to display more headers:

    image

    There seems to be some code in the skin's javascript file that saves the user's preferred headers display mode. However, it doesn't always work. The preference will reset as soon the user double-clicks on any message in the list to open a dedicated view. This is what this issue is about.

    I'm not entirely sure, but I think this happens because of the following code in ui.js:

    https://github.com/roundcube/roundcubemail/blob/203f45662067f783e1675fe8df04b924b55b8236/skins/larry/ui.js#L174-L176

    Here is the code of toggle_preview_headers for reference:

    https://github.com/roundcube/roundcubemail/blob/203f45662067f783e1675fe8df04b924b55b8236/skins/larry/ui.js#L737-L753

    Note the call to save_pref on line 752. This updates the preference value based on whether the entire headers are now visible. But the problem is, there is no element with id #preview-allheaders in the dedicated view. So when the script tries to toggle full headers in this view based on the preference value, it always gets reset to 0.

    I think this happens because toggle_preview_headers is called for both show and preview actions. It is quite likely that it should only be called for the preview action instead, since there is no headers toggle option in the dedicated view (i.e. show).

    bug C: User Interface 
    opened by Player701 0
  • Database schema update failed.

    Database schema update failed.

    I am installing Roundcube 1.4.11 then i got the error image

    need feedback 
    opened by mmm25002500 1
  • OAuth discovery support

    OAuth discovery support

    Hi. Currently several URIs are mandatory in the oauth configuration:

    // Mandatory: URI for OAuth user authentication (redirect)
    $config['oauth_auth_uri'] = null;
    
    // Mandatory: Endpoint for OAuth authentication requests (server-to-server)
    $config['oauth_token_uri'] = null;
    
    // Optional: Endpoint to query user identity if not provided in auth response
    $config['oauth_identity_uri'] = null;
    

    However there is an OAuth draft and a OIDC spec that define standard URLs for json files describing the server metadata, and among other things, those URLs.

    I suggest supporting those specs in roundcube, guess those URLs when possible, and make the configuration entries optional.

    What do you think?

    enhancement C: Core functionality 
    opened by azmeuk 1
  • Password plugin breaks on newest version of dovecot 2.3.16 from repo dovecot-2.3-latest

    Password plugin breaks on newest version of dovecot 2.3.16 from repo dovecot-2.3-latest

    • Roundcube 1.4.11
    • Dovecot 2.3.16
    • RHEL 8

    The password plugin was working fine with dovecot 2.3.8 but after updating to dovecot 2.3.16 the password plugin gives the error:

    Could not save new password.
    Encryption function missing.
    

    I rolled dovecot back to 2.3.8 and the plugin started working again. Re-upgraded to 2.3.16 and it broke again.

    The settings in plugins/password/config.inc.php im changing over defaults are:

    $config['password_disabled'] = false;
    $config['password_driver'] = "sql";
    $config['password_confirm_current'] = true;
    $config['password_force_save'] = true;
    $config['password_force_new_user'] = false;
    $config['password_algorithm'] = "dovecot";
    $config['password_dovecotpw_method'] = "BLF-CRYPT";
    $config['password_dovecotpw_with_method'] = false;
    $config['password_blowfish_cost'] = 12;
    $config['password_dovecotpw'] = "/usr/bin/doveadm pw";
    $config['password_db_dsn'] = "mysql://...redacted...";
    $config['password_query'] = "UPDATE accounts SET passwd=%P WHERE email=%u LIMIT 1";
    

    Checking doveadm pw -l shows:

    SHA1 SSHA512 SCRAM-SHA-256 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA DES-CRYPT CRYPT SSHA MD5-CRYPT PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 SHA512-CRYPT CLEAR CLEARTEXT SSHA256 MD5 PBKDF2 SHA256 CRAM-MD5 PLAIN-TRUNC SHA256-CRYPT SMD5 DIGEST-MD5 LDAP-MD5
    

    Manually running doveadm pw -s BLF-CRYPT works:

    Enter new password:
    Retype new password:
    {BLF-CRYPT}$2y$05$H0jJ7bNXI8Plo2CYJtOpgORVjnIj/FzgxMMK3syCTTVgsRPqpu3HW
    

    Nothing shows up in any of the logs for roundcube, php-fpm or httpd. How to trouble shoot this?

    need feedback 
    opened by Github-Citizen 6
  • Don't use session's search scope if search is not active

    Don't use session's search scope if search is not active

    Note: This is not a debian package manager bug as I thought. Some stupidity on my end while trying to debug this issue led me to believe that. (See closed issue #8198). I'm reopening this issue in a new thread to minimize confusion.

    As best I can tell from looking at the code, roundcube is supposed to remember the search_scope stored in $_SESSION so that when switching between folders, the same scope is kept.

    However, when switching between folders, the search_scope is not remembered and it defaults to "base." The user is forced to refresh the page manually to get the "Seach scope" setting to the value stored in the session.

    A simple hack to the code gives me the behavior I desire (always default to search all folders because I'm using solr to perform searches which is fast):

    2696c2696
    <       this.env.search_scope = 'base';
    ---
    >       this.env.search_scope = 'all';
    

    Obviously this is not the proper fix. This code is to just illustrate the problem.

    bug C: User Interface minor 
    opened by sdondley 2
Releases(1.5-rc)
  • 1.5-rc(Jul 3, 2021)

    This is the release candidate for the next major version 1.5 of Roundcube webmail. Based on the feedback we received from the beta release and some new features from the backlog, we have now finalized the development branch to prepare the final version. See the changelog below for details.

    Some noteworthy additions since 1.5-beta are

    • Support of XOAUTH2 in Managesieve plugin
    • Support of IMAP LITERAL- extension [RFC 7888]
    • Support of RFC 2231 encoded names
    • Plugin hooks for OAuth events

    We believe it is production ready, but we recommend to test it on a separate environment. And don't forget to backup your data before installing it.

    CHANGELOG

    • Upgrade to TinyMCE 5.8.2
    • SMTP XCLIENT support (#7893, #6411)
    • Add IDN homograph attack (spoofing) detection [CVE-2019-15237] (#6891)
    • Add configuration options for subject prefixes (#7929, #4981)
    • Support IMAP LITERAL- extension [RFC 7888] (#6878)
    • Warn the user about a potential data leak on mail bounce or forward (#7993)
    • Make the Empty action available for every non-empty folder, not only Trash (#7948)
    • Remove (incorrect) use of Return-Receipt-To header (#8069)
    • Submit various simple dialog forms with the Enter key (#7133)
    • Add RFC2231 support to rcube_mime_decode (#7390)
    • Plugin API: Allow modification of 'error' argument in message_send_error hook (#7914)
    • OAuth: add plugin hooks oauth_login and oauth_refresh_token for oauth events (#8028, #8040)
    • Debug_logger: Fix the main plugin functionality and documentation (#8041)
    • Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
    • Enigma: Fix invalid expiration dates of PGP keys on a 32bit system (#7531)
    • Enigma: Display an information that public and private keys are stored on the server (#7941)
    • Enigma: Optional support for passwordless keys (#7265)
    • Managesieve: Fix removing nested rules in scripts (#8011)
    • Managesieve: Support XOAUTH2, requires Net_Sieve 1.4.5 (#7925)
    • Managesieve: Added ability to remove 'redirect' option from UI (#7922)
    • New_user_dialog: Use the identity_update hook (#8023)
    • Password: Fix broken 'hmail' driver (#7966)
    • Password: Set password_minimum_length to 8 by default (#8003)
    • Vcard_attachments: Improve handling of multiple contacts (#7027)
    • Fix inserting a group from non-default source using the Insert contact(s) dialog (#8095)
    • Fix invalid search fields after search scope change (#6919)
    • Fix so "Always allow from..." button appears also when allow_images=3 (#7961)
    • Fix Elastic's pretty select scroll position in Chrome (#7964)
    • Fix bug where invalid non-unicode characters in JSON output could make the UI unresponsive (#7955)
    • Fix PHP 8 fatal error when allowing images in an email (#7968)
    • Fix so session expiration is more precise and do not depend on the garbage collector (#7576)
    • Fix bug where imap_conn_options settings were ignored (#7912)
    • Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
    • Fix bug when sending an email and recipient's email address contains a trailing dot (#7899)
    • Fix bug where the list page wasn't reset when changing a folder on mail view page (#7932)
    • Fix so selecting the same folder to reset search resets also the page number (#7125)
    • Fix login page rendering after oauth failure (#7812,#7923)
    • Fix bug where assigning users to groups via menu (not drag'n'drop) could fail in Elastic theme (#7973)
    • Fix HTML5 parser issue with a messy HTML code from Outlook (#7356)
    • Fix handling of multiple link references with the same index in plain text message (#8021)
    • Fix various actions on folders with angle brackets in name (#8037)
    • Fix inconsistent fowarding actions statuses on drafts (#8039)
    • Fix bug where start and reversed attributes of ol tag were ignored (#8059)
    • Fix bug where consecutive LDAP searches could return wrong results (#8064)
    • Fix bug where plus characters in attachment filename could have been ignored (#8074)
    • Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat)
    • Fix handling of custom sender addresses with names (#8106)
    • Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.5-rc.tar.gz(3.25 MB)
    roundcube-framework-1.5-rc.tar.gz.asc(862 bytes)
    roundcubemail-1.5-rc-complete.tar.gz(7.32 MB)
    roundcubemail-1.5-rc-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.5-rc.tar.gz(4.25 MB)
    roundcubemail-1.5-rc.tar.gz.asc(862 bytes)
  • 1.5-beta(Feb 25, 2021)

    This is a beta release for the next major version 1.5 of Roundcube webmail. With this milestone we introduce new features and long-awaited improvements. The most noteworthy additions are:

    • PHP 8.0 support
    • OAuth2/XOauth support
    • Dark mode for Elastic skin
    • Collected recipients and trusted senders
    • Moving recipients between inputs with drag & drop
    • Full unicode support with MySQL database
    • Cache refactoring

    Adding support for PHP 8 required some deep refactoring of the Roundcube codebase which started with early PHP 5 versions. However, this refactoring also was a bit of a cleaning procedure and resulted in more testable components.

    In case you're running Roundcube directly from source or if you're not using the complete package, you need to install 3rd party javascript modules using the bin/install-jsdeps.sh script. With this release the toolchain required to build a functional package has changed a bit:

    • bin/jsshrink.sh: replaced google-closure-compiler with UglifyJS
    • bin/cssshrink.sh: replaced yuicompressor with csso
    • Elastic theme: require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css

    This is a beta release and we recommend to test it on a separate environment. And don't forget to backup your data before installing it.

    CHANGELOG

    • Require PHP >= 5.5
    • Support PHP 8.0 (#7625)
    • Require php-intl
    • Remove use of Net_IDNA2 package
    • Require GuzzleHttp\Client
    • Upgrade to TinyMCE 5.5.1
    • Upgrade to jQuery 3.5.1 (#7464)
    • Update build tools (#7800, #7804, #7497):
      • jsshrink.sh: Replace google-closure-compiler with UglifyJS
      • cssshrink.sh: Replace yuicompressor with csso
      • require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css for Less files compilation
    • Automatically collected recipients and trusted senders (#6904)
      • Added configurable Collected Recipients addressbook source (#4971)
      • Added configurable Trusted Senders addressbook source (#5046)
      • Added 'contact_exists' hook
      • Added separate "trusted senders" options for show_images and mdn_request preferences (#7614)
    • Contact form mode: private/business (#7630)
    • OAuth/XOauth support (#7425, #6933)
    • Cache refactoring (#6312)
    • Added special value 'email' to login_username_filter, it changes also logon input type (#7179)
    • Allow array in smtp_host config (#7296)
    • Support proxy for server-side HTTP requests (#7658)
    • By default do not set the User-Agent header (#7731)
    • Add posibility to (re-)define field mapping on contacts import from a CSV file (#7045, #6668)
    • Move "On request for return receipt" from "Mailbox View" to "Displaying Messages" (#7614)
    • Support RFC8438: IMAP STATUS=SIZE - for faster folder size calculation (#7269)
    • MySQL: Use utf8mb4 charset and utf8mb4_unicode_ci collation (#6535, #7113)
    • Allow NULL in users.preferences column in postgres and sqlite db, the same as for other engines (#7767)
    • Support for language codes up to 16 chars long (e.g. es-419) in database schema (#6851)
    • Relaxed domain name validation for extended TLDs support (#5588)
    • Allow opening application/octet-stream attachments according to filename extension (#6821)
    • Added support for INSERT OR REPLACE queries (#6771)
    • Allow skins to define which layout options they support (#7235)
    • Extract RFC2231 attachment name from message headers (#6729, #6783)
    • Add support for SameSite cookie attribute via session_samesite option (req PHP >= 7.3.0) (#6772)
    • Change folders sorting so shared/other users namespaces are listed last (#5012)
    • Display a warning and do not try to open empty attachments (#7332)
    • Return 204 rather than 404 on missing contact photo (#7777)
    • Add 'reconnect' plugin to retry IMAP connection (#7844)
    • Plugin API: Added 'message' argument to 'message_compose_body' hook
    • Plugin API: Added 'preferences' parameter to 'user_create' hook (#7692)
    • Elastic: Dark mode (#6709)
    • Elastic: Display email size on the list of messages (#7162)
    • Elastic: Replace properties sidebar with a dialog on the attachment preview page (#7635)
    • Elastic: Minimize forms/colors blink on page load
    • Elastic: Improve mail header "detailed mode" (#7224)
    • Elastic: Moving single recipients between recipient inputs with drag-n-drop (#5069)
    • Elastic: Display a special icon for other users and shared namespace roots (#5012)
    • Elastic: Support space-separated email addresses in recipient input (#6529, #6457)
    • Elastic: Remember list checkbox selection state (#7148)
    • Elastic: Add "Open in new window" in mail compose (#7260)
    • Elastic: Make custom less files optional (#7497)
    • Elastic: Prevent from opening mail preview in a new window on touch devices using double tap (#7732)
    • Templates: Add support for expressions in object attributes (#7237)
    • Templates: Add support for nested if conditions (#6818)
    • Templates: Make [space][slash] ending of condition objects optional (#6954)
    • Mailvelope: Fix size of iframe for PGP-inlined mail (#7348)
    • Mailvelope: Add config option to use Main Keyring (#7348, #7157)
    • Mailvelope: Add config option to set the size for new keys (#7348)
    • Mailvelope: Always ask before discarding email currently being composed (#7348)
    • Mailvelope: Fix unnecessary warning to re-add attachments when restoring a draft (#7348)
    • Archive: Added options to split archive by year or year+month and folder (#7216)
    • Enigma: Support ECC key generation - when using GnuPG >= 2.1.7 (#6853)
    • Managesieve: Add support for 'spamtest' extension - RFC3685 (#6950)
    • Managesieve: Allow display name with email address in vacation :from field (#6760)
    • Managesieve: Improve UX on custom header input (#7207)
    • Managesieve: Fix bug where activation of forward/vacation rule could activate a wrong script (#7423)
    • Managesieve: Fix bug where forward/vacation rule could end up being duplicated (#7349)
    • new_user_identity: Fix missing password for user-specific LDAP operations (#7667)
    • Password: Added 'pwned' password strength driver (#7274)
    • Password: Added Mail-in-a-Box (miab) driver (#7824)
    • Password: Added TinyCP driver (#7510)
    • Password: Added httpapi driver to connect to generic HTTP/HTTPS APIs (#7439)
    • Password: Added dovecot_passwdfile driver (#5786)
    • Password: Removed old 'cpanel' driver, 'cpanel_webmail' driver renamed to 'cpanel' (#7780)
    • Fix handling of address groups in email headers by ignoring their names (#7663)
    • Fix so message flags are updated on refresh also for multifolder search results (#7774)
    • Fix so IMAP ID command is send only after authentication (#7517)
    • Fix bug where it wasn't possible to save Spanish (Latin America) locale preference (#7784)
    • Fix mail search error on invalid search_mods definition (#7789)
    • Fix error when dealing with message/rfc822 attachments using Gmail IMAP (#6854)
    • Fix ISO-2022-JP-MS encoding issues (#7091)
    • Fix so messages in threads with no root aren't displayed separately (#4999)
    • Fix so anchor tags without href attribute are not modified (#7413)
    • Fix invalid IMAP SEARCH command in some rare case on messages cache synchronization (#7895)
    • Fix so allowing remote resources does not add an entry to browser history (#6620)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.5-beta.tar.gz(2.02 MB)
    roundcube-framework-1.5-beta.tar.gz.asc(862 bytes)
    roundcubemail-1.5-beta-complete.tar.gz(7.22 MB)
    roundcubemail-1.5-beta-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.5-beta.tar.gz(4.23 MB)
    roundcubemail-1.5-beta.tar.gz.asc(862 bytes)
  • 1.4.11(Feb 8, 2021)

    This is a service and security update to the stable version 1.4 of Roundcube Webmail. It provides a fix for a recently reported stored XSS vulnerability as well a some general improvements from our issue tracker. See the full changelog below.

    Security fix

    • Fix cross-site scripting (XSS) via HTML messages with malicious CSS content

    Credits for this finding go to Mateusz Szymaniec (CERT Polska).

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Display a nice error informing about no PHP8 support
    • Elastic: Fix compatibility with Less v3 and v4 (#7813)
    • Fix bug with managesieve_domains in Settings > Forwarding form (#7849)
    • Fix errors in MSSQL database update scripts (#7853)
    • Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4.11.tar.gz(1.96 MB)
    roundcube-framework-1.4.11.tar.gz.asc(862 bytes)
    roundcubemail-1.4.11-complete.tar.gz(6.72 MB)
    roundcubemail-1.4.11-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4.11.tar.gz(4.16 MB)
    roundcubemail-1.4.11.tar.gz.asc(862 bytes)
  • 1.4.10(Dec 27, 2020)

    This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains a fix for a recently reported stored XSS vulnerability as well a small number of general improvements from our issue tracker. See the full changelog below.

    Security fix

    • Stored cross-site scripting (XSS) via HTML or plain text messages with malicious content [CVE-2020-35730]

    Credits for this finding go to Alex Birnberg.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655)
    • Fix folder list issue when special folder is a subfolder (#7647)
    • Fix Elastic's folder subscription toggle in search result (#7653)
    • Fix state of subscription toggle on folders list after changing folder state from the search result (#7653)
    • Security: Fix cross-site scripting (XSS) via HTML or plain text messages with malicious content
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4.10.tar.gz(1.96 MB)
    roundcube-framework-1.4.10.tar.gz.asc(862 bytes)
    roundcubemail-1.4.10-complete.tar.gz(6.71 MB)
    roundcubemail-1.4.10-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4.10.tar.gz(4.16 MB)
    roundcubemail-1.4.10.tar.gz.asc(862 bytes)
  • 1.3.16(Dec 27, 2020)

    This is a security update to the LTS version 1.3. It fixes a recently reported stored cross-site scripting (XSS) vulnerability via HTML or plain text messages with malicious content [CVE-2020-35730].

    Credits for this finding go to Alex Birnberg.

    This version in considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.3.16.tar.gz(1.20 MB)
    roundcube-framework-1.3.16.tar.gz.asc(862 bytes)
    roundcubemail-1.3.16-complete.tar.gz(5.23 MB)
    roundcubemail-1.3.16-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.3.16.tar.gz(3.08 MB)
    roundcubemail-1.3.16.tar.gz.asc(862 bytes)
  • 1.2.13(Dec 27, 2020)

    This is a security update to the LTS version 1.2. It fixes a recently reported stored cross-site scripting (XSS) vulnerability via HTML or plain text messages with malicious content [CVE-2020-35730].

    Credits for this finding go to Alex Birnberg.

    We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please do backup your data before updating!

    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.2.13.tar.gz(1.18 MB)
    roundcube-framework-1.2.13.tar.gz.asc(862 bytes)
    roundcubemail-1.2.13-complete.tar.gz(3.79 MB)
    roundcubemail-1.2.13-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.2.13.tar.gz(3.50 MB)
    roundcubemail-1.2.13.tar.gz.asc(862 bytes)
  • 1.4.9(Sep 27, 2020)

    This is a service update to the stable version 1.4 of Roundcube Webmail. It contains fixes and general improvements from our issue tracker, mainly related to email composition and UI oddities in Elastic skin and with the TinyMCE richtext editor. See the full changelog below.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Fix HTML editor in latest Chrome 85.0.4183.102, update to TinyMCE 4.9.11 (#7615)
    • Add missing localization for some label/legend elements in userinfo plugin (#7478)
    • Fix importing birthday dates from Gmail vCards (BDAY:YYYYMMDD)
    • Fix restoring Cc/Bcc fields from local storage (#7554)
    • Fix jstz.min.js installation, bump version to 1.0.7
    • Fix incorrect PDO::lastInsertId() use in sqlsrv driver (#7564)
    • Fix link to closure compiler in bin/jsshrink.sh script (#7567)
    • Fix bug where some parts of a message could have been missing in a reply/forward body (#7568)
    • Fix empty space on mail printouts in Chrome (#7604)
    • Fix empty output from HTML5 parser when content contains XML tag (#7624)
    • Fix scroll jump on key press in plain text mode of the HTML editor (#7622)
    • Fix so autocompletion list does not hide on scroll inside it (#7592)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4.9.tar.gz(1.96 MB)
    roundcube-framework-1.4.9.tar.gz.asc(862 bytes)
    roundcubemail-1.4.9-complete.tar.gz(6.71 MB)
    roundcubemail-1.4.9-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4.9.tar.gz(4.16 MB)
    roundcubemail-1.4.9.tar.gz.asc(862 bytes)
  • 1.4.8(Aug 10, 2020)

    This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains fixes for recently reported security vulnerabilities as well a small number of general improvements from our issue tracker. See the full changelog below.

    Security fixes

    • Fix potential XSS issue in HTML editor of the identity signature input
    • Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
    • Fix cross-site scripting (XSS) via HTML messages with malicious math content

    Credits for the latter two findings go to Łukasz Pilorz from Pentesters.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Managesieve: Fix too-small input field in Elastic when using custom headers (#7498)
    • Fix support for an error as a string in message_before_send hook (#7475)
    • Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500)
    • Elastic: Fix deleted and replied+forwarded icons on messages list (#7503)
    • Managesieve: Allow angle brackets in out-of-office message body (#7518)
    • Fix bug in conversion of email addresses to mailto links in plain text messages (#7526)
    • Fix format=flowed formatting on plain text part derived from the HTML content (#7504)
    • Fix incorrect rewriting of internal links in HTML content (#7512)
    • Fix handling links without defined protocol (#7454)
    • Fix paging of search results on IMAP servers with no SORT capability (#7462)
    • Fix detecting special folders on servers with both SPECIAL-USE and LIST-STATUS (#7525)
    • Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
    • Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
    • Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4.8.tar.gz(1.96 MB)
    roundcube-framework-1.4.8.tar.gz.asc(862 bytes)
    roundcubemail-1.4.8-complete.tar.gz(6.70 MB)
    roundcubemail-1.4.8-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4.8.tar.gz(4.16 MB)
    roundcubemail-1.4.8.tar.gz.asc(862 bytes)
  • 1.3.15(Aug 10, 2020)

    This is a security update to the LTS version 1.3. It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.

    Credits for these findings go to Łukasz Pilorz from Pentesters.

    This version in considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.3.15.tar.gz(1.20 MB)
    roundcube-framework-1.3.15.tar.gz.asc(862 bytes)
    roundcubemail-1.3.15-complete.tar.gz(5.23 MB)
    roundcubemail-1.3.15-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.3.15.tar.gz(3.08 MB)
    roundcubemail-1.3.15.tar.gz.asc(862 bytes)
  • 1.2.12(Aug 10, 2020)

    This is a security update to the LTS version 1.2. It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.

    Credits for these findings go to Łukasz Pilorz from Pentesters.

    We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please do backup your data before updating!

    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.2.12.tar.gz(1.18 MB)
    roundcube-framework-1.2.12.tar.gz.asc(862 bytes)
    roundcubemail-1.2.12-complete.tar.gz(3.79 MB)
    roundcubemail-1.2.12-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.2.12.tar.gz(3.50 MB)
    roundcubemail-1.2.12.tar.gz.asc(862 bytes)
  • 1.4.7(Jul 5, 2020)

    This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains a fix for recently reported security vulnerability as well a small number of general improvements from our issue tracker. See the full changelog below.

    Security fix

    Prevent cross-site scripting (XSS) via HTML messages with malicious svg/namespace (CVE-2020-15562)

    Credits for this finding go to SSD Secure Disclosure.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Fix bug where subfolders of special folders could have been duplicated on folder list
    • Increase maximum size of contact jobtitle and department fields to 128 characters
    • Fix missing newline after the logged line when writing to stdout (#7418)
    • Elastic: Fix context menu (paste) on the recipient input (#7431)
    • Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
    • Fix problem with handling attached images with same name when using database_attachments/redundant_attachments (#7455)
    • Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4.7.tar.gz(1.96 MB)
    roundcube-framework-1.4.7.tar.gz.asc(862 bytes)
    roundcubemail-1.4.7-complete.tar.gz(6.70 MB)
    roundcubemail-1.4.7-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4.7.tar.gz(4.16 MB)
    roundcubemail-1.4.7.tar.gz.asc(862 bytes)
  • 1.3.14(Jul 5, 2020)

    This is a security update to the LTS version 1.3. It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

    Credits for this finding go to SSD Secure Disclosure.

    This version in considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.3.14.tar.gz(1.20 MB)
    roundcube-framework-1.3.14.tar.gz.asc(862 bytes)
    roundcubemail-1.3.14-complete.tar.gz(5.23 MB)
    roundcubemail-1.3.14-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.3.14.tar.gz(3.08 MB)
    roundcubemail-1.3.14.tar.gz.asc(862 bytes)
  • 1.2.11(Jul 5, 2020)

    This is a security update to the LTS version 1.2. It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

    Credits for this finding go to SSD Secure Disclosure.

    We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please do backup your data before updating!

    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.2.11.tar.gz(1.18 MB)
    roundcube-framework-1.2.11.tar.gz.asc(862 bytes)
    roundcubemail-1.2.11-complete.tar.gz(3.79 MB)
    roundcubemail-1.2.11-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.2.11.tar.gz(3.50 MB)
    roundcubemail-1.2.11.tar.gz.asc(862 bytes)
  • 1.4.6(Jun 7, 2020)

    This is a follow-up release to the recently published version 1.4.5 of Roundcube Webmail.

    It contains a single fix for the installer's test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.

    CHANGELOG

    • Installer: Fix regression in SMTP test section (#7417)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4.6.tar.gz(1.96 MB)
    roundcube-framework-1.4.6.tar.gz.asc(862 bytes)
    roundcubemail-1.4.6-complete.tar.gz(6.70 MB)
    roundcubemail-1.4.6-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4.6.tar.gz(4.16 MB)
    roundcubemail-1.4.6.tar.gz.asc(862 bytes)
  • 1.3.13(Jun 7, 2020)

    This is a follow-up release to the recently published version 1.3.12 of Roundcube Webmail.

    It contains a single fix for the installer's test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.

    CHANGELOG

    • Installer: Fix regression in SMTP test section (#7417)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.3.13.tar.gz(1.20 MB)
    roundcube-framework-1.3.13.tar.gz.asc(862 bytes)
    roundcubemail-1.3.13-complete.tar.gz(5.23 MB)
    roundcubemail-1.3.13-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.3.13.tar.gz(3.08 MB)
    roundcubemail-1.3.13.tar.gz.asc(862 bytes)
  • 1.4.5(Jun 2, 2020)

    This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains fixes for recently reported security vulnerabilities as well a number of general improvements from our issue tracker. See the full changelog below.

    Security fixes

    • Fix XSS issue in template object 'username' (#7406)
    • Fix cross-site scripting (XSS) via malicious XML attachment
    • Fix a couple of XSS issues in Installer (#7406)
    • Better fix for CVE-2020-12641

    The latter two vulnerabilities again are related to public access to the Roundcube installer and are therefore classified minor.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)
    • Fix so the database setup description is compatible with MySQL 8 (#7340)
    • Markasjunk: Fix regression in jsevent driver (#7361)
    • Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
    • Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
    • Password: Fix issue with Modoboa driver (#7372)
    • Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
    • Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
    • Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)
    • Fix error when user-configured skin does not exist anymore (#7271)
    • Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
    • Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
    • Security: Fix a couple of XSS issues in Installer (#7406)
    • Security: Fix XSS issue in template object 'username' (#7406)
    • Security: Fix cross-site scripting (XSS) via malicious XML attachment
    • Security: Better fix for CVE-2020-12641
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4.5.tar.gz(1.96 MB)
    roundcube-framework-1.4.5.tar.gz.asc(862 bytes)
    roundcubemail-1.4.5-complete.tar.gz(6.70 MB)
    roundcubemail-1.4.5-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4.5.tar.gz(4.16 MB)
    roundcubemail-1.4.5.tar.gz.asc(862 bytes)
  • 1.3.12(Jun 2, 2020)

    This is a service and security update to the LTS version 1.3 of Roundcube Webmail. It contains four fixes for recently reported security vulnerabilities as well a small number of general improvements backported from the latest stable version. See the full changelog below.

    Security fixes

    • Fix XSS issue in template object 'username' (#7406)
    • Fix cross-site scripting (XSS) via malicious XML attachment
    • Fix a couple of XSS issues in Installer (#7406)
    • Better fix for CVE-2020-12641

    The latter two vulnerabilities again are related to public access to the Roundcube installer and are therefore classified minor.

    This version in considered stable and we recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

    CHANGELOG

    • Security: Better fix for CVE-2020-12641
    • Security: Fix XSS issue in template object 'username' (#7406)
    • Security: Fix couple of XSS issues in Installer (#7406)
    • Security: Fix cross-site scripting (XSS) via malicious XML attachment
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.3.12.tar.gz(1.20 MB)
    roundcube-framework-1.3.12.tar.gz.asc(862 bytes)
    roundcubemail-1.3.12-complete.tar.gz(5.23 MB)
    roundcubemail-1.3.12-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.3.12.tar.gz(3.08 MB)
    roundcubemail-1.3.12.tar.gz.asc(862 bytes)
  • 1.4.4(Apr 29, 2020)

    This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains four fixes for recently reported security vulnerabilities as well a number of general improvements from our issue tracker. See the full changelog below.

    Security fixes

    • Cross-Site Scripting (XSS) via malicious HTML content
    • CSRF attack can cause an authenticated user to be logged out
    • Remote code execution via crafted config options
    • Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

    The latter two vulnerabilities are classified minor because they only affect Roundcube installations with public access to the Roundcube installer. That's generally a high-risk situation and is expected to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done in core in order to also prevent from future and yet unknown attack vectors.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
    • Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
    • Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
    • Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
    • Elastic: Fix color of a folder with recent messages (#7281)
    • Elastic: Restrict logo size in print view (#7275)
    • Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
    • Fix missing contact display name in QR Code data (#7257)
    • Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
    • Fix regression in testing database schema on MSSQL (#7227)
    • Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
    • Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
    • Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
    • Fix handling keyservers configured with protocol prefix (#7295)
    • Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
    • Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
    • Fix so imap error message is displayed to the user on folder create/update (#7245)
    • Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
    • Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
    • Fix characters encoding in group rename input after group creation/rename (#7330)
    • Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
    • Make install-jsdeps.sh script working without the file program installed (#7325)
    • Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
    • Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
    • Security: Fix XSS issue in handling of CDATA in HTML messages
    • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
    • Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
    • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4.4.tar.gz(1.96 MB)
    roundcube-framework-1.4.4.tar.gz.asc(862 bytes)
    roundcubemail-1.4.4-complete.tar.gz(6.70 MB)
    roundcubemail-1.4.4-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4.4.tar.gz(4.15 MB)
    roundcubemail-1.4.4.tar.gz.asc(862 bytes)
  • 1.3.11(Apr 29, 2020)

    This is a service and security update to the LTS version 1.3 of Roundcube Webmail. It contains four fixes for recently reported security vulnerabilities as well a small number of general improvements backported from the latest stable version. See the full changelog below.

    Security fixes

    • Cross-Site Scripting (XSS) via malicious HTML content
    • CSRF attack can cause an authenticated user to be logged out
    • Remote code execution via crafted config options
    • Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

    The latter two vulnerabilities are classified minor because they only affect Roundcube installations with public access to the Roundcube installer. That's generally a high-risk situation and is expected to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done in core in order to also prevent from future and yet unknown attack vectors.

    This version in considered stable and we recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

    CHANGELOG

    • Enigma: Fix compatibility with Mail_Mime >= 1.10.5
    • Fix permissions on some folders created by bin/install-jsdeps.sh script (#6930)
    • Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
    • Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
    • Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given in sendmail.inc (#7003)
    • Security: Fix XSS issue in handling of CDATA in HTML messages
    • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
    • Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
    • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.3.11.tar.gz.asc(862 bytes)
    roundcube-framework-1.4.4.tar.gz(1.96 MB)
    roundcubemail-1.3.11-complete.tar.gz(5.23 MB)
    roundcubemail-1.3.11-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.3.11.tar.gz(3.08 MB)
    roundcubemail-1.3.11.tar.gz.asc(862 bytes)
  • 1.2.10(Apr 29, 2020)

    This is a security update to the LTS version 1.2. It fixes four recently reported security vulnerabilities:

    • Cross-Site Scripting (XSS) via malicious HTML content
    • CSRF attack can cause an authenticated user to be logged out
    • Remote code execution via crafted config options
    • Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

    The latter two vulnerabilities are classified minor because they only affect Roundcube installations with public access to the Roundcube installer. That's generally a high-risk situation and is expected to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done in core in order to also prevent from future and yet unknown attack vectors.

    We strongly recommend to update all productive installations of Roundcube 1.2.x. if you cannot upgrade to a more recent version. Please do backup your data before updating!

    CHANGELOG

    • Fix missing message-htmlpart1 class breaking inline CSS (#6493)
    • Security: Fix XSS issue in handling of CDATA in HTML messages
    • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
    • Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
    • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.2.10.tar.gz(1.18 MB)
    roundcube-framework-1.2.10.tar.gz.asc(862 bytes)
    roundcubemail-1.2.10-complete.tar.gz(3.79 MB)
    roundcubemail-1.2.10-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.2.10.tar.gz(3.50 MB)
    roundcubemail-1.2.10.tar.gz.asc(862 bytes)
  • 1.4.3(Feb 19, 2020)

    This is the third service release to update the stable version 1.4 of Roundcube Webmail. It contains general fixes and improvements to the new Elastic theme as well as some core plugins like Enigma, Managesieve and Markasjunk. See the full changelog below.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Enigma: Fix so key list selection is reset when opening key creation form (#7154)
    • Enigma: Fix so using list checkbox selection does not load the key preview frame
    • Enigma: Fix generation of key pairs for identities with IDN domains (#7181)
    • Enigma: Display IDN domains of key users and identities in UTF8
    • Enigma: Fix bug where "Send unencrypted" button didn't work in Elastic skin (#7205)
    • Managesieve: Fix bug where it wasn't possible to save flag actions (#7188)
    • Markasjunk: Fix bug where marking as spam/ham didn't work on moving messages with drag-and-drop (#7137)
    • Password: Make chpass-wrapper.py Python 3 compatible (#7135)
    • Elastic: Fix disappearing sidebar in mail compose after clicking Mail button
    • Elastic: Fix incorrect aria-disabled attribute on Mail taskmenu button in mail compose
    • Elastic: Fix bug where it was possible to switch editor mode when 'htmleditor' was in 'dont_override' (#7143)
    • Elastic: Fix text selection in recipient inputs (#7129)
    • Elastic: Fix missing Close button in "more recipients" dialog
    • Elastic: Fix non-working folder subscription checkbox for newly added folders (#7174)
    • Fix regression where "Open in new window" action didn't work (#7155)
    • Fix PHP Warning: array_filter() expects parameter 1 to be array, null given in subscriptions_option plugin (#7165)
    • Fix unexpected error message when mail refresh involves folder auto-unsubscribe (#6923)
    • Fix recipient duplicates in print-view when the recipient list has been expanded (#7169)
    • Fix bug where files in skins/ directory were listed on skins list (#7180)
    • Fix bug where message parts with no Content-Disposition header and no name were not listed on attachments list (#7117)
    • Fix display issues with mail subject that contains line-breaks (#7191)
    • Fix invalid Content-Transfer-Encoding on multipart messages - Mail_Mime fix (#7170)
    • Fix regression where using an absolute path to SQLite database file on Windows didn't work (#7196)
    • Fix using unix:///path/to/socket.file in memcached driver (#7210)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4.3.tar.gz(1.96 MB)
    roundcube-framework-1.4.3.tar.gz.asc(862 bytes)
    roundcubemail-1.4.3-complete.tar.gz(6.70 MB)
    roundcubemail-1.4.3-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4.3.tar.gz(4.15 MB)
    roundcubemail-1.4.3.tar.gz.asc(862 bytes)
  • 1.4.2(Jan 1, 2020)

    This is the second service release to update the stable version 1.4 of Roundcube Webmail. It contains fixes and improvements reported since the release of version 1.4.0. See the full changelog below.

    This version considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Plugin API: Make actionbefore, before, actionafter and after events working with plugin actions (#7106)
    • Managesieve: Replace "Filter disabled" with "Filter enabled" (#7028)
    • Managesieve: Fix so modifier type select wasn't hidden after hiding modifier select on header change
    • Managesieve: Fix filter selection after removing a first filter (#7079)
    • Markasjunk: Fix marking more than one message as spam/ham with email_learn driver (#7121)
    • Password: Fix kpasswd and smb drivers' double-escaping bug (#7092)
    • Enigma: Add script to import keys from filesystem to the db storage (for multihost)
    • Installer: Fix DB Write test on SQLite database ("database is locked" error) (#7064)
    • Installer: Fix so SQLite DSN with a relative path to the database file works in Installer
    • Elastic: Fix contrast of warning toasts (#7058)
    • Elastic: Simple search in pretty selects (#7072)
    • Elastic: Fix hidden list widget on mobile/tablet when selecting folder while search menu is open (#7120)
    • Fix so type attribute on script tags is not used on HTML5 pages (#6975)
    • Fix unread count after purge on a folder that is not currently selected (#7051)
    • Fix bug where Enter key didn't work on messages list in "List" layout (#7052)
    • Fix bug where deleting a saved search in addressbook caused display issue on sources/groups list (#7061)
    • Fix bug where a new saved search added after removing all searches wasn't added to the list (#7061)
    • Fix bug where a new contact group added after removing all groups from addressbook wasn't added to the list
    • Fix bug where Ctype extension wasn't required in Installer and INSTALL file (#7049)
    • Fix so install-jsdeps.sh removes Bootstrap's sourceMappingURL (#7035)
    • Fix so use of Ctrl+A does not scroll the list (#7020)
    • Fix/remove useless keyup event handler on username input in logon form (#6970)
    • Fix bug where cancelling switching from HTML to plain text didn't set the flag properly (#7077)
    • Fix bug where HTML reply could add an empty line with extra indentation above the original message (#7088)
    • Fix matching multiple X-Forwarded-For addresses with 'proxy_whitelist' (#7107)
    • Fix so displayed maximum attachment size depends also on 'max_message_size' (#7105)
    • Fix bug where 'skins_allowed' option didn't enforce user skin preference (#7080)
    • Fix so contact's organization field accepts up to 128 characters (it was 50)
    • Fix bug where listing tables in PostgreSQL database with db_prefix didn't work (#7093)
    • Fix bug where 'text' attribute on body tag was ignored when displaying HTML message (#7109)
    • Fix bug where next message wasn't displayed after delete in List mode (#7096)
    • Fix so number of contacts in a group is not limited to 200 when redirecting to mail composer from Contacts (#6972)
    • Fix malformed characters in HTML message with charset meta tag not in head (#7116)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4.2.tar.gz(1.98 MB)
    roundcube-framework-1.4.2.tar.gz.asc(862 bytes)
    roundcubemail-1.4.2-complete.tar.gz(6.68 MB)
    roundcubemail-1.4.2-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4.2.tar.gz(4.13 MB)
    roundcubemail-1.4.2.tar.gz.asc(862 bytes)
  • 1.4.1(Nov 22, 2019)

    This is the first service release to update the new stable version 1.4.

    With the recent release of Roundcube Webmail 1.4.0 we missed to mention a few breaking changes since the last stable version 1.3. We apologize for this and are now clarifying and correcting these:

    Breaking changes

    (since 1.3.x)

    • new defaults for smtp_* config options:

      Upon many requests and in order to get closer to the default setup of most SMTP servers, we changed the defaults as follows:

      // SMTP port (default is 587)
      $config['smtp_port'] = 587;
      
      // SMTP username (if required). %u will use the current username for login
      $config['smtp_user'] = '%u';
      
      // SMTP password (if required). %p will use the current user's password for login
      $config['smtp_pass'] = '%p';
      
    • changed default password_charset to UTF-8:

      Because of many complaints, we decided to choose a more sane default that covers most setups and configurations.

    • login page returning 401 Unauthorized status:

      The new behavior that Roundcube 1.4 returns a 401 status code if the client is not authenticated apparently was very unexpected and lead to monitoring problems. Despite not having mentioned that change in the release notes, we now partly reverted it so that 401 is only returned on login failures but not on the first request to Roundcube which by definition is unauthorized.

    Besides these three major concerns we heard from your much appreciated feedback, we fixed a number of nasty bugs that sneaked into the 1.4.0 release. See the complete changelog below.

    Changelog

    • Elastic: Change HTML editor widget to improve form flow (#6992)
    • Elastic: Fix position of mobile floating action button (#7038)
    • Managesieve: Fix locked UI after opening filter frame (#7007)
    • Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given in sendmail.inc (#7003)
    • Fix bug where cache keys could exceed length limit specified in db schema (#7004)
    • Fix invalid Signature button state after escaping Mailvelope mode (#7015)
    • Fix so 401 error is returned only on failed logon requests (#7010)
    • Fix db_prefix handling in queries with TRUNCATE TABLE <name> and UNIQUE <name> (#7013)
    • Fix so update.sh script warns about changed defaults (#7011)
    • Fix tables listing routine when DSN contained a database with unsupported suffix (#7034)
    • Fix so Elastic is also a default in jqueryui plugin (#7039)
    • Fix bug where the Installer would not warn about required schema upgrade (#7042)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4.1.tar.gz(1.97 MB)
    roundcube-framework-1.4.1.tar.gz.asc(862 bytes)
    roundcubemail-1.4.1-complete.tar.gz(6.67 MB)
    roundcubemail-1.4.1-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4.1.tar.gz(4.12 MB)
    roundcubemail-1.4.1.tar.gz.asc(862 bytes)
  • 1.4.0(Nov 9, 2019)

    This is the long awaited stable release 1.4 of Roundcube webmail.

    After more than two years of hard work by Alec and other volunteer contributors, Roundcube finally gets the responsive skin with full mobile device support - the Elastic.

    In addition to the new UI we introduce these new features:

    • Email Resent (Bounce) feature
    • Improved Mailvelope integration
    • Support for Redis and Memcached cache
    • Support for SMTPUTF8 and GSSAPI

    Plus numerous improvements and bug fixes collected from your precious feedback as well as updates to recent versions of 3rd party libraries like jQuery and TinyMCE. See the full changelog below.

    The new Elastic theme, which is the new default skin, is built with LESS and of course the sources are included. They allow a certain degree of customization by adjusting some colors and variables using the _styles.less and _variables.less files. Please consider customizing your Roundcube installation in order to make phishing harder. You'll find guidance in the README.md file inside the skin folder.

    This release is considered stable and we encourage you to update your productive installations after carefully testing the upgrade scenario and preparing your users to the significant changes in their webmail UI. Download it from roundcube.net.

    With the release of Roundcube 1.4.0, the previous stable release branches 1.3.x and 1.2.x will change into LTS low maintenance mode which means they will only receive important security updates but no longer any regular improvement updates. The 1.1.x series is no longer supported and maintained.

    CHANGELOG (since 1.4-rc2)

    • Elastic: Resizeable columns (#6929)
    • Elastic: Fix position and style of auto-complete dropdown on small screens (#6951)
    • Elastic: Fix initial focus on recipients input in mail compose screen
    • Elastic: Fix inserting responses at cursor position (#6971)
    • Elastic: Fix unread filter icon and search state on folder change (#6978)
    • Elastic: Fix regression where Encrypt button wasn't displayed in mail compose toolbar (#6982)
    • Elastic: Fix regression where recipient input didn't update internal input state (#6988)
    • Enigma: Fix bug where signing option was set to disabled after saving a draft in Elastic skin (#6515)
    • Redis: Improve error handling and phpredis 5.X support (#6888)
    • Archive: Fix bug where next email was not displayed after Archive button use (#6965)
    • Archive: Fix missing Archive icon in folder selector popup in Elastic
    • Fix bug where cache keys were not case-sensitive on MySQL/MSSQL (#6942)
    • Fix so an error is logged when encryption fails (#6948)
    • Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
    • Fix and document skin_logo setup (#6981)

    FULL CHANGELOG (since 1.3.x)

    • Update to jQuery 3.4.1
    • Update to TinyMCE 4.8.2
    • Update to jQuery-MiniColors 2.3.4
    • Clarified 'address_book_type' option behavior (#6680)
    • Added cookie mismatch detection, display an error message informing the user to clear cookies
    • Renamed 'log_session' option to 'session_debug'
    • Removed 'delete_always' option (#6782)
    • Don't log full session identifiers in userlogins log (#6625)
    • Support $HasAttachment/$HasNoAttachment keywords (#6201)
    • Support PECL memcached extension as a session and cache storage driver (experimental)
    • Switch to IDNA2008 variant (#6806)
    • installto.sh: Add possibility to run the update even on the up-to-date installation (#6533)
    • Plugin API: Add 'render_folder_selector' hook
    • Added 'keyservers' option to define list of HKP servers for Enigma/Mailvelope (#6326)
    • Added flag to disable server certificate validation via Mysql DSN argument (#6848)
    • Select all records on the current list page with CTRL + A (#6813)
    • Use Left/Right Arrow keys to faster move over threaded messages list (#6399)
    • Changes in display_next setting (#6795):
      • Move it to Preferences > User Interface > Main Options
      • Make it apply to Contacts interface too
      • Make it apply only if deleting/moving a previewed message/contact
    • Redis: Support connection to unix socket
    • Put charset meta specification before a title tag, add page title automatically (#6811)
    • Elastic: Various internal refactorings
    • Elastic: Add Prev/Next buttons on message page toolbar (#6648)
    • Elastic: Close search options on Enter key press in quick-search input (#6660)
    • Elastic: Changed some icons (#6852)
    • Elastic: Changed read/unread icons (#6636)
    • Elastic: Changed "Move to..." icon (#6637)
    • Elastic: Add hide/show for advanced preferences (#6632)
    • Elastic: Add default icon on Settings/Preferences lists for external plugins (#6814)
    • Elastic: Add indicator for popover menu items that open a submenu (#6868)
    • Elastic: Move compose attachments/options to the right side (#6839)
    • Elastic: Add border/background to attachments list widget (#6842)
    • Elastic: Add "Show unread messages" button to the search bar (#6587)
    • Elastic: Fix bug where toolbar disappears on attachment menu use in Chrome (#6677)
    • Elastic: Fix folders list scrolling on touch devices (#6706)
    • Elastic: Fix non-working pretty selects in Chrome browser (#6705)
    • Elastic: Fix issue with absolute positioned mail content (#6739)
    • Elastic: Fix bug where some menu actions could cause a browser popup warning
    • Elastic: Fix handling mailto: URL parameters in contact menu (#6751)
    • Elastic: Fix keyboard navigation in some menus, e.g. the contact menu
    • Elastic: Fix visual issue with long buttons in .boxwarning (#6797)
    • Elastic: Fix handling new-line in text pasted to a recipient input
    • Elastic: Fix so search is not reset when returning from the message preview page (#6847)
    • Larry: Fix regression where menu actions didn't work with keyboard (#6740)
    • ACL: Display user/group names (from ldap) instead of acl identifier
    • Password: Added ldap_exop driver (#4992)
    • Password: Added support for SSHA512 password algorithm (#6805)
    • Managesieve: Fix bug where global includes were requested for vacation (#6716)
    • Managesieve: Use RFC-compliant line endings, CRLF instead of LF (#6686)
    • Managesieve: Fix so "Create filter" option does not show up when Filters menu is disabled (#6723)
    • Enigma: For verified signatures, display the user id associated with the sender address (#5958)
    • Enigma: Fix bug where revoked users/keys were not greyed out in key info
    • Enigma: Fix error message when trying to encrypt with a revoked key (#6607)
    • Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
    • Enigma: Fix bug where signature verification could have been skipped for some message structures (#6838)
    • Fix language selection for spellchecker in html mode (#6915)
    • Fix css styles leak from replied/forwarded message to the rest of the composed text (#6831)
    • Fix invalid path to "add contact" icon when using assets_path setting
    • Fix invalid path to blocked.gif when using assets_path setting (#6752)
    • Fix so advanced search dialog is not automatically displayed on searchonly addressbooks (#6679)
    • Fix so an error is logged when more than one attachment plugin has been enabled, initialize the first one (#6735)
    • Fix bug where flag change could have been passed to a preview frame when not expected
    • Fix bug in HTML parser that could cause missing text fragments when there was no head/body tag (#6713)
    • Fix bug where HTML messages with a xml:namespace tag were not rendered (#6697)
    • Fix TinyMCE download location (#6694)
    • Fix so "Open in new window" consistently displays "external window" interface (#6659)
    • Fix bug where next row wasn't selected after deleting a collapsed thread (#6655)
    • Fix bug where external content (e.g. mail body) was passed to templates parsing code (#6640)
    • Fix bug where attachment preview didn't work with x_frame_options=deny (#6688)
    • Fix so bin/install-jsdeps.sh returns error code on error (#6704)
    • Fix bug where bmp images couldn't be displayed on some systems (#6728)
    • Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp (#6744)
    • Fix bug where bold/strong text was converted to upper-case on html-to-text conversion (6758)
    • Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return only tld (#6746)
    • Fix bug where Next/Prev button in mail view didn't work with multi-folder search result (#6793)
    • Fix bug where selection of columns on messages list wasn't working
    • Fix bug in converting multi-page Tiff images to Jpeg (#6824)
    • Fix bug where handling multiple messages from multi-folder search result could not work (#6845)
    • Fix bug where unread count wasn't updated after moving multi-folder result (#6846)
    • Fix wrong messages order after returning to a multi-folder search result (#6836)
    • Fix some PHP 7.4 compat. issues (#6884, #6866)
    • Fix bug where it was possible to bypass the position:fixed CSS check in received messages (#6898)
    • Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)
    • Fix bug where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897)
    • Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896)
    • Changed 'password_charset' default to 'UTF-8' (#6522)
    • Add skins_allowed option (#6483)
    • SMTP GSSAPI support via krb_authentication plugin (#6417)
    • Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385)
    • Removed 'referer_check' option (#6440)
    • Use constant prefix for temp file names, don't remove temp files from other apps (#6511)
    • Ignore 'Sender' header on Reply-All action (#6506)
    • deluser.sh: Add option to delete users who have not logged in for more than X days (#6340)
    • HTML5 Upload Progress - as a replacement for the old server-side solution (#6177)
    • Prevent from using deprecated timezone names from jsTimezoneDetect
    • Force session.gc_probability=1 when using custom session handlers (#6560)
    • Support simple field labels (e.g. LetterHub examples) in csv imports (#6541)
    • Add cache busters also to images used by templates (#6610)
    • Plugin API: Added 'raise_error' hook (#6199)
    • Plugin API: Added 'common_headers' hook (#6385)
    • Plugin API: Added 'ldap_connected' hook
    • Enigma: Update to OpenPGPjs 4.2.1 - fixes user name encoding issues in key generation (#6524)
    • Enigma: Fixed multi-host synchronization of private and deleted keys and pubring.kbx file
    • Managesieve: Added support for 'editheader' extension - RFC5293 (#5954)
    • Managesieve: Fix bug where custom header or variable could be lost on form submission (#6594)
    • Markasjunk: Integrate markasjunk2 features into markasjunk - marking as non-junk + learning engine (#6504)
    • Password: Added 'modoboa' driver (#6361)
    • Password: Fix bug where password_dovecotpw_with_method setting could be ignored (#6436)
    • Password: Fix bug where new users could skip forced password change (#6434)
    • Password: Allow drivers to override default password comparisons (eg new is not same as current) (#6473)
    • Password: Allow drivers to override default strength checks (eg allow for 'not the same as last x passwords') (#246)
    • Passowrd: Allow drivers to define password strength rules displayed to the user
    • Password: Allow separate password saving and strength drivers for use of strength checking services (#5040)
    • Password: Add zxcvbn driver for checking password strength (#6479)
    • Password: Disallow control characters in passwords
    • Password: Add support for Plesk >= 17.8 (#6526)
    • Elastic: Improved datepicker displayed always in parent window
    • Elastic: On touch devices display attachment icons on messages list (#6296)
    • Elastic: Make menu button inactive if all subactions are inactive (#6444)
    • Elastic: On mobile/tablet jump to the list on folder selection (#6415)
    • Elastic: Various improvements on mail compose screen (#6413)
    • Elastic: Support new-line char as a separator for pasted recipients (#6460)
    • Elastic: Improved UX of search dialogs (#6416)
    • Elastic: Fix unwanted thread expanding when selecting a collapsed thread in non-mobile mode (#6445)
    • Elastic: Fix too small height of mailvelope mail preview frame (#6600)
    • Elastic: Add "status bar" for mobile in mail composer
    • Elastic: Add selection options on contacts list (#6595)
    • Elastic: Fix unintentional layout preference overwrite (#6613)
    • Elastic: Fix bug where Enigma options in mail compose could sometimes be ignored (#6515)
    • Log errors caused by low pcre.backtrack_limit when sending a mail message (#6433)
    • Fix regression where drafts were not deleted after sending the message (#6756)
    • Fix so max_message_size limit is checked also when forwarding messages as attachments (#6580)
    • Fix so performance stats are logged to the main console log also when per_user_logging=true
    • Fix malformed message saved into Sent folder when using big attachments and low memory limit (#6498)
    • Fix incorrect IMAP SASL GSSAPI negotiation (#6308)
    • Fix so unicode in local part of the email address is also supported in recipient inputs (#6490)
    • Fix bug where autocomplete list could be displayed out of screen (#6469)
    • Fix style/navigation on error page depending on authentication state (#6362)
    • Fix so invalid smtp_helo_host is never used, fallback to localhost (#6408)
    • Fix custom logo size in Elastic (#6424)
    • Fix listing the same attachment multiple times on forwarded messages
    • Fix bug where a message/rfc822 part without a filename wasn't listed on the attachments list (#6494)
    • Fix inconsistent offset for various time zones - always display Standard Time offset (#6531)
    • Fix dummy Message-Id when resuming a draft without Message-Id header (#6548)
    • Fix handling of empty entries in vCard import (#6564)
    • Fix bug in parsing some IMAP command responses that include unsolicited replies (#6577)
    • Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
    • Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581)
    • Fix so mime_content_type check in Installer uses files that should always be available (i.e. from program/resources) (#6599)
    • Fix missing CSRF token on a link to download too-big message part (#6621)
    • Fix bug when aborting dragging with ESC key didn't stop the move action (#6623)
    • Improved Mailvelope integration
      • Added private key listing and generating to identity settings
      • Enable encrypt & sign option if Mailvelope supports it
    • Allow contacts without an email address (#5079)
    • Support SMTPUTF8 and relax email address validation to support unicode in local part (#5120)
    • Support for IMAP folders that cannot contain both folders and messages (#5057)
    • Remove sample PHP configuration from .htaccess and .user.ini files (#5850)
    • Extend skin_logo setting to allow per skin logos (#6272)
    • Use Masterminds/HTML5 parser for better HTML5 support (#5761)
    • Add More actions button in Contacts toolbar with Copy/Move actions (#6081)
    • Display an error when clicking disabled link to register protocol handler (#6079)
    • Add option trusted_host_patterns (#6009, #5752)
    • Support additional connect parameters in PostgreSQL database wrapper
    • Use UI dialogs instead of confirm() and alert() where possible
    • Display value of the SMTP message size limit in the error message (#6032)
    • Show message flagged status in message view (#5080)
    • Skip redundant INSERT query on successful logon when using PHP7
    • Replace display_version with display_product_version (#5904)
    • Extend disabled_actions config so it accepts also button names (#5903)
    • Handle remote stylesheets the same as remote images, ask the user to allow them (#5994)
    • Add Message-ID to the sendmail log (#5871)
    • Add option to hide folders in share/other-user namespace or outside of the personal namespace root (#5073)
    • Archive: Fix archiving by sender address on cyrus-imap
    • Archive: Style Archive folder also on folder selector and folder manager lists
    • Archive: Add Thunderbird compatible Month option (#5623)
    • Archive: Create archive folder automatically if it's configured, but does not exist (#6076)
    • Enigma: Add button to send mail unencrypted if no key was found (#5913)
    • Enigma: Add options to set PGP cipher/digest algorithms (#5645)
    • Enigma: Multi-host support
    • Managesieve: Add ability to disable filter sets and other actions (#5496, #5898)
    • Managesieve: Add option managesieve_forward to enable settings dialog for simple forwarding (#6021)
    • Managesieve: Support filter action with custom IMAP flags (#6011)
    • Managesieve: Support 'mime' extension tests - RFC5703 (#5832)
    • Managesieve: Support GSSAPI authentication with krb_authentication plugin (#5779)
    • Managesieve: Support enabling the plugin for specified hosts only (#6292)
    • Password: Support host variables in password_db_dsn option (#5955)
    • Password: Automatic virtualmin domain setting, removed password_virtualmin_format option (#5759)
    • Password: Added password_username_format option (#5766)
    • subscriptions_option: show \Noselect folders greyed out (#5621)
    • zipdownload: Added option to define size limit for multiple messages download (#5696)
    • vcard_attachments: Add possibility to send contact vCard from Contacts toolbar (#6080)
    • Changed defaults for smtp_user (%u), smtp_pass (%p) and smtp_port (587)
    • Composer: Fix certificate validation errors by using packagist only (#5148)
    • Add --get and --extract arguments and CACHEDIR env-variable support to install-jsdeps.sh (#5882)
    • Support _filter and _scope as GET arguments for opening mail UI (#5825)
    • Various improvements for templating engine and skin behaviours
      • Support conditional include
      • Support for 'link' objects
      • Support including files with path relative to templates directory
      • Use
    • Support skin localization (#5853)
    • Reset onerror on images if placeholder does not exist to prevent from requests storm
    • Unified and simplified code for loading content frame for responses and identities
    • Display contact import and advanced search in popup dialogs
    • Display a dialog for mail import with supported format description and upload size hint
    • Make possible to set (some) config options from a skin
    • Added optional checkbox selection for the list widget
    • Make 'compose' command always enabled
    • Add .log suffix to all log file names, add option log_file_ext to control this (#313)
    • Return "401 Unauthorized" status when login fails (#5663)
    • Support both comma and semicolon as recipient separator, drop recipients_separator option (#5092)
    • Plugin API: Added 'show_bytes' hook (#5001)
    • Add option to not indent quoted text on top-posting reply (#5105)
    • Removed global $CONFIG variable
    • Removed debug_level setting
    • Support AUTHENTICATE LOGIN for IMAP connections (#5563)
    • Support LDAP GSSAPI authentication (#5703)
    • Localized timezone selector (#4983)
    • Use 7bit encoding for ISO-2022-* charsets in sent mail (#5640)
    • Handle inline images also inside multipart/mixed messages (#5905)
    • Allow style tags in HTML editor on composed/reply messages (#5751)
    • Use Github API as a fallback to fetch js dependencies to workaround throttling issues (#6248)
    • Show confirm dialog when moving folders using drag and drop (#6119)
    • Fix bug where new_user_dialog email check could have been circumvented by deleting / abandoning session (#5929)
    • Fix skin extending for assets (#5115)
    • Fix handling of forwarded messages inside of a TNEF message (#5632)
    • Fix bug where attachment size wasn't visible when the filename was too long (#6033)
    • Fix checking table columns when there's more schemas/databases in postgres/mysql (#6047)
    • Fix css conflicts in user interface and e-mail content (#5891)
    • Fix duplicated signature when using Back button in Chrome (#5809)
    • Fix touch event issue on messages list in IE/Edge (#5781)
    • Fix so links over images are not removed in plain text signatures converted from HTML (#4473)
    • Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4.0.tar.gz(1.96 MB)
    roundcube-framework-1.4.0.tar.gz.asc(862 bytes)
    roundcubemail-1.4.0-complete.tar.gz(6.67 MB)
    roundcubemail-1.4.0-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4.0.tar.gz(4.11 MB)
    roundcubemail-1.4.0.tar.gz.asc(862 bytes)
  • 1.4-rc2(Sep 16, 2019)

    This is the long awaited second release candidate for the next major version 1.4 of Roundcube webmail. Many fixes, improvements and final touches have gone into this since the first release candidate was published.

    We strongly encourage everybody to customize the Elastic skin using the _styles.less and _variables.less files to blend into your corporate design. You'll find guidance for customization in the README.md file inside the skin folder.

    Rolling out a new and significantly different user interface should be carefully planned and we recommend to prepare your users for the change. Therefore the Elastic theme is not set to be the default theme. Adjust your config in order to enable it by default or let your users switch themselves in the user settings.

    Please note that the Classic skin will no longer be maintained and completely removed in future releases. Within the 1.4 release series, the Classic skin remains part of the package but it will not receive new features that were added to the Larry or Elastic themes.

    This is still a preview release and we recommend to test it on a separate environment. And don't forget to backup your data before installing it.

    CHANGELOG

    • Update to jQuery 3.4.1
    • Clarified 'address_book_type' option behavior (#6680)
    • Added cookie mismatch detection, display an error message informing the user to clear cookies
    • Renamed 'log_session' option to 'session_debug'
    • Removed 'delete_always' option (#6782)
    • Don't log full session identifiers in userlogins log (#6625)
    • Support $HasAttachment/$HasNoAttachment keywords (#6201)
    • Support PECL memcached extension as a session and cache storage driver (experimental)
    • Switch to IDNA2008 variant (#6806)
    • installto.sh: Add possibility to run the update even on the up-to-date installation (#6533)
    • Plugin API: Add 'render_folder_selector' hook
    • Added 'keyservers' option to define list of HKP servers for Enigma/Mailvelope (#6326)
    • Added flag to disable server certificate validation via Mysql DSN argument (#6848)
    • Select all records on the current list page with CTRL + A (#6813)
    • Use Left/Right Arrow keys to faster move over threaded messages list (#6399)
    • Changes in display_next setting (#6795):
      • Move it to Preferences > User Interface > Main Options
      • Make it apply to Contacts interface too
      • Make it apply only if deleting/moving a previewed message/contact
    • Redis: Support connection to unix socket
    • Put charset meta specification before a title tag, add page title automatically (#6811)
    • Elastic: Various internal refactorings
    • Elastic: Add Prev/Next buttons on message page toolbar (#6648)
    • Elastic: Close search options on Enter key press in quick-search input (#6660)
    • Elastic: Changed some icons (#6852)
    • Elastic: Changed read/unread icons (#6636)
    • Elastic: Changed "Move to..." icon (#6637)
    • Elastic: Add hide/show for advanced preferences (#6632)
    • Elastic: Add default icon on Settings/Preferences lists for external plugins (#6814)
    • Elastic: Add indicator for popover menu items that open a submenu (#6868)
    • Elastic: Move compose attachments/options to the right side (#6839)
    • Elastic: Add border/background to attachments list widget (#6842)
    • Elastic: Add "Show unread messages" button to the search bar (#6587)
    • Elastic: Fix bug where toolbar disappears on attachment menu use in Chrome (#6677)
    • Elastic: Fix folders list scrolling on touch devices (#6706)
    • Elastic: Fix non-working pretty selects in Chrome browser (#6705)
    • Elastic: Fix issue with absolute positioned mail content (#6739)
    • Elastic: Fix bug where some menu actions could cause a browser popup warning
    • Elastic: Fix handling mailto: URL parameters in contact menu (#6751)
    • Elastic: Fix keyboard navigation in some menus, e.g. the contact menu
    • Elastic: Fix visual issue with long buttons in .boxwarning (#6797)
    • Elastic: Fix handling new-line in text pasted to a recipient input
    • Elastic: Fix so search is not reset when returning from the message preview page (#6847)
    • Larry: Fix regression where menu actions didn't work with keyboard (#6740)
    • ACL: Display user/group names (from ldap) instead of acl identifier
    • Password: Added ldap_exop driver (#4992)
    • Password: Added support for SSHA512 password algorithm (#6805)
    • Managesieve: Fix bug where global includes were requested for vacation (#6716)
    • Managesieve: Use RFC-compliant line endings, CRLF instead of LF (#6686)
    • Managesieve: Fix so "Create filter" option does not show up when Filters menu is disabled (#6723)
    • Enigma: For verified signatures, display the user id associated with the sender address (#5958)
    • Enigma: Fix bug where revoked users/keys were not greyed out in key info
    • Enigma: Fix error message when trying to encrypt with a revoked key (#6607)
    • Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
    • Enigma: Fix bug where signature verification could have been skipped for some message structures (#6838)
    • Fix language selection for spellchecker in html mode (#6915)
    • Fix css styles leak from replied/forwarded message to the rest of the composed text (#6831)
    • Fix invalid path to "add contact" icon when using assets_path setting
    • Fix invalid path to blocked.gif when using assets_path setting (#6752)
    • Fix so advanced search dialog is not automatically displayed on searchonly addressbooks (#6679)
    • Fix so an error is logged when more than one attachment plugin has been enabled, initialize the first one (#6735)
    • Fix bug where flag change could have been passed to a preview frame when not expected
    • Fix bug in HTML parser that could cause missing text fragments when there was no head/body tag (#6713)
    • Fix bug where HTML messages with a xml:namespace tag were not rendered (#6697)
    • Fix TinyMCE download location (#6694)
    • Fix so "Open in new window" consistently displays "external window" interface (#6659)
    • Fix bug where next row wasn't selected after deleting a collapsed thread (#6655)
    • Fix bug where external content (e.g. mail body) was passed to templates parsing code (#6640)
    • Fix bug where attachment preview didn't work with x_frame_options=deny (#6688)
    • Fix so bin/install-jsdeps.sh returns error code on error (#6704)
    • Fix bug where bmp images couldn't be displayed on some systems (#6728)
    • Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp (#6744)
    • Fix bug where bold/strong text was converted to upper-case on html-to-text conversion (6758)
    • Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return only tld (#6746)
    • Fix bug where Next/Prev button in mail view didn't work with multi-folder search result (#6793)
    • Fix bug where selection of columns on messages list wasn't working
    • Fix bug in converting multi-page Tiff images to Jpeg (#6824)
    • Fix bug where handling multiple messages from multi-folder search result could not work (#6845)
    • Fix bug where unread count wasn't updated after moving multi-folder result (#6846)
    • Fix wrong messages order after returning to a multi-folder search result (#6836)
    • Fix some PHP 7.4 compat. issues (#6884, #6866)
    • Fix bug where it was possible to bypass the position:fixed CSS check in received messages (#6898)
    • Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)
    • Fix bug where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897)
    • Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4-rc2.tar.gz(1.96 MB)
    roundcube-framework-1.4-rc2.tar.gz.asc(862 bytes)
    roundcubemail-1.4-rc2-complete.tar.gz(6.66 MB)
    roundcubemail-1.4-rc2-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4-rc2.tar.gz(4.11 MB)
    roundcubemail-1.4-rc2.tar.gz.asc(862 bytes)
  • 1.3.10(Aug 28, 2019)

    This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch including minor security fixes around CSS and HTML cleanup. See the complete changelog below.

    This version in considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Managesieve: Fix so "Create filter" option does not show up when Filters menu is disabled (#6723)
    • Enigma: Fix bug where revoked users/keys were not greyed out in key info
    • Enigma: Fix error message when trying to encrypt with a revoked key (#6607)
    • Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
    • Fix compatibility with kolab/net_ldap3 > 1.0.7 (#6785)
    • Fix bug where bmp images couldn't be displayed on some systems (#6728)
    • Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp (#6744)
    • Fix bug where bold/strong text was converted to upper-case on html-to-text conversion (6758)
    • Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return only tld (#6746)
    • Fix bug where Next/Prev button in mail view didn't work with multi-folder search result (#6793)
    • Fix bug where selection of columns on messages list wasn't working
    • Fix bug in converting multi-page Tiff images to Jpeg (#6824)
    • Fix wrong messages order after returning to a multi-folder search result (#6836)
    • Fix PHP 7.4 deprecation: implode() wrong parameter order (#6866)
    • Fix bug where it was possible to bypass the position:fixed CSS check in received messages (#6898)
    • Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)
    • Fix bug where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897)
    • Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.3.10.tar.gz(1.20 MB)
    roundcube-framework-1.3.10.tar.gz.asc(862 bytes)
    roundcubemail-1.3.10-complete.tar.gz(5.24 MB)
    roundcubemail-1.3.10-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.3.10.tar.gz(3.08 MB)
    roundcubemail-1.3.10.tar.gz.asc(862 bytes)
  • 1.3.9(Mar 31, 2019)

    This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch. See the complete changelog below.

    This version in considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Fix TinyMCE download location(s) (#6694)
    • Fix bug where a message/rfc822 part without a filename wasn't listed on the attachments list (#6494)
    • Fix handling of empty entries in vCard import (#6564)
    • Fix bug in parsing some IMAP command responses that include unsolicited replies (#6577)
    • Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
    • Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581)
    • Fix so mime_content_type check in Installer uses files that should always be available (i.e. from program/resources) (#6599)
    • Fix missing CSRF token on a link to download too-big message part (#6621)
    • Fix bug when aborting dragging with ESC key didn't stop the move action (#6623)
    • Fix bug where next row wasn't selected after deleting a collapsed thread (#6655)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.3.9.tar.gz(1.19 MB)
    roundcube-framework-1.3.9.tar.gz.asc(833 bytes)
    roundcubemail-1.3.9-complete.tar.gz(5.26 MB)
    roundcubemail-1.3.9-complete.tar.gz.asc(833 bytes)
    roundcubemail-1.3.9.tar.gz(3.08 MB)
    roundcubemail-1.3.9.tar.gz.asc(833 bytes)
  • 1.4-rc1(Feb 28, 2019)

    This is a first release candidate for the next major version 1.4 of Roundcube webmail which has now been in development for quite a while. Although the new responsive Elastic skin is now functional and feature complete, it still lacks the final brush-up to make it shine. We have now finally found a volunteer to work on this and once completed, a second release candidate will follow.

    For now you’re all invited to give the new 1.4 version another test run. Besides the responsive theme it comes with lots of new features and improvements since the beta release. Check the Changelog below for a complete list of changes.

    Please also try customizing the Elastic skin using the _styles.less and _variables.less files and let us know what’s missing. You'll find guidance in the README.md file inside the skin folder.

    Because we don’t yet consider the Elastic theme fully complete, it’s not set to be the default theme. Adjust your config in order to enable it with

    $config['skin'] = 'elastic';
    

    This is a beta release and we recommend to test it on a separate environment. And don't forget to backup your data before installing it.

    CHANGELOG

    • Changed 'password_charset' default to 'UTF-8' (#6522)
    • Add skins_allowed option (#6483)
    • SMTP GSSAPI support via krb_authentication plugin (#6417)
    • Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385)
    • Removed 'referer_check' option (#6440)
    • Use constant prefix for temp file names, don't remove temp files from other apps (#6511)
    • Ignore 'Sender' header on Reply-All action (#6506)
    • deluser.sh: Add option to delete users who have not logged in for more than X days (#6340)
    • HTML5 Upload Progress - as a replacement for the old server-side solution (#6177)
    • Update to TinyMCE 4.8.2
    • Update to jQuery-MiniColors 2.3.4
    • Prevent from using deprecated timezone names from jsTimezoneDetect
    • Force session.gc_probability=1 when using custom session handlers (#6560)
    • Support simple field labels (e.g. LetterHub examples) in csv imports (#6541)
    • Add cache busters also to images used by templates (#6610)
    • Plugin API: Added 'raise_error' hook (#6199)
    • Plugin API: Added 'common_headers' hook (#6385)
    • Plugin API: Added 'ldap_connected' hook
    • Enigma: Update to OpenPGPjs 4.2.1 - fixes user name encoding issues in key generation (#6524)
    • Enigma: Fixed multi-host synchronization of private and deleted keys and pubring.kbx file
    • Managesieve: Added support for 'editheader' extension - RFC5293 (#5954)
    • Managesieve: Fix bug where custom header or variable could be lost on form submission (#6594)
    • Markasjunk: Integrate markasjunk2 features into markasjunk - marking as non-junk + learning engine (#6504)
    • Password: Added 'modoboa' driver (#6361)
    • Password: Fix bug where password_dovecotpw_with_method setting could be ignored (#6436)
    • Password: Fix bug where new users could skip forced password change (#6434)
    • Password: Allow drivers to override default password comparisons (eg new is not same as current) (#6473)
    • Password: Allow drivers to override default strength checks (eg allow for 'not the same as last x passwords') (#246)
    • Passowrd: Allow drivers to define password strength rules displayed to the user
    • Password: Allow separate password saving and strength drivers for use of strength checking services (#5040)
    • Password: Add zxcvbn driver for checking password strength (#6479)
    • Password: Disallow control characters in passwords
    • Password: Add support for Plesk >= 17.8 (#6526)
    • Elastic: Improved datepicker displayed always in parent window
    • Elastic: On touch devices display attachment icons on messages list (#6296)
    • Elastic: Make menu button inactive if all subactions are inactive (#6444)
    • Elastic: On mobile/tablet jump to the list on folder selection (#6415)
    • Elastic: Various improvements on mail compose screen (#6413)
    • Elastic: Support new-line char as a separator for pasted recipients (#6460)
    • Elastic: Improved UX of search dialogs (#6416)
    • Elastic: Fix unwanted thread expanding when selecting a collapsed thread in non-mobile mode (#6445)
    • Elastic: Fix too small height of mailvelope mail preview frame (#6600)
    • Elastic: Add "status bar" for mobile in mail composer
    • Elastic: Add selection options on contacts list (#6595)
    • Elastic: Fix unintentional layout preference overwrite (#6613)
    • Log errors caused by low pcre.backtrack_limit when sending a mail message (#6433)
    • Fix so max_message_size limit is checked also when forwarding messages as attachments (#6580)
    • Fix so performance stats are logged to the main console log also when per_user_logging=true
    • Fix malformed message saved into Sent folder when using big attachments and low memory limit (#6498)
    • Fix incorrect IMAP SASL GSSAPI negotiation (#6308)
    • Fix so unicode in local part of the email address is also supported in recipient inputs (#6490)
    • Fix bug where autocomplete list could be displayed out of screen (#6469)
    • Fix style/navigation on error page depending on authentication state (#6362)
    • Fix so invalid smtp_helo_host is never used, fallback to localhost (#6408)
    • Fix custom logo size in Elastic (#6424)
    • Fix listing the same attachment multiple times on forwarded messages
    • Fix bug where a message/rfc822 part without a filename wasn't listed on the attachments list (#6494)
    • Fix inconsistent offset for various time zones - always display Standard Time offset (#6531)
    • Fix dummy Message-Id when resuming a draft without Message-Id header (#6548)
    • Fix handling of empty entries in vCard import (#6564)
    • Fix bug in parsing some IMAP command responses that include unsolicited replies (#6577)
    • Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
    • Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581)
    • Fix so mime_content_type check in Installer uses files that should always be available (i.e. from program/resources) (#6599)
    • Fix missing CSRF token on a link to download too-big message part (#6621)
    • Fix bug when aborting dragging with ESC key didn't stop the move action (#6623)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4-rc1.tar.gz(1.23 MB)
    roundcube-framework-1.4-rc1.tar.gz.asc(862 bytes)
    roundcubemail-1.4-rc1-complete.tar.gz(6.82 MB)
    roundcubemail-1.4-rc1-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4-rc1.tar.gz(4.22 MB)
    roundcubemail-1.4-rc1.tar.gz.asc(862 bytes)
  • 1.3.8(Oct 26, 2018)

    This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch including a security fix for a reported XSS vulnerability plus updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8. See the complete changelog below.

    CHANGELOG

    • Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1 (#6374)
    • Fix so fallback from BINARY to BODY FETCH is used also on [PARSE] errors in dovecot 2.3 (#6383)
    • Enigma: Fix deleting keys with authentication subkeys (#6381)
    • Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
    • Fix so Classic skin splitter does not escape out of window (#6397)
    • Fix XSS issue in handling invalid style tag content (#6410)
    • Fix compatibility with MySQL 8 - error on 'system' table use
    • Managesieve: Fix bug where show_real_foldernames setting wasn't respected (#6422)
    • New_user_identity: Fix %fu/%u vars substitution in user specific LDAP params (#6419)
    • Fix support for "allow-from " in x_frame_options config option (#6449)
    • Fix bug where valid content between HTML comments could have been skipped in some cases (#6464)
    • Fix multiple VCard field search (#6466)
    • Fix session issue on long running requests (#6470)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.3.8.tar.gz(1.20 MB)
    roundcube-framework-1.3.8.tar.gz.asc(862 bytes)
    roundcubemail-1.3.8-complete.tar.gz(5.27 MB)
    roundcubemail-1.3.8-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.3.8.tar.gz(3.08 MB)
    roundcubemail-1.3.8.tar.gz.asc(862 bytes)
  • 1.4-beta(Aug 25, 2018)

    This is a beta release of the next major version 1.4 of Roundcube webmail. With this milestone we introduce some new features:

    • New responsive skin with mobile support
    • Email Resent (Bounce) feature
    • Improved Mailvelope integration
    • Support for Redis cache
    • Support for SMTPUTF8

    Because the new responsive skin is not yet fully completed, it's not enabled by default. In order to make it the default for your users, change your config.inc.php accordingly:

    $config['skin'] = 'elastic';
    

    Although it still needs some polishing, the new skin solves the urgent need to enable access to Roundcube for mobile devices. The plugin elastic4mobile makes it the default for mobile devices while keeping the configured default for desktop browsers.

    The Elastic skin is built with LESS and of course the sources are included. They allow a certain degree of customization by adjusting some color variables. All you need is to compile your very own customized skin with lessc.

    In case you're running Roundcube directly from source or if you're not using the complete package, you need to install 3rd party javascript modules by executing the following install script:

    $ bin/install-jsdeps.sh
    

    This is a beta release and we recommend to test it on a separate environment. And don't forget to backup your data before installing it.

    CHANGELOG

    • Added new skin with mobile support - the Elastic
    • Support Redis cache
    • Email Resent (Bounce) feature (#4985)
    • Improved Mailvelope integration
      • Added private key listing and generating to identity settings
      • Enable encrypt & sign option if Mailvelope supports it
    • Allow contacts without an email address (#5079)
    • Support SMTPUTF8 and relax email address validation to support unicode in local part (#5120)
    • Support for IMAP folders that cannot contain both folders and messages (#5057)
    • Update to jQuery-3.3.1
    • Update to jQuery-minicolors 2.2.6
    • Update to TinyMCE 4.7.13
    • Remove sample PHP configuration from .htaccess and .user.ini files (#5850)
    • Extend skin_logo setting to allow per skin logos (#6272)
    • Use Masterminds/HTML5 parser for better HTML5 support (#5761)
    • Add More actions button in Contacts toolbar with Copy/Move actions (#6081)
    • Display an error when clicking disabled link to register protocol handler (#6079)
    • Add option trusted_host_patterns (#6009, #5752)
    • Support additional connect parameters in PostgreSQL database wrapper
    • Use UI dialogs instead of confirm() and alert() where possible
    • Display value of the SMTP message size limit in the error message (#6032)
    • Show message flagged status in message view (#5080)
    • Skip redundant INSERT query on successful logon when using PHP7
    • Replace display_version with display_product_version (#5904)
    • Extend disabled_actions config so it accepts also button names (#5903)
    • Handle remote stylesheets the same as remote images, ask the user to allow them (#5994)
    • Add Message-ID to the sendmail log (#5871)
    • Add option to hide folders in share/other-user namespace or outside of the personal namespace root (#5073)
    • Archive: Fix archiving by sender address on cyrus-imap
    • Archive: Style Archive folder also on folder selector and folder manager lists
    • Archive: Add Thunderbird compatible Month option (#5623)
    • Archive: Create archive folder automatically if it's configured, but does not exist (#6076)
    • Enigma: Add button to send mail unencrypted if no key was found (#5913)
    • Enigma: Add options to set PGP cipher/digest algorithms (#5645)
    • Enigma: Multi-host support
    • Managesieve: Add ability to disable filter sets and other actions (#5496, #5898)
    • Managesieve: Add option managesieve_forward to enable settings dialog for simple forwarding (#6021)
    • Managesieve: Support filter action with custom IMAP flags (#6011)
    • Managesieve: Support 'mime' extension tests - RFC5703 (#5832)
    • Managesieve: Support GSSAPI authentication with krb_authentication plugin (#5779)
    • Managesieve: Support enabling the plugin for specified hosts only (#6292)
    • Password: Support host variables in password_db_dsn option (#5955)
    • Password: Automatic virtualmin domain setting, removed password_virtualmin_format option (#5759)
    • Password: Added password_username_format option (#5766)
    • subscriptions_option: show \Noselect folders greyed out (#5621)
    • zipdownload: Added option to define size limit for multiple messages download (#5696)
    • vcard_attachments: Add possibility to send contact vCard from Contacts toolbar (#6080)
    • Changed defaults for smtp_user (%u), smtp_pass (%p) and smtp_port (587)
    • Composer: Fix certificate validation errors by using packagist only (#5148)
    • Add --get and --extract arguments and CACHEDIR env-variable support to install-jsdeps.sh (#5882)
    • Support _filter and _scope as GET arguments for opening mail UI (#5825)
    • Various improvements for templating engine and skin behaviours
      • Support conditional include
      • Support for 'link' objects
      • Support including files with path relative to templates directory
      • Use
    • Support skin localization (#5853)
    • Reset onerror on images if placeholder does not exist to prevent from requests storm
    • Unified and simplified code for loading content frame for responses and identities
    • Display contact import and advanced search in popup dialogs
    • Display a dialog for mail import with supported format description and upload size hint
    • Make possible to set (some) config options from a skin
    • Added optional checkbox selection for the list widget
    • Make 'compose' command always enabled
    • Add .log suffix to all log file names, add option log_file_ext to control this (#313)
    • Return "401 Unauthorized" status when login fails (#5663)
    • Support both comma and semicolon as recipient separator, drop recipients_separator option (#5092)
    • Plugin API: Added 'show_bytes' hook (#5001)
    • Add option to not indent quoted text on top-posting reply (#5105)
    • Removed global $CONFIG variable
    • Removed debug_level setting
    • Support AUTHENTICATE LOGIN for IMAP connections (#5563)
    • Support LDAP GSSAPI authentication (#5703)
    • Localized timezone selector (#4983)
    • Use 7bit encoding for ISO-2022-* charsets in sent mail (#5640)
    • Handle inline images also inside multipart/mixed messages (#5905)
    • Allow style tags in HTML editor on composed/reply messages (#5751)
    • Use Github API as a fallback to fetch js dependencies to workaround throttling issues (#6248)
    • Show confirm dialog when moving folders using drag and drop (#6119)
    • Fix bug where new_user_dialog email check could have been circumvented by deleting / abandoning session (#5929)
    • Fix skin extending for assets (#5115)
    • Fix handling of forwarded messages inside of a TNEF message (#5632)
    • Fix bug where attachment size wasn't visible when the filename was too long (#6033)
    • Fix checking table columns when there's more schemas/databases in postgres/mysql (#6047)
    • Fix css conflicts in user interface and e-mail content (#5891)
    • Fix duplicated signature when using Back button in Chrome (#5809)
    • Fix touch event issue on messages list in IE/Edge (#5781)
    • Fix so links over images are not removed in plain text signatures converted from HTML (#4473)
    • Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772)
    • Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1 (#6374)
    • Fix so fallback from BINARY to BODY FETCH is used also on [PARSE] errors in dovecot 2.3 (#6383)
    • Enigma: Fix deleting keys with authentication subkeys (#6381)
    • Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
    • Fix so Classic skin splitter does not escape out of window (#6397)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.4-beta.tar.gz(1.22 MB)
    roundcube-framework-1.4-beta.tar.gz.asc(862 bytes)
    roundcubemail-1.4-beta-complete.tar.gz(6.63 MB)
    roundcubemail-1.4-beta-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.4-beta.tar.gz(4.12 MB)
    roundcubemail-1.4-beta.tar.gz.asc(862 bytes)
Owner
Roundcube Webmail Project
Roundcube Webmail Project
Cypht: Lightweight Open Source webmail written in PHP and JavaScript

Cypht https://cypht.org All your E-mail, from all your accounts, in one place. Cypht is not your father's webmail. Unless you are one of my daughters,

Jason Munro 670 Sep 18, 2021
A set of ansible scripts to build a personal mail server / private cloud / etc.

Please, note the Stretch version will receive only bug fixes and security updates. all the developments are now focused on the Next version. A set of

Progmatic 277 Sep 16, 2021
Mail hosting made simple

Modoboa Modoboa is a mail hosting and management platform including a modern and simplified Web User Interface. It provides useful components such as

Modoboa 1.9k Sep 18, 2021
Isotope Mail Client

Microservice based webmail client built with ReactJS and Spring. Introduction This webmail client is still in a very early stage, use at your own risk

Marc Nuri 166 Sep 2, 2021
Script that installs/configures a Dovecot, Postfix, Spam Assassin, OpenDKIM Debian web server

Email server setup script I wrote this script during the grueling process of installing and setting up an email server. It perfectly reproduces my suc

Luke Smith 747 Sep 15, 2021
An extensible mail notification daemon

An extensible mail notification daemon Mailnag is a daemon program that checks POP3 and IMAP servers for new mail. On mail arrival it performs various

Patrick Ulbrich 229 Sep 17, 2021
Python libraries to send, receive, and queue email.

API Documentation and Manual About The python-slimta project is a Python library offering the building blocks necessary to create a full-featured MTA.

null 147 Sep 11, 2021