Quote from: alec on March 24, 2026, 02:41:44 AMhttps://github.com/roundcube/roundcubemail/issues/10121

O, many thanks!

This patch actually fixed the problem. I pointed AI to this link; It didn't know the solution until now.

The indication that the problem was in versions 1.6.12 and 1.6.13 is my mistake. The problem only appeared in 1.6.14, as far as I understand.

G'day for all!

After upgrading roundcube to 1.6.12 (1.6.13, 1.6.14, too) we can't do serching in folders in Russian (non ASCII symbols).

QuoteServer error: UID THREAD: Error in IMAP command UID THREAD: Missing LF after literal size (0.001 + 0.000 secs).

Search is only possible in English (ASCII). Where error from?

This is now solved. I was being affected by an already-reported roundcube bug

I fixed as suggested by the bug reporter by setting
mail_attachment_detection_options="" in dovecot.conf

The other largest attack vector I see is social engineering where emails are sent saying there are coming from "Roundcube". A simple and quick fix would be to change the name and logo shown to users so they are less likely to click on links claiming to be from Roundcube.

That fact that you referenced upgrading Ubuntu both breaking the Roundcube and fixing it, are you installing Roundcube from the Ubuntu package? If so I have seen that in the past they change the Roundcube config location so that maybe why you saw it not pickup your SMTP settings and why the skins disappeared if it overwrote them while updating the package.

OK.  I managed to restore the ability to send mail by performing another upgrade of Ubuntu from 20.04 to 22.04 (which moved PHP for 8.1).  So, I can log in, check mail and all those things.

But I can no longer choose to use one of the skins I bought from RoundCube+.  I suspect that I will need to remove what I have and then follow their install instructions again.  Hopefully that will set things straight.  But this is no longer a question for this forum.

Thanks for trying to help (and accusing me of lying about my config -- that's a new one.)

I'm curious where roundcube is getting the host name it is using in the EHLO message.  That domain name only appears in the xskin/config.inc.php file where local assets are use for some skin features.  Why is roundcube not using the smtp_host name from roundcube/config/config.inc.php?  Is there some other place where this type of setting might be stored that I have not found?  If so, there might be other settings overriding that are causing my problems.

I should also mention that roundcube v1.3.x was working just fine (and successfully logging in to send mail) for over SIX YEARS.  However, after updating the system from Ubuntu 18.04 to 20.04, roundcube no longer connects.

One of my users also discovered that his email client was only using TLS 1.0 and we needed to make a configuration change for him so that his mail client would support TLS v1.2, which is now required.  Is there any chance something like that is biting me here?

That's no the problem. AUTH capabilities should get listed after establishing a secure connection, but for some reason Roundcube does not use STARTTLS command. I'm not sure why when smtp_host has tls:// prefix. Lack of php-ssl module? Or you don't tell us truth.

Based on the info in that article I'm not sure why you think 2FA would not help. A properly implemented MFA plugin will increase security but only to Roundcube login, if you use other IMAP clients then those would need their own solutions. For things like brute force login attempts you can also use tools like Fail2Ban.

The article is not about login attack though but instead about a CSS exploit which can then be used to get creds stored in a browser. Using browser creds stores is notoriously unsafe.

The article does not give the CVE id for the specific exploit but the devs do patch security issues when they are discovered (for example the changelog for 1.6.13 mentions "Fix CSS injection vulnerability reported by CERT Polska") and we don't know what version of Roundcube the people who wrote the article were using.

Like any wab app the best you can do is make sure you have it setup properly, the permissions are correct and apply security updates when they come out.