Recent posts
#1
General Discussion / Re: Security concerns - Uncove...
Last post by SKaero - March 20, 2026, 08:59:43 PM
The other largest attack vector I see is social engineering where emails are sent saying they are coming from "Roundcube". A simple and quick fix would be to change the name and logo shown to users so they are less likely to click on links claiming to be from Roundcube.
#2
General Discussion / Re: 250 repose from EHLO is an...
Last post by SKaero - March 20, 2026, 08:57:06 PM
The fact that you referenced upgrading Ubuntu both breaking Roundcube and fixing it, are you installing Roundcube from the Ubuntu package? If so, I have seen that in the past they change the Roundcube config location, so that may be why you saw it not pick up your SMTP settings and why the skins disappeared if it overwrote them while updating the package.
#3
General Discussion / Re: 250 repose from EHLO is an...
Last post by nurbles - March 20, 2026, 03:13:49 PM
OK. I managed to restore the ability to send mail by performing another upgrade of Ubuntu from 20.04 to 22.04 (which moved PHP to 8.1). So, I can log in, check mail and all those things.
But I can no longer choose to use one of the skins I bought from RoundCube+. I suspect that I will need to remove what I have and then follow their install instructions again. Hopefully that will set things straight. But this is no longer a question for this forum.
Thanks for trying to help (and accusing me of lying about my config -- that's a new one.)
#4
General Discussion / Re: 250 repose from EHLO is an...
Last post by nurbles - March 20, 2026, 06:03:59 AM
I'm curious where roundcube is getting the host name it is using in the EHLO message. That domain name only appears in the xskin/config.inc.php file where local assets are used for some skin features. Why is roundcube not using the smtp_host name from roundcube/config/config.inc.php? Is there some other place where this type of setting might be stored that I have not found? If so, there might be other settings overriding that are causing my problems.
I should also mention that roundcube v1.3.x was working just fine (and successfully logging in to send mail) for over SIX YEARS. However, after updating the system from Ubuntu 18.04 to 20.04, roundcube no longer connects.
One of my users also discovered that his email client was only using TLS 1.0 and we needed to make a configuration change for him so that his mail client would support TLS v1.2, which is now required. Is there any chance something like that is biting me here?
#5
General Discussion / Re: 250 repose from EHLO is an...
Last post by alec - March 20, 2026, 02:39:55 AM
That's not the problem. AUTH capabilities should get listed after establishing a secure connection, but for some reason Roundcube does not use the STARTTLS command. I'm not sure why when smtp_host has tls:// prefix. Lack of php-ssl module? Or you don't tell us the truth.
#6
General Discussion / Re: Security concerns - Uncove...
Last post by JohnDoh - March 20, 2026, 02:38:53 AM
Based on the info in that article I'm not sure why you think 2FA would not help. A properly implemented MFA plugin will increase security but only to Roundcube login, if you use other IMAP clients then those would need their own solutions. For things like brute force login attempts you can also use tools like Fail2Ban.
The article is not about a login attack though, but instead about a CSS exploit which can then be used to get creds stored in a browser. Using browser cred stores is notoriously unsafe.
The article does not give the CVE id for the specific exploit but the devs do patch security issues when they are discovered (for example the changelog for 1.6.13 mentions "Fix CSS injection vulnerability reported by CERT Polska") and we don't know what version of Roundcube the people who wrote the article were using.
Like any web app, the best you can do is make sure you have it set up properly, the permissions are correct, and apply security updates when they come out.
#7
General Discussion / Re: 250 repose from EHLO is an...
Last post by JohnDoh - March 20, 2026, 02:19:34 AM
As your SMTP server does not support authentication you should set the SMTP auth config vars to empty strings in your Roundcube config.
Code:
$config['smtp_user'] = '';
$config['smtp_pass'] = '';
#8
Off-Topic / Re: Customizing the Elastic th...
Last post by JohnDoh - March 20, 2026, 02:16:14 AM
If you only want to adjust the CSS then you can do that by creating _styles.less and _variables.less files and recompiling the CSS. These 2 files will survive any updates. See the Elastic readme for more info.
If you want to modify any of the template files or make bigger changes than adjusting the CSS then you can extend the Elastic skin. Extended skins only contain your modifications, using the base skin for everything else.
#9
General Discussion / 250 repose from EHLO is an aut...
Last post by nurbles - March 19, 2026, 07:50:01 PM
I just updated to the latest (v1.6.x) roundcube and I've discovered that I cannot SEND mail through it. It will check and read mail great and the updated skins look better than ever. But it keeps logging this when I try to send a message:
Code:
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> PHP Error: SMTP server does not support authentication (POST /cube/?_task=mail&_unlock=loading1773962183086&_framed=1&_lang=en&_action=send)
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> SMTP Error: Authentication failure: SMTP server does not support authentication (Code: ) in /usr/share/roundcube/program/lib/Roundcube/rcube.php on line 1702 (POST /cube/?_task=mail&_unlock=loading1773962183086&_framed=1&_lang=en&_action=send)
postfix/smtpd logs this:
Code:
Mar 19 19:16:23 mail postfix/smtpd[37259]: connect from localhost[127.0.0.1]
Mar 19 19:16:23 mail postfix/smtpd[37259]: disconnect from localhost[127.0.0.1] ehlo=1 quit=1 commands=2
my roundcube config.inc.php contains:
Code:
$config['smtp_host'] = 'tls://mail.e-visions.com:587';
$config['smtp_helo_host'] = 'mail.e-visions.com';
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
the roundcube smtp.log shows
Code:
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Connecting to localhost:587...
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Recv: 220 mail.e-visions.com ESMTP Postfix
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Send: EHLO mail.electronicvisions.com
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Recv: 250-mail.e-visions.com
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Recv: 250-PIPELINING
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Recv: 250-SIZE 320000000
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Recv: 250-ETRN
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Recv: 250-STARTTLS
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Recv: 250-ENHANCEDSTATUSCODES
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Recv: 250-8BITMIME
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Recv: 250-DSN
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Recv: 250 CHUNKING
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Send: QUIT
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> Recv: 221 2.0.0 Bye
and, finally, roundcube's errors.log showed this:
Code:
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> PHP Error: SMTP server does not support authentication (POST /cube/?_task=mail&_unlock=loading1773962183086&_framed=1&_lang=en&_action=send)
[19-Mar-2026 19:16:23 -0400]: <lr4s9h9e> SMTP Error: Authentication failure: SMTP server does not support authentication (Code: ) in /usr/share/roundcube/program/lib/Roundcube/rcube.php on line 1702 (POST /cube/?_task=mail&_unlock=loading1773962183086&_framed=1&_lang=en&_action=send)
I am absolutely NOT an expert on this stuff, but the "(Code: )" in the last line above looks suspicious to me (as a developer myself) and as I read the SMTP protocol, the 250 response to the EHLO is success, so why is roundcube giving up? Or maybe PHP is giving up? I'm running
Code:
PHP 7.4.3-4ubuntu2.29+esm3 (cli) (built: Jan 7 2026 08:36:14) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Zend OPcache v7.4.3-4ubuntu2.29+esm3, Copyright (c), by Zend Technologies
in case there's a known issue with it.
If there is anything else I can provide to help figure this out and restore the ability to send email! Thank you!
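An added example, not part of any post above and not Roundcube code: a small Python check that reads smtp.log-style lines in the layout posted here and reports whether AUTH was missing only because the client never sent STARTTLS, the situation alec's reply describes. The session id, hostnames and result labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the smtp.log layout shown in the post
# (session id and hostnames are placeholders, not values from the thread).
SAMPLE_LOG = """\
[19-Mar-2026 19:16:23 -0400]: <sess0001> Connecting to localhost:587...
[19-Mar-2026 19:16:23 -0400]: <sess0001> Recv: 220 mail.example.test ESMTP Postfix
[19-Mar-2026 19:16:23 -0400]: <sess0001> Send: EHLO mail.example.test
[19-Mar-2026 19:16:23 -0400]: <sess0001> Recv: 250-mail.example.test
[19-Mar-2026 19:16:23 -0400]: <sess0001> Recv: 250-PIPELINING
[19-Mar-2026 19:16:23 -0400]: <sess0001> Recv: 250-STARTTLS
[19-Mar-2026 19:16:23 -0400]: <sess0001> Recv: 250 CHUNKING
[19-Mar-2026 19:16:23 -0400]: <sess0001> Send: QUIT
[19-Mar-2026 19:16:23 -0400]: <sess0001> Recv: 221 2.0.0 Bye
"""

LINE_RE = re.compile(r"^\[[^\]]+\]: <(\w+)> (Send|Recv): (.*)$")

def parse_sessions(text):
    """Group Send/Recv lines by session id, preserving order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[m.group(1)].append((m.group(2), m.group(3)))
    return dict(sessions)

def diagnose(events):
    """Classify one SMTP session by what happened around STARTTLS and AUTH."""
    tls_started = False
    caps_plain, caps_tls = set(), set()
    for direction, payload in events:
        if direction == "Send" and payload.upper().startswith("STARTTLS"):
            tls_started = True
        elif direction == "Recv" and re.match(r"250[- ]", payload):
            # First word of an EHLO reply line is the capability keyword.
            keyword = re.split(r"[ =]", payload[4:].strip())[0].upper()
            (caps_tls if tls_started else caps_plain).add(keyword)
    if tls_started:
        return "auth-after-tls" if "AUTH" in caps_tls else "no-auth-even-after-tls"
    if "AUTH" in caps_plain:
        return "auth-offered-in-cleartext"
    if "STARTTLS" in caps_plain:
        return "client-skipped-starttls"
    return "server-offers-neither"
```

A result of client-skipped-starttls means the server may well support authentication once the connection is encrypted, so the client's TLS setup is the thing to check.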
#10
Off-Topic / Customizing the Elastic theme ...
Last post by Noren - March 19, 2026, 05:17:41 AM
Hi everyone, I'm setting up a mail server with Roundcube for my new hair salon, and I'm having a bit of trouble with the visual customization. My goal is to adapt the "Elastic" theme so it matches my brand's visual identity, which features a lot of technical designs inspired by Japanese scissors (like the Green Mouse, with fairly slender, ergonomic curves). Is it better to create a separate "skin" folder to override the existing CSS, or should I modify the skins/elastic/ directory directly? I'm worried that a Roundcube update might overwrite my changes if I don't do this properly.