It was sent to info at my domain running RoundCube, which makes me think they might be scanning for instances.

Subject: Account Notice: Terms Update Required to Avoid Service Interruption
Date: Thu, 5 Feb 2026 20:31:12 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0B49_01DC96DE.5E1B0F10"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331

This is a multi-part message in MIME format.

------=_NextPart_000_0B49_01DC96DE.5E1B0F10
Content-Type: text/plain;
    charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

Important Notice About Your Account
Dear user,
If you do not accept the updated terms and conditions before February, 7, access to your Roundcube mailbox and related email services may be automatically suspended. After that date you may no longer be able to:
Send or receive emails Access contacts, calendar, or stored files
Use connected email apps (mobile clients, IMAP/POP3, etc.)
The acceptance process usually takes less than a minute.
Review and Accept Terms This message was sent by the Roundcube administration team. To stop receiving policy notifications, update your email preferences.

It contains a link to rdnundcube.com.

1.7 supports PHP >=8.1 <=8.5. What method did you use to perform your upgrade? It sounds like you are missing the symfony/polyfill-php85 library. However that has been needed since the first release candidate so it's odd that you are only having problems now.

I've just destroyed my dev instance of Roundcube 1.7 RC 2 by installing the security update 1.7 RC 3 as it is using functions like array_last(array $array) which are only available in PHP 8.5 and higher. Please include this into the Changelog as to me this seems to be undocumented.

We just published the third release candidate for the next major version 1.7 of Roundcube webmail.

This release fixes two security issues, and contains a few more fixes for several issues.

The security fixes are:

• Fix CSS injection vulnerability reported by CERT Polska.
• Fix remote image blocking bypass via SVG content reported by nullcathedral.

For the full changelog please see the release page.

The tarballs can be downloaded via roundcube.net.

Or directly from the release page at github.com.

We believe it is production ready, but we recommend to test it on a separate environment.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don't forget to backup your data before installing it!

Source: https://roundcube.net/news/2026/02/09/roundcube-1.7-rc3-released
Get it Now: https://roundcube.net/download

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported two security vulnerabilities.

Security fixes

• Fix CSS injection vulnerability reported by CERT Polska.
• Fix remote image blocking bypass via SVG content reported by nullcathedral.

See the full changelogs in the release notes on the Github download pages for the updated versions 1.6.13 and 1.5.13.

We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions.

Source: https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13
Get it Now: https://roundcube.net/download

I would consider Roundcube stable and easy to configure. It can get complex if your looking to add things like calendars, contact syncing, LDAP, Filters, etc. since all of those things are very environment specific.

I've run Roundcube on very small servers with any issues, as long as you run PHP it doesn't take up many resources.

Hi team,
I'm working on a personal mail server project and I'm hesitating to go with Roundcube for webmail. It seems to be the gold standard, but I'm afraid of getting bogged down in a nightmare installation. Honestly, guys, how stable is it? I'm looking for something solid that runs without me having to spend all night on it. I've seen links to support forums for netlinking and visibility, but I'm really interested in the pure technical side of things. Does anyone run this on a small configuration? Is it smooth, or does it slow down when there's a bit of traffic? I don't want to set up a complicated system just to read three messages.

Quote from: SKaero on January 28, 2026, 12:11:04 AMIt would need to be done from a API call from the front end code in order for the message to be shown. Can you share more of the code so we can have a better idea how the code is running?

I don't think I can. I'm trying to make small changes to code that isn't mine, so I don't think I can share any more of it.

I'll keep digging though the code of various plugins and may be able to find some more clues as to how to do this.

Quote from: senaiboy on February 01, 2026, 10:28:24 PM1. Preferences > Virus Protection
2. Preferences > Spam Settings
3. Preferences > Blacklisted addresses
4. Preferences > Whitelisted addresses

I don't see any of those in my cPanel install of Roundcube so I think those maybe custom to your cPanel install. If you have control of the server then you could look at the installed files to see what they are but otherwise I'd have to guess that there something custom.

Apologies for hijacking the post, we are similarly migrating from cpanel's Roundcube to one hosted on our own server. Still unable to find several settings:

1. Preferences > Virus Protection
2. Preferences > Spam Settings
3. Preferences > Blacklisted addresses
4. Preferences > Whitelisted addresses

Are these all from a third party plugin? Have had a look at the installed plugins, no clue from there where these might have come from.