RoundCube Webmail

RoundCube Webmail is a platform-independent, web-based, freely distributed, feature-rich and open source application that has been designed from the offset to act as a browser-based webmail client or IMAP (Internet Message Access Protocol) client. It is the favorite webmail client of numerous web hosting services, along with the Horde Groupware Webmail and SquirrelMail projects.

Features at a glance

Key features include a support for IMAP folder management, support for external SMTP (Simple Mail Transfer Protocol) servers, Support for ACL (Access Control Lists), VCard-based full featured address book that offers support for LDAP (Lightweight Directory Access Protocol) connectors and groups, as well as complete support for HTML (HyperText Markup Language) and MIME (Multi-Purpose Internet Mail Extensions) messages.

In addition, the application offers sophisticated privacy protection for its users, which will be able to use multiple sender identities, manage email messages with drag and drop, compose messages with attachments, find contacts from the integrated address book as they type, compose Rich Text/HTML messages, search contacts and messages, use preserved response templates, export and import messages, and forward e-mails with attachments.

Beautiful and attractive interface

RoundCube Webmail features a beautiful and attractive interface that will conquer you from the get-go. It is translated in over 70 languages, supports threaded message listing, spell checking, shared and global IMAP folders, built-in caching, an unlimited number of messages and users, skins through a powerful template system, extensions through a state-of-the-art plugin architecture, and IDNA (Internationalizing Domain Names in Applications).

Under the hood, supported web browser, requirements, and more

The application is written in the widely-used PHP server-side scripting language and its compatible with the Apache, ​nginx, Lighttpd, Hiawatha or Cherokee web servers. It requires a wide range of PHP modules, and has been successfully tested with the latest version of the Mozilla Firefox, Google Chrome, Safari, Opera, SeaMonkey and Internet Explorer web browsers.

What is new in this release:

• Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244)
• Fix bug where some parts of quota information could have been ignored (#6280)
• Fix bug where some escape sequences in html styles could bypass security checks
• Fix bug where some forbidden characters on Cyrus-IMAP were not prevented from use in folder names
• Fix bug where only attachments with the same name would be ignored on zip download (#6301)
• Fix bug where unicode contact names could have been broken/emptied or caused DB errors (#6299)
• Fix bug where after "mark all folders as read" action message counters were not reset (#6307)
• Enigma: [EFAIL] Don't decrypt PGP messages with no MDC protection (#6289)
• Fix bug where some HTML comments could have been malformed by HTML parser (#6333)

What is new in version 1.3.6:

• Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
• Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker (#6234)
• Fix possible IMAP command injection and type juggling vulnerabilities (#6229)
• Enigma: Fix key selection for signing
• Enigma: Enable keypair generation on Internet Explorer 11
• Fix check_request() bypass in places using get_uids() CVE-2018-9846 (#6238)
• Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224)

What is new in version :

• Fix a couple of warnings on PHP 7.2 (#6098)
• Fix bug where contacts search could skip some records (#6130)
• Fix possible information leak - add more strict sql error check on user creation (#6125)
• Fix broken long filenames when using imap4d server - workaround server bug (#6048)
• Fix so temp_dir misconfiguration prints an error to the log (#6045)
• Fix untagged COPYUID responses handling - again (#5982)
• Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated" with PHP 7.2 (#6075)
• Fix bug where Archive folder wasn't auto-created on login with create_default_folders=true
• Fix performance issue when parsing malformed and long Date header (#6087)
• Fix syntax error in mssql.initial.sql (#6097)
• Fix bug where contacts export by selection returned no more than 10 entries (#6103)
• Fix searching contacts by address in LDAP source (#6084)
• Fix X-Frame-Options: ALLOW-FROM support, remove custom click-jacking protection (#6057)

What is new in version 1.3.3:

• Fix decoding of mailto: links with + character in HTML messages (#6020)
• Fix false reporting of failed upgrade in installto.sh (#6019)
• Fix file disclosure vulnerability caused by insufficient input validation [CVE-2017-16651] (#6026)
• Fix mangled non-ASCII characters in links in HTML messages (#6028)

What is new in version 1.3.0:

• Update to TinyMCE 4.5.7
• Fix bug where invalid recipients could be silently discarded (#5739)
• Fix conflict with _gid cookie of Google Analytics (#5748)
• Print error from CLI scripts when system/exec function is disabled (#5744)
• Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
• Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
• Fix folders list sorting on Windows - if php-intl is available (#5732)
• Fix addressbook searching by gender (#5757)
• Fix prevention from using % and * characters in folder name (#5762)
• Fix POST parameter reflection in default_charset selector (#5768)
• Enigma: Fix compatibility with assets_dir
• Managesieve: Skip redundant LISTSCRIPTS command
• Fix SQL syntax error on MariaDB 10.2 (#5774)
• Fix bug where zipdownload ignored files with the same name (#5777)
• Fix bug where it wasn't possible to set timezone to auto-detected value (#5782)

What is new in version 1.2.0:

• XSS vulnerability in _mbox argument
• security improvement in contact photo handling
• potential info disclosure from temp directory

What is new in version 1.1.2:

• XSS vulnerability in _mbox argument
• security improvement in contact photo handling
• potential info disclosure from temp directory

What is new in version 1.1.1:

• ACL: Allow other plugins to adjust the list of permissions and groups to edit
• Add possibility to print contact information (of a single contact)
• Add possibility to configure max_allowed_packet value for all database engines (#1490283)
• Improved handling of storage errors after message is sent
• Update to TinyMCE 4.1.9
• Unified request* event arguments handling, added support for _unlock and _action parameters
• Security: Generate random hash for the per-user local storage prefix (#1490279)
• Fix refreshing of drafts list when sending a message which was saved in meantime (#1490238)
• Fix saving/sending emoticon images when assets_dir is set
• Fix PHP fatal error when visiting Vacation interface and there's no sieve script yet (#1490292)
• Fix setting max packet size for DB caches and check packet size also in shared cache
• Fix needless security warning on BMP attachments display (#1490282)
• Fix handling of some improper constructs in format=flowed text as per the RFC3676[4.5] (#1490284)
• Fix performance of rcube_db_mysql::get_variable()
• Fix missing or not up-to-date CATEGORIES entry in vCard export (#1490277)
• Fix fatal errors on systems without mbstring extension or mb_regex_encoding() function (#1490280)
• Fix cursor position on reply below the quote in HTML mode (#1490263)
• Fix so "over quota" errors are displayed also in message compose page
• Fix duplicate entries supression in autocomplete result (#1490290)
• Fix "Non-static method PEAR::isError() should not be called statically" errors (#1490281)
• Fix parsing invalid HTML messages with BOM after (#1490291)
• Fix duplicate entry on timezones list in rcube_config::timezone_name_from_abbr() (#1490293)
• Fix so localized folder name is displayed in multi-folder search result (#1490243)
• Fix javascript error after creating a folder which is a subfolder of another one (#1490297)
• Fix bug where subject of sent/saved message was removed if mbstring wasn't installed (#1490295)
• Fix missing vcard_attachment icon on messages list (#1490303)
• Fix storing signatures with big images in MySQL database (#1490306)
• Fix Opera browser detection in javascript (#1490307)
• Fix so search filter, scope and fields are reset on folder change
• Fix rows count when messages search fails (#1490266)
• Fix bug where spellchecking in HTML editor do not work after switching editor type more than once (#1490311)
• Fix bug where TinyMCE area height was too small on slow network connection (#1490310)
• Fix backtick character handling in sql queries (#1490312)
• Fix redirect URL for attachments loaded in an iframe when behind a proxy (#1490191)
• Fix menu container references to point to the actual element (#1490313)
• Fix javascripts errors in IE8 - lack of Event.which, focusing a hidden element (#1490318)
• Most important changes in version 1.1.0:
• Allow searching across multiple folders
• Improved support for screen readers and assistive technology using WCAG 2.0 and WAI ARIA standards
• Update to TinyMCE 4.1 to support images in HTML signatures (copy & paste)
• Added namespace filter and folder searching in folder manager
• New config option to disable UI elements/actions
• Stronger password encryption using OpenSSL
• Support for the IMAP SPECIAL-USE extension
• Support for Oracle as database backend
• Manage 3rd party libs with Composer

What is new in version 1.1.0:

• Allow searching across multiple folders
• Improved support for screen readers and assistive technology using WCAG 2.0 and WAI ARIA standards
• Update to TinyMCE 4.1 to support images in HTML signatures (copy & paste)
• Added namespace filter and folder searching in folder manager
• New config option to disable UI elements/actions
• Stronger password encryption using OpenSSL
• Support for the IMAP SPECIAL-USE extension
• Support for Oracle as database backend
• Manage 3rd party libs with Composer

What is new in version 1.0.5:

• Fix download options menu (added by zipdownload plugin) in classic skin (#1490228)
• Fix blocked.gif image usage with assets_dir set
• Fix bug where max_group_members was ignored when adding a new contact (#1490214)
• Hide MDN and DSN options in compose if disabled by admin (#1490221)
• Fix checks based on window.ActiveXObject in IE > 10
• Fix XSS issue in style attribute handling (#1490227)
• Fix bug where Drafts list wasn't updated on draft-save action in new window (#1490225)
• Fix so "set as default" option is hidden if identities_level > 1 (#1490226)
• Fix bug where search was reset after returning from compose visited for reply
• Fix javascript error in "IE 8.0/Tablet PC" browser (#1490210)
• Fix bug where Reply-To address was ignored on reply to messages sent by self (#1490233)
• Fix bug where empty fieldmap config entries caused empty results of ldap search (#1490229)
• Fix bug where drafts list wasn't refreshed after draft message was sent from another window (#1490238)
• Fix keyboard navigation and css in datepicker widget across many Firefox versions

What is new in version 1.1 RC:

• Update jQuery to version 2.1.3
• Improve system security by using optional special URL with security token - use_secure_urls
• Allow to define separate server/path for image/js/css files - assets_url/assets_dir
• Sync vendor folder if exists in source package (#1490145)
• Avoid useless reloading list when resetting search with active filter (#1490057)
• Fix invalid folder selection if clicked while busy (#1490158)
• Fix import of multiple contact email addresses from Outlook-csv format (#1490169)
• Fix drag-n-drop to folders expanded while dragging (#1490157)
• Fix import of multiple contact groups from Google-csv format (#1490159)
• Fix import of contacts with multiple email addresses from Google-csv format (#1490178)
• Fix bugs where CSRF attacks were still possible on some requests
• Fix some rcube_utils::anytodatetime() corner cases with timezone mismatches (#1490163)
• Improve move-to and contact-export button in classic skin (#1490166)
• Fix wrong icon for download button in classic skin
• Fix bug where sent message was saved in Sent folder even if disabled by user (#1490208)

What is new in version 1.0.3:

• Fix insert-signature command in external compose window if opened from inline compose screen (#1490074)
• Initialize HTML editor before restoring a message from localStorage (#1490016)
• Add 'sig_max_lines' config option to default config file (#1490071)
• Add option to specify IMAP connection socket parameters - imap_conn_options (#1489948)
• Add option to set default message list mode - default_list_mode (#1487312)
• Enable contextmenu plugin for TinyMCE editor (#1487014)
• Fix some mime-type to extension mapping checks in Installer (#1489983)
• Fix errors when using localStorage in Safari's private browsing mode (#1489996)
• Fix bug where $Forwarded flag was being set even if server didn't support it (#1490000)
• Fix various iCloud vCard issues, added fallback for external photos (#1489993)
• Fix invalid Content-Type header when send_format_flowed=false (#1489992)
• Fix errors when adding/updating contacts in active search (#1490015)
• Fix incorrect thumbnail rotation with GD and exif orientation data (#1490029)
• Fix contacts list update after adding/deleting/moving a contact (#1490028, #1490033)
• Fix handling of email addresses with quoted domain part (#1490040)
• Fix comm_path update on task switch (#1490041)
• Fix error in MSSQL update script 2013061000.sql (#1490061)
• Fix validation of email addresses with IDNA domains (#1490067)

What is new in version 0.9.5:

• Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
• Fix failing vCard import when email address field contains spaces (#1489386)
• Fix default spell-check configuration after Google suspended their spell service
• Fix iframe onload for upload errors handling (#1489379)
• Fix address matching in Return-Path header on identity selection (#1489374)
• Fix text wrapping issue with long unwrappable lines (#1489371)
• Fixed mispelling: occured -> occurred (#1489366)
• Fixed issues where HTML comments inside style tag would hang Internet Explorer
• Fix setting domain in virtualmin password driver (#1489332)
• Hide Delivery Status Notification option when smtp_server is unset (#1489336)
• Display full attachment name using title attribute when name is too long to display (#1489320)
• Fix attachment icon issue when rare font/language is used (#1489326)
• Fix expanded thread root message styling after refreshing messages list (#1489327)
• Fix issue where From address was removed from Cc and Bcc fields when editing a draft (#1489319)
• Fix error_reporting directive check (#1489323)
• Fix de_DE localization of "About" label in Help plugin (#1489325)