Roundcube mods to config.inc.php

stylnchris · May 11, 2022, 12:52am

consider adding the following to /usr/local/lib/roundcubemail/config/config.inc.php ?

$config['htmleditor'] = 1;   # enables html editor by default
$config['show_images'] = 2;   #displays images by default
$config['session_lifetime'] = 480;  #changes session auto log off to 8 hours ( guess this is debatable) 
$config['login_rate_limit'] = 5;  #rate limits 5 attempts to log into roundcube before banning you for 1 minute
$config['search_mods'] = array('*' => array('subject'=>1, 'from'=>1, 'to'=>1, 'cc'=>1, 'bcc'=>1, 'body'=>1));  # enables search that works much better by default

openletter · May 11, 2022, 2:05am

You could try submitting a PR if you already have the changes figured out.

I’m not sure the benefit of the login rate limit, since MiaB has Fail2Ban and people with bots are likely hitting on the SMTP/IMAP login.

miabuser · May 11, 2022, 9:46am

This is bad practice for privacy reasons and shouldn’t be the default. But users can enable it in the settings of Roundcube on a per account / user basis.

stylnchris · May 11, 2022, 1:21pm

I respectfully disagree. I think it makes the webmail client feel ancient. Most modern webmail loads images and html by default. Maybe this is just something I’ve gotten used to. Id really like to hear from others though… To me I feel like it should be the other way around, this should be the default behavior and if you want to set it for not doing this by default then that should be the exception.

I realize that this project has always had it setup the other way so moving the user base could be an issue if more individuals believe it should be your way, which is why I doubt submitting a PR would get me a great result.

I am curious though… how many people would expect HTML and Images to load by default… Please reply.

openletter · May 11, 2022, 1:25pm

I think the setting makes it default to not private and other webmail systems that are default not private are equally undesirable. It should be user choice, because the remote content is explicitly tracking tools.

S4_Hosting · May 12, 2022, 5:18am

Security and bandwidth wise I think that images should probably not be loaded by default and that is fine.

The html editor is a different thing, I think that probably should be on by default because it’s just a more useful writing experience and doesn’t come with any big issues attached - I don’t think that there are many people out there nowadays who can only receive plain text mails.