Step-by-Step Guide: How to Enable Roundcube ManageSieve (Email Filters)

kenanng

Hi everyone,

After some investigation, I managed to get the ManageSieve plugin working on Enhance CP for both per-server webmail (mail.customerdomain.com) and global webmail. Sharing here as I couldn't find a complete guide anywhere.

What this enables: Users can create email filter rules in Roundcube (Settings → Filters) — move to folder, forward, delete, etc.

Per-server webmail (mail.customerdomain.com)

SSH into the email server as root.

Find the Roundcube user and path:

grep roundcubelocal /etc/passwd
# Note the home directory e.g. /var/www/{UUID}

Get the container gateway IP:

su roundcubelocal
ip route | grep default
# Note the gateway IP e.g. 10.169.0.2
exit

Open port 4190 in ufw:
```
ufw allow 4190/tcp
```

Enable the plugin:

su roundcubelocal
vim /var/www/{UUID}/public_html/config/config.inc.php
# Add 'managesieve' to plugins array:
# $config['plugins'] = ['password', 'enhance_sso', 'managesieve'];

Create the plugin config:

vim /var/www/{UUID}/public_html/plugins/managesieve/config.inc.php

<?php
$config['managesieve_host'] = 'tls://{gateway_ip}';
$config['managesieve_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
    )
);

Why tls:// is needed: Roundcube runs inside an Enhance CP container. Plain localhost inside the container doesn't reach the host. The gateway IP is the host's veth interface. TLS is required because Dovecot doesn't advertise SASL auth methods on plain connections.

Global webmail (e.g. globalwebmail.com)

The global webmail uses enhance_login plugin which dynamically resolves the mail server IP per user via the Enhance CP API. ManageSieve needs to follow the same dynamic host.

Open port 4190 in ufw on all email servers:
```
ufw allow 4190/tcp
```
Open port 4190 in your cloud provider's security group for all email servers (inbound).

Via Enhance CP file manager, create plugins/managesieve/config.inc.php:

<?php
$config['managesieve_host'] = 'tls://%h';
$config['managesieve_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
    )
);

Edit config/config.inc.php and add managesieve to plugins:

$config['plugins'] = ['enhance_login', 'managesieve'];

Why tls://%h: %h is Roundcube's placeholder for the current IMAP host — which enhance_login sets dynamically to the correct mail server IP. Adding tls:// forces STARTTLS so Dovecot advertises SASL auth methods.

Hope this helps someone. Took me many hours to get it right 😂