Roundcube Webmail sends every message, as it is being written, to Google (/NSA) by default

Seen in the Roundcube webmail default configuration (the same problem as the WordPress default): everything the user types is, by default, sent by Roundcube to Google for spell checking. This is good neither against industrial espionage nor for privacy, since the past and present practices of Google and the US intelligence agencies tend to make use of such data, as shown by Edward Snowden.

Example for version 1.0.0:

roundcubemail-1.0.0/config/defaults.inc.php

In previous versions this was in main.inc.php.dist (which shows the default values), so you need to cp it to main.inc.php and change these values, for obvious security reasons:

roundcubemail-0.x.x/config/main.inc.php.dist

Example for version 1.0.0:

// Make use of the built-in spell checker. It is based on GoogieSpell.
// Since Google only accepts connections over https your PHP installatation
// requires to be compiled with Open SSL support
$config['enable_spellcheck'] = true;

// For a locally installed Nox Spell Server, please specify the URI to call it.
// Get Nox Spell Server from http://orangoo.com/labs/?page_id=72
// Leave empty to use the Google spell checking service, what means
// that the message content will be sent to Google in order to check spelling
$rcmail_config['spellcheck_uri'] = '';
// Enables spellchecker exceptions dictionary.
// Setting it to 'shared' will make the dictionary shared by all users.
$config['spellcheck_dictionary'] = false;

// Set the spell checking engine. Possible values:
// - 'googie'  - the default
// - 'pspell'  - requires the PHP Pspell module and aspell installed
// - 'enchant' - requires the PHP Enchant module
// - 'atd'     - install your own After the Deadline server or check with the people at http://www.afterthedeadline.com before using their API
// Since Google shut down their public spell checking service, you need to 
// connect to a Nox Spell Server when using 'googie' here. Therefore specify the 'spellcheck_uri'
$config['spellcheck_engine'] = 'googie';

// For locally installed Nox Spell Server or After the Deadline services,
// please specify the URI to call it.
// Get Nox Spell Server from http://orangoo.com/labs/?page_id=72 or
// the After the Deadline package from http://www.afterthedeadline.com.
// Leave empty to use the public API of service.afterthedeadline.com
$config['spellcheck_uri'] = '';

The solution I propose: use the enchant library if possible, else pspell; both are local APIs.

For installing packages on Debian and Ubuntu:

apt-get install libenchant aspell aspell-fr aspell-it aspell-de aspell-es aspell-en aspell-pl aspell-hu aspell-pt aspell-no aspell-sv aspell-el aspell-ru aspell-uk

I only list some of the main European languages here, but there are also Asian, African and some regional languages. I did not find any traditional American languages.

After installing these packages, you need to change this line:

$config['spellcheck_engine'] = 'enchant';

If this doesn’t work in your case, you can use pspell instead:

$config['spellcheck_engine'] = 'pspell';

Otherwise you can still disable spell checking and use your browser's. Until now Firefox used enchant too, but there is more and more Google stuff inside Firefox, and even advertising since Firefox 29 :(. Anyway, I started trying Midori (version 0.5.8 is really nice once you have checked the integrated plugins in the preferences) and GNU IceCat (a Firefox fork with fewer integrated spies (trojans?) and some bonuses) as alternatives, since Firefox 29 broke the interface, which totally breaks my own configuration (lots of bugs).

$config['enable_spellcheck'] = false;
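The three settings above (enchant if available, else pspell, else disable spell checking) depend on which PHP modules are actually loaded, which is the usual reason the enchant engine "doesn't work". The script below is an added example, not part of the post or of Roundcube: it reads the output of `php -m`, applies that order of preference, and prints the matching lines for config/config.inc.php (Roundcube 1.0; on 0.x the file is config/main.inc.php and the array is `$rcmail_config`). The sample module lists in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the Roundcube project):
# pick a local spell-check engine from the loaded PHP modules, in the
# post's order of preference: enchant, then pspell, otherwise disable.

# pick_engine: read `php -m` output on stdin and print "enchant", "pspell"
# or "none". Matching is case-insensitive and on whole lines, so the
# "[PHP Modules]" header and unrelated modules are ignored.
pick_engine() {
    mods=$(tr 'A-Z' 'a-z')
    if printf '%s\n' "$mods" | grep -qx 'enchant'; then
        echo enchant
    elif printf '%s\n' "$mods" | grep -qx 'pspell'; then
        echo pspell
    else
        echo none
    fi
}

# roundcube_lines ENGINE: print the config lines for the chosen engine.
# An empty spellcheck_uri keeps the engine local (no remote service URI),
# and "none" turns the feature off entirely.
roundcube_lines() {
    case "$1" in
        none)
            echo "\$config['enable_spellcheck'] = false;"
            ;;
        enchant|pspell)
            echo "\$config['enable_spellcheck'] = true;"
            echo "\$config['spellcheck_engine'] = '$1';"
            echo "\$config['spellcheck_uri'] = '';"
            ;;
        *)
            echo "unknown engine: $1" >&2
            return 1
            ;;
    esac
}

# Usage on the server (engine choice, then the lines to put in config.inc.php):
#   engine=$(php -m | pick_engine)
#   roundcube_lines "$engine"
# Offline self-check with a constructed module list:
#   printf 'Core\nenchant\npspell\n' | pick_engine   # prints: enchant
```

If `pick_engine` prints `none`, the PHP module itself is missing (php5-enchant or php5-pspell on Debian/Ubuntu of that era) even though the aspell dictionaries are installed; installing the module and restarting the web server is the fix, not switching engines.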

A good security policy on a server hosting a CMS, at least if you chose to leave port 80 open outbound, is to block all outbound traffic to Google networks by default.

You should save this addition permanently in your firewall. On Ubuntu, for example, you can use the iptables-persistent script, which saves rules permanently in /etc/iptables/.

In case you haven't already installed it:

apt-get install iptables-persistent

Then to block the Google networks:

* According to the whois database, in IPv4:

iptables -I OUTPUT -d 8.8.8.8 -j DROP
iptables -I OUTPUT -d 50.23.75.44 -j DROP
iptables -I OUTPUT -d 62.149.23.126 -j DROP
iptables -I OUTPUT -d 62.41.27.144 -j DROP
iptables -I OUTPUT -d 66.49.213.213 -j DROP
iptables -I OUTPUT -d 69.41.185.195 -j DROP
iptables -I OUTPUT -d 70.84.145.107 -j DROP
iptables -I OUTPUT -d 74.125.229.52 -j DROP
iptables -I OUTPUT -d 80.190.192.24 -j DROP
iptables -I OUTPUT -d 88.246.115.134 -j DROP
iptables -I OUTPUT -d 123.123.123.123 -j DROP
iptables -I OUTPUT -d 200.222.44.35 -j DROP
iptables -I OUTPUT -d 203.36.226.2 -j DROP
iptables -I OUTPUT -d 209.126.190.70 -j DROP
iptables -I OUTPUT -d 209.187.114.130 -j DROP
iptables -I OUTPUT -d 209.85.227.106 -j DROP
iptables -I OUTPUT -d 211.64.175.66 -j DROP
iptables -I OUTPUT -d 211.64.175.67 -j DROP
iptables -I OUTPUT -d 213.228.0.43 -j DROP
iptables -I OUTPUT -d 216.239.32.21 -j DROP
iptables -I OUTPUT -d 217.107.217.167 -j DROP
iptables -I OUTPUT -d 217.148.161.5 -j DROP

According to Google's documentation about email configuration, their blocks can be obtained with these 3 commands:

nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8

So for IPv4:

_netblocks.google.com	text = "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ~all"

And for IPv6:

_netblocks2.google.com	text = "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"

Then you need to add for IPv4:

iptables -I OUTPUT -d 216.239.32.0/19 -j DROP
iptables -I OUTPUT -d 64.233.160.0/19 -j DROP
iptables -I OUTPUT -d 66.249.80.0/20 -j DROP
iptables -I OUTPUT -d 72.14.192.0/18 -j DROP
iptables -I OUTPUT -d 209.85.128.0/17 -j DROP
iptables -I OUTPUT -d 66.102.0.0/20 -j DROP
iptables -I OUTPUT -d 74.125.0.0/16 -j DROP
iptables -I OUTPUT -d 64.18.0.0/20 -j DROP
iptables -I OUTPUT -d 207.126.144.0/20 -j DROP
iptables -I OUTPUT -d 173.194.0.0/16 -j DROP

and then for IPv6:

ip6tables -I OUTPUT -d 2001:4860:4000::/36 -j DROP
ip6tables -I OUTPUT -d 2404:6800:4000::/36 -j DROP
ip6tables -I OUTPUT -d 2607:f8b0:4000::/36 -j DROP
ip6tables -I OUTPUT -d 2800:3f0:4000::/36 -j DROP
ip6tables -I OUTPUT -d 2a00:1450:4000::/36 -j DROP
ip6tables -I OUTPUT -d 2c0f:fb50:4000::/36 -j DROP

Now, don't forget to save your rules permanently:

service iptables-persistent save
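Copying the netblocks from the TXT answers into iptables commands by hand is error-prone, and re-running `iptables -I` stacks duplicate rules every time. The script below is an added example, not part of the post or of Roundcube: `spf_to_rules` parses SPF text of the form shown above and prints one `iptables`/`ip6tables` command per `ip4:`/`ip6:` mechanism, each guarded by `-C` (rule check) so the script can be re-run safely. `fetch_spf` uses `dig` (bind9-dnsutils on Debian/Ubuntu) against 8.8.8.8 as the post's nslookup commands do; since the per-host list above also drops traffic to 8.8.8.8, run the fetch before that rule is active or point it at your own resolver. The sample SPF text is constructed from the records quoted above so the script runs offline; note that these records are Google's SPF records, i.e. they list the ranges Google sends mail from, and nothing on this page says they cover every Google service range.

```shell
#!/bin/sh
# Added example (not from the original post or the Roundcube project):
# turn SPF TXT records into idempotent iptables/ip6tables OUTPUT DROP rules.

# Constructed sample input (subset of the two records quoted in the post)
# so the script runs offline. Replace with fetch_spf output when online.
SAMPLE_SPF='v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ~all
v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ~all'

# fetch_spf NAME: print the TXT record of NAME without the surrounding quotes.
# Needs network access and dig; queries 8.8.8.8 like the post's nslookup calls.
fetch_spf() {
    dig +short TXT "$1" @8.8.8.8 | tr -d '"'
}

# spf_to_rules: read SPF text on stdin, print one firewall command per
# ip4:/ip6: mechanism. Each command first checks (-C) whether the rule is
# already present and only inserts (-I) it if not, so re-running is safe.
# Mechanisms without an address (v=spf1, include:, ~all) are skipped.
spf_to_rules() {
    tr ' \t' '\n\n' | while IFS= read -r mech; do
        case "$mech" in
            ip4:*)
                net=${mech#ip4:}
                printf 'iptables -C OUTPUT -d %s -j DROP 2>/dev/null || iptables -I OUTPUT -d %s -j DROP\n' "$net" "$net"
                ;;
            ip6:*)
                net=${mech#ip6:}
                printf 'ip6tables -C OUTPUT -d %s -j DROP 2>/dev/null || ip6tables -I OUTPUT -d %s -j DROP\n' "$net" "$net"
                ;;
        esac
    done
}

# count_sample_rules: number of commands produced for SAMPLE_SPF (self-check).
count_sample_rules() {
    printf '%s\n' "$SAMPLE_SPF" | spf_to_rules | wc -l | tr -d ' '
}

# Usage when online, as root; review the printed commands before piping to sh:
#   for n in _netblocks.google.com _netblocks2.google.com _netblocks3.google.com; do
#       fetch_spf "$n"
#   done | spf_to_rules | sh
#   service iptables-persistent save
```

Because every generated line checks with `-C` first, the same pipeline can be re-run when the TXT records change without inserting the old ranges a second time; ranges that disappear from the records are not removed automatically and must be deleted with `-D` by hand.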