diff --git a/README.md b/README.md
index 766b7164..c5dfb496 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ Then run the post-install checklist command to see what you need to do next:
 
 In addition to above once finished you need to:
 
-    Goto https://<your domain>.<tld>, and make a admin account. By default you don't need to edit the advanced settings
+    Goto https://<your domain>.<tld>/cloud, and make an ownCloud admin account. By default you don't need to edit the advanced settings
     Once logged in, click the "Files" link beside the cloud in the top left corner and then click Apps button
     Goto the "External user support" and activate it, do the same thing with the mail app
 
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 20be9e26..9f83d014 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -2,10 +2,6 @@
 ##       Do not edit this file. It will be replaced each time
 ##       Mail-in-a-Box needs up update the web configuration.
 
-upstream php-fpm {
-    server unix:/var/run/php5-fpm.sock;
-}
-
 # Redirect all HTTP to HTTPS.
 server {
 	listen 80;
@@ -26,89 +22,84 @@ server {
 	ssl_certificate_key $SSL_KEY;
 	include /etc/nginx/nginx-ssl.conf;
 
-	# TODO: This is bad, we shouldnt hack it like this.
-	root /usr/local/lib/owncloud;
+	# Expose this directory as static files.
+	root $ROOT;
 	index index.html index.htm;
 
-	# ownCloud configuration
-	client_max_body_size 16G; # set max upload size
-	fastcgi_buffers 64 4K;
-
-	rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
-	rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
-	rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
-
-	index index.php;
-	error_page 403 /core/templates/403.php;
-	error_page 404 /core/templates/404.php;
-
-	location = /robots.txt {
-		allow all;
-		log_not_found off;
-		access_log off;
+	# Roundcube Webmail configuration.
+	rewrite ^/mail$ /mail/ redirect;
+	rewrite ^/mail/$ /mail/index.php;
+	location /mail/ {
+		index index.php;
+		alias /usr/local/lib/roundcubemail/;
+	}
+	location ~ /mail/config/.* {
+		# A ~-style location is needed to give this precedence over the next block.
+		return 403;
+	}
+	location ~ /mail/.*\.php {
+		# note: ~ has precendence over a regular location block
+		include fastcgi_params;
+		fastcgi_split_path_info ^/mail(/.*)()$;
+		fastcgi_index index.php;
+		fastcgi_param SCRIPT_FILENAME /usr/local/lib/roundcubemail/$fastcgi_script_name;
+		fastcgi_pass unix:/tmp/php-fastcgi.www-data.sock;
+		client_max_body_size 20M;
 	}
 
-	location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
-		deny all;
+	# ownCloud configuration.
+	rewrite ^/caldav(.*)$ /cloud/remote.php/caldav$1 redirect;
+	rewrite ^/carddav(.*)$ /cloud/remote.php/carddav$1 redirect;
+	rewrite ^/webdav(.*)$ /cloud/remote.php/webdav$1 redirect;
+	rewrite ^/cloud$ /cloud/ redirect;
+	rewrite ^/cloud/$ /cloud/index.php;
+	rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;
+	location /cloud/ {
+		alias /usr/local/lib/owncloud/;
+		location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
+			deny all;
+	 	}
 	}
-
-	location / {
-		# The following 2 rules are only needed with webfinger
-		rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-		rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
-		rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
-		rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
-
-		rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
-
-		try_files $uri $uri/ index.php;
-	}
-
-	location ~ ^(.+?\.php)(/.*)?$ {
-		try_files $1 = 404;
-
-		# PHP specific configuration to deal with large file uploads
+	location ~ ^(/cloud)(/.+\.php)(/.*)?$ {
+		# note: ~ has precendence over a regular location block
+		include fastcgi_params;
 		fastcgi_param PHP_VALUE "upload_max_filesize = 16G";
 		fastcgi_param PHP_VALUE "post_max_size = 16G";
 		fastcgi_param PHP_VALUE "output_buffering = 16384";
 		fastcgi_param PHP_VALUE "memory_limit = 512M";
-
-		include fastcgi_params;
-		fastcgi_param SCRIPT_FILENAME $document_root$1;
-		fastcgi_param PATH_INFO $2;
-		fastcgi_param HTTPS on;
+		fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2;
+		fastcgi_param SCRIPT_NAME $1$2;
+		fastcgi_param PATH_INFO $3;
 		fastcgi_pass php-fpm;
+		error_page 403 /cloud/core/templates/403.php;
+		error_page 404 /cloud/core/templates/404.php;
+		client_max_body_size 1G;
+		fastcgi_buffers 64 4K;
 	}
-
-	# Optional: set long EXPIRES header on static assets
-		location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
-		expires 30d;
-		# Optional: Don't log access to assets
-		access_log off;
-	}
+	rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last;
+	rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last;
+	rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect;
+	rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect;
 
 	# Webfinger configuration.
-	# TODO: fix this for owncloud
 	location = /.well-known/webfinger {
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME /usr/local/bin/mailinabox-webfinger.php;
-		fastcgi_pass php-fpm;
+		fastcgi_pass unix:/tmp/php-fastcgi.www-data.sock;
 	}
 
 	# Microsoft Exchange autodiscover.xml for email
 	location /autodiscover/autodiscover.xml {
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME /usr/local/bin/mailinabox-exchange-autodiscover.php;
-		fastcgi_pass php-fpm;
+		fastcgi_pass unix:/tmp/php-fastcgi.www-data.sock;
 	}
 
 	# Z-Push (Microsoft Exchange ActiveSync)
 	location /Microsoft-Server-ActiveSync {
-		include /etc/nginx/fastcgi_params;
-		fastcgi_param PHP_VALUE "include_path=/usr/share/awl/inc";
+	        include /etc/nginx/fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME /usr/local/lib/z-push/index.php;
-		fastcgi_pass php-fpm;
+		fastcgi_pass unix:/tmp/php-fastcgi.www-data.sock;
 	}
 
 	# ADDITIONAL DIRECTIVES HERE
diff --git a/conf/zpush/backend_caldav.php b/conf/zpush/backend_caldav.php
index ebe27ac2..309a1813 100644
--- a/conf/zpush/backend_caldav.php
+++ b/conf/zpush/backend_caldav.php
@@ -7,7 +7,7 @@
 
 define('CALDAV_SERVER', 'https://localhost');
 define('CALDAV_PORT', '443');
-define('CALDAV_PATH', '/remote.php/caldav/calendars/%u/');
+define('CALDAV_PATH', '/caldav/calendars/%u/');
 define('CALDAV_PERSONAL', '');
 
 // If the CalDAV server supports the sync-collection operation
diff --git a/conf/zpush/backend_carddav.php b/conf/zpush/backend_carddav.php
index 4dd1a741..f3e89371 100644
--- a/conf/zpush/backend_carddav.php
+++ b/conf/zpush/backend_carddav.php
@@ -9,9 +9,9 @@
 define('CARDDAV_PROTOCOL', 'https'); /* http or https */
 define('CARDDAV_SERVER', 'localhost');
 define('CARDDAV_PORT', '443');
-define('CARDDAV_PATH', '/remote.php/carddav/addressbooks/%u/');
-define('CARDDAV_DEFAULT_PATH', '/remote.php/carddav/addressbooks/%u/contacts/'); /* subdirectory of the main path */
-define('CARDDAV_GAL_PATH', '/caldav.php/%d/GAL/'); /* readonly, searchable, not syncd */
+define('CARDDAV_PATH', '/carddav/addressbooks/%u/');
+define('CARDDAV_DEFAULT_PATH', '/carddav/addressbooks/%u/contacts/'); /* subdirectory of the main path */
+define('CARDDAV_GAL_PATH', ''); /* readonly, searchable, not syncd */
 define('CARDDAV_GAL_MIN_LENGTH', 5);
 define('CARDDAV_CONTACTS_FOLDER_NAME', '%u Addressbook');
 
diff --git a/setup/start.sh b/setup/start.sh
index 39987401..469f6162 100755
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -273,6 +273,7 @@ EOF
 . setup/dkim.sh
 . setup/spamassassin.sh
 . setup/web.sh
+. setup/webmail.sh
 . setup/owncloud.sh
 . setup/zpush.sh
 . setup/management.sh
diff --git a/setup/webmail.sh b/setup/webmail.sh
new file mode 100755
index 00000000..fbb489f4
--- /dev/null
+++ b/setup/webmail.sh
@@ -0,0 +1,103 @@
+# Webmail: Using roundcube
+##########################
+
+source setup/functions.sh # load our functions
+source /etc/mailinabox.conf # load global vars
+
+# Ubuntu's roundcube-core has dependencies on Apache & MySQL, which we don't want, so we can't
+# install roundcube directly via apt-get install.
+#
+# Additionally, the Roundcube shipped with Ubuntu is consistently out of date.
+#
+# And it's packaged incorrectly --- it seems to be missing a directory of files.
+#
+# So we'll use apt-get to manually install the dependencies of roundcube that we know we need,
+# and then we'll manually install roundcube from source.
+
+# These dependencies are from 'apt-cache showpkg roundcube-core'.
+apt_install \
+	dbconfig-common \
+	php5 php5-sqlite php5-mcrypt php5-intl php5-json php5-common php-auth php-net-smtp php-net-socket php-net-sieve php-mail-mime php-crypt-gpg php5-gd php5-pspell \
+	tinymce libjs-jquery libjs-jquery-mousewheel libmagic1
+
+# We used to install Roundcube from Ubuntu, without triggering the dependencies
+# on Apache and MySQL, by downloading the debs and installing them manually.
+# Now that we're beyond that, get rid of those debs before installing from source.
+apt-get purge -qq -y roundcube*
+
+# Install Roundcube from source if it is not already present.
+# TODO: Check version?
+if [ ! -d /usr/local/lib/roundcubemail ]; then
+	rm -f /tmp/roundcube.tgz
+	wget -qO /tmp/roundcube.tgz http://downloads.sourceforge.net/project/roundcubemail/roundcubemail/1.0.1/roundcubemail-1.0.1.tar.gz
+	tar -C /usr/local/lib -zxf /tmp/roundcube.tgz
+	mv /usr/local/lib/roundcubemail-1.0.1/ /usr/local/lib/roundcubemail
+	rm -f /tmp/roundcube.tgz
+fi
+
+# Generate a safe 24-character secret key of safe characters.
+SECRET_KEY=$(dd if=/dev/random bs=20 count=1 2>/dev/null | base64 | fold -w 24 | head -n 1)
+
+# Create a configuration file.
+#
+# For security, temp and log files are not stored in the default locations
+# which are inside the roundcube sources directory. We put them instead
+# in normal places.
+cat - > /usr/local/lib/roundcubemail/config/config.inc.php <<EOF;
+<?php
+/*
+ * Do not edit. Written by Mail-in-a-Box. Regenerated on updates.
+ */
+\$config = array();
+\$config['log_dir'] = '/var/log/roundcubemail/';
+\$config['temp_dir'] = '/tmp/roundcubemail/';
+\$config['db_dsnw'] = 'sqlite:///$STORAGE_ROOT/mail/roundcube/roundcube.sqlite?mode=0640';
+\$config['default_host'] = 'ssl://localhost';
+\$config['default_port'] = 993;
+\$config['imap_timeout'] = 15;
+\$config['smtp_server'] = 'tls://localhost';
+\$config['smtp_port'] = 587;
+\$config['smtp_user'] = '%u';
+\$config['smtp_pass'] = '%p';
+\$config['support_url'] = 'https://mailinabox.email/';
+\$config['product_name'] = 'Mail-in-a-Box/Roundcube Webmail';
+\$config['des_key'] = '$SECRET_KEY';
+\$config['plugins'] = array('archive', 'zipdownload', 'password', 'managesieve');
+\$config['skin'] = 'classic';
+\$config['login_autocomplete'] = 2;
+\$config['password_charset'] = 'UTF-8';
+\$config['junk_mbox'] = 'Spam';
+?>
+EOF
+
+# Create writable directories.
+mkdir -p /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
+chown -R www-data.www-data /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
+
+# Password changing plugin settings
+# The config comes empty by default, so we need the settings 
+# we're not planning to change in config.inc.dist...
+cp /usr/local/lib/roundcubemail/plugins/password/config.inc.php.dist \
+	/usr/local/lib/roundcubemail/plugins/password/config.inc.php
+
+tools/editconf.py /usr/local/lib/roundcubemail/plugins/password/config.inc.php \
+	"\$config['password_minimum_length']=6;" \
+	"\$config['password_db_dsn']='sqlite:///$STORAGE_ROOT/mail/users.sqlite';" \
+	"\$config['password_query']='UPDATE users SET password=%D WHERE email=%u';" \
+	"\$config['password_dovecotpw']='/usr/bin/doveadm pw';" \
+	"\$config['password_dovecotpw_method']='SHA512-CRYPT';" \
+	"\$config['password_dovecotpw_with_method']=true;"
+
+# so PHP can use doveadm, for the password changing plugin
+usermod -a -G dovecot www-data
+
+# set permissions so that PHP can use users.sqlite
+# could use dovecot instead of www-data, but not sure it matters
+chown root.www-data $STORAGE_ROOT/mail
+chmod 775 $STORAGE_ROOT/mail
+chown root.www-data $STORAGE_ROOT/mail/users.sqlite 
+chmod 664 $STORAGE_ROOT/mail/users.sqlite 
+
+# Enable PHP modules.
+php5enmod mcrypt
+restart_service php5-fpm