Roundcube webmail plugins configuration

Check: http://httpd.apache.org/docs/2.2/programs/apachectl.html

apachectl configtest

Being confronted with the very same issue, I did a few ours of Google-Foo to get to the root of the issue: As Gabriel assumed correcty in his answer, it's not the fault of Roundcube – but of the way the password is stored and the encryption works.

Few obvious basics

When talking about CRAM-MD5, MD5, or CRYPT, we're talking about one-way-encryption: A hash is generated. We cannot do that the other way around, deriving the clear-text password from the hash is (apart from brute-forcing) impossible and not realistic for any login-procedure. So with the password stored using one of these hashes, we can only validate it when having it plain-text – which is why setting $rcmail_config['imap_auth_type'] = 'PLAIN' in the roundcube configuration "solves" this.

Options

1. Stick with PLAIN/LOGIN:
   • fine with Roundcube and IMAP on the same server, as long as users connect with HTTPS
   • fine with access from mail clients, as long as the connection is secured (IMAPS/POP3S/SMTPS)
   • a security hole with unencrypted traffic
2. Store the passwords plain-text
   • all kind of auth mechanisms can be used, which is a pro
   • having all your users' passwords plain-text in a file/database is an absolute no-go
3. Store the passwords using CRAM-MD5
   • gives you at least CRAM-MD5, which most clients support
   • still leaves the option of using PLAIN/LOGIN
   • must be supported by your administrative tools
     • some of them might need to revert to 3rd party tools for encryption (e.g. PostfixAdmin uses /usr/sbin/doveadm pw), which makes the clear-text password appear shortly in the process list each time it is invoked
   • other 3rd party tools (plugins/addons etc.) might be an issue

I'm still struggling which path to go – with only #2 definitely ruled-out (I don't want to make presents to potential hackers ;)