I am using Roundcube v1.6.0, and I am trying to get the Password Plugin to work properly.

However, I am getting the following error message (in browser):

Could not save new password.
Encryption function missing.

Why does Roundcube want to access my private key?

I am using Postfix/Dovecot configured for virtual users with Postfixadmin.


Configuration

/srv/live/php/roundcubemail-1.6.0/logs/errors.log

[13-Dec-2022 11:16:31 -0500]: PHP Error: Password plugin: Failed to execute command: /usr/bin/doveadm pw -s 'CRAM-MD5'.  
Error: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 12: ssl_cert: Can't open file /etc/ssl/private/fullchain.pem: Permission denied in /srv/live/php/roundcubemail-1.6.0/plugins/password/password.php on line 747 (POST /?_task=settings&_action=plugin.password-save)

edit: I mistakenly listed the below as the Roundcube main config file; this is the password plugin config

/srv/live/php/roundcubemail-1.6.0/plugins/password

$config['password_driver'] = 'sql';
$config['password_strength_driver'] = 'zxcvbn';
$config['password_zxcvbn_min_score'] = 5;
$config['password_confirm_current'] = true;
$config['password_minimum_length'] = 8;
$config['password_minimum_score'] = 0;
$config['password_algorithm'] = 'dovecot';
$config['password_algorithm_options'] = [];
$config['password_algorithm_prefix'] = '';
$config['password_dovecotpw'] = '/usr/bin/doveadm pw';
$config['password_dovecotpw_method'] = 'CRAM-MD5';
$config['password_dovecotpw_with_method'] = true;

/etc/dovecot/dovecot-sql.conf

driver = mysql
connect = host=localhost dbname=postfix_db user=postfix password=<redacted>
default_pass_scheme = MD5-CRYPT
user_query = SELECT '/var/www/mail/vmail/%d/%n' as home, 'maildir:/var/www/mail/vmail/%d/%n' as mail, 2000 AS uid, 2000 AS gid, concat('dirsize:storage=',  quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
# Get the password
password_query = SELECT username as user, password, '/var/www/mail/vmail/%d/%n' as userdb_home, 'maildir:/var/www/mail/vmail/%d/%n' as userdb_mail, 2000 as userdb_uid, 2000 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
# If using client certificates for authentication, comment the above and uncomment the following
#password_query = SELECT null AS password, '%u' AS user

Thank you so much in advance for your help!


sidenote: I was unable to find any posts detailing my exact problem.

I did find two posters with rather similar setups/errors that were solved by changing Dovecot's password schema from MD5 to bcrypt. I am not sure why that might help, but since I was planning to do this anyway, please let me know if this is somehow the solution.

SKNB

1 Answer

It was a long journey, but I fixed it. Ended up going to the Postfixadmin git and finding this issue with this post. The subsequent error "Error: net_connect_unix(/run/dovecot/stats-writer) failed: Permission denied" was solved thanks to this post.

To summarize:

1. Make new dovecot config file

You will first make a new file in /etc/dovecot/ (or wherever your dovecot config files live).
I call mine ssl-keys.conf. The permissions for this file are 0600 (owner is root:root).

This will contain only two (2) lines that are moved from your primary dovecot config file (presumably dovecot.conf):

ssl-keys.conf

ssl_cert                   = </etc/ssl/private/fullchain.pem
ssl_key                    = </etc/ssl/private/privkey.pem

2. Modify the main dovecot config file

In dovecot.conf, add the following lines:

!include_try ssl-keys.conf

service stats {
    unix_listener stats-reader {
        group = vmail
        mode = 0666
    }

    unix_listener stats-writer {
        group = vmail
        mode = 0666
    }
}

Make sure postfixadmin is part of the dovecot/vmail group (where vmail is your mail or virtual user group).

If you have not done so already, remove the lines from dovecot.conf that you added to the new file ssl-keys.conf. Leave everything else as is.

3. Modify the dovecot database config file

In your Dovecot database config file (dovecot-sql.conf for me) modify the following:

default_pass_scheme = BLF-CRYPT

In your Roundcube password plugin config file, modify the following (the rest is the same as my OP):

$config['password_dovecotpw_method'] = 'BLF-CRYPT';
$config['password_dovecotpw'] = '/usr/bin/doveadm pw -r 12';
SKNB
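
Added example (not part of the original answer, nor code from Dovecot or Roundcube): a shell function that audits the layout from steps 1 and 2 above, checking that dovecot.conf no longer sets ssl_cert/ssl_key itself, that it pulls them in with !include_try, and that ssl-keys.conf is mode 600 with the expected owner. It assumes GNU stat; the function name and the optional uid:gid argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes GNU stat (Linux).
# Usage (as root): audit_dovecot_ssl_split /etc/dovecot
# Optional 2nd argument: expected numeric uid:gid of ssl-keys.conf (default 0:0).
# Prints one line per finding and returns the number of findings.
audit_dovecot_ssl_split() {
    main="$1/dovecot.conf"
    keys="$1/ssl-keys.conf"
    owner="${2:-0:0}"
    findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

    # The main file is parsed by every doveadm run, including the one the
    # web user starts, so it must not read the certificate or key itself.
    if grep -Eq '^[[:space:]]*ssl_(cert|key)[[:space:]]*=' "$main"; then
        fail "$main still sets ssl_cert/ssl_key"
    fi

    # The split file has to be pulled in with !include_try, as in step 2.
    if ! grep -Eq '^[[:space:]]*!include_try[[:space:]]+ssl-keys\.conf' "$main"; then
        fail "$main has no '!include_try ssl-keys.conf' line"
    fi

    if [ ! -f "$keys" ]; then
        fail "$keys is missing"
    else
        # Step 1: mode 0600, owner root:root.
        [ "$(stat -c '%a' "$keys")" = "600" ] || fail "$keys is not mode 600"
        [ "$(stat -c '%u:%g' "$keys")" = "$owner" ] || fail "$keys is not owned by $owner"
        # Both settings should now live in the split file.
        for name in ssl_cert ssl_key; do
            grep -Eq "^[[:space:]]*${name}[[:space:]]*=" "$keys" || fail "$keys lacks $name"
        done
    fi
    return "$findings"
}
```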