
I have a server running both roundcube and dovecot, each in their own container. The server is secured with letsencrypt, all http traffic is routed to https. I have a proxy setup to route https to http roundcube, which seems to work fine.

location /webmail/ {
    proxy_pass  http://localhost:8080/;
}

My roundcube docker is started like this:

docker run --name=roundcube -e ROUNDCUBEMAIL_DEFAULT_HOST=mail.blinkyvision.com -d -p "8080:80" roundcube/roundcubemail

I also tell roundcube to use https (defaults.inc.php). All other roundcube options are default:

$config['use_https'] = true;

When I go to the roundcube page, the address does properly show as https://

But when I try to log in, I get an error in my dovecot server:

Jan  8 19:53:15 mail dovecot: imap-login: Login failed: Plaintext authentication disabled: user=<>, rip=172.18.0.1, lip=172.18.0.2, session=<dy43svd+8sOsEgAB>

And the error in the roundcube logs:

172.17.0.1 - - [08/Jan/2019:19:53:03 +0000] "GET / HTTP/1.0" 200 2667 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
errors: <1228866d> IMAP Error: Login failed for sven from 172.17.0.1. LOGIN: Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 196 (POST /?_task=login&_action=login)
172.17.0.1 - - [08/Jan/2019:19:53:15 +0000] "POST /?_task=login HTTP/1.0" 200 2935 "https://blinkyvision.com/webmail/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 

I can't think of any other settings that might fix this.

BTW, here are the dovecot settings

root@mail:/# dovecot -n
# 2.2.34 (874deae): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.22 (22940fb7)
# OS: Linux 4.15.0-43-generic x86_64 Debian 9.6 ext4
# Hostname: mail.blinkyvision.com
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = sha1:6
hostname = mail.blinkyvision.com
imap_idle_notify_interval = 29 mins
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_location = maildir:/var/mail/%d/%n
mail_privileged_group = docker
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify vnd.dovecot.pipe vnd.dovecot.filter
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/userdb
  driver = passwd-file
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +notify +imapflags +vnd.dovecot.pipe +vnd.dovecot.filter
  sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
  sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
  sieve_plugins = sieve_extprograms
}
postmaster_address = postmaster@blinkyvision.com
protocols = " imap lmtp sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = docker
    mode = 0666
    user = docker
  }
  unix_listener auth-master {
    group = docker
    mode = 0600
    user = docker
  }
  unix_listener auth-userdb {
    group = docker
    mode = 0666
    user = docker
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener lmtp {
    group = postfix
    mode = 0660
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.blinkyvision.com/fullchain.pem
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl_dh_parameters_length = 2048
ssl_key =  # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv3,!TLSv1,!TLSv1.1
userdb {
  args = username_format=%u /etc/dovecot/userdb
  default_fields = uid=docker gid=docker home=/var/mail/%d/%u
  driver = passwd-file
}
protocol lmtp {
  mail_plugins = " sieve"
}
protocol lda {
  mail_plugins = " sieve"
}
svenyonson

1 Answer

I don't know almost anything about either Roundcube or Dovecot apart from just having looked them up on Google... but this looks like an IMAP error, not an HTTP one.

It seems like someone or something is trying to log in to an IMAP server without using SSL. On the IMAP service, I mean.

My guess: Roundcube acts as a webmail front-end to the actual mail server, Dovecot, to which it connects using IMAP. But this connection is not using SSL, thus Dovecot rejects the login, and Roundcube simply reports the error it's getting from Dovecot. Which has nothing at all to do with how the end user is accessing Roundcube itself (HTTPS).


Another quick search turned up this: https://github.com/roundcube/roundcubemail/wiki/Configuration.

It looks like the default IMAP server for Roundcube should be prefixed with "ssl://" or "tls://" if you want to use an encrypted connection. Try changing ROUNDCUBEMAIL_DEFAULT_HOST=mail.blinkyvision.com to ROUNDCUBEMAIL_DEFAULT_HOST=ssl://mail.blinkyvision.com:993.

Massimo
  • Yes, I agree. I thought maybe roundcube determined whether to use SSL when communicating to dovecot based on whether the browser connection was https or not. But probably not related. Dovecot has a valid cert so it should have no problems receiving the IMAP messages over SSL, the question remains why roundcube isn't using SSL with IMAP – svenyonson Jan 08 '19 at 21:08
  • See edit. This is a Roundcube configuration, but since you are passing the default IMAP host as an environment variable to Docker, changing it there should do the trick. – Massimo Jan 08 '19 at 21:54
  • using ssl://xxxxx:993 worked! – svenyonson Jan 09 '19 at 02:39
  • Wow, I just debugged an interaction between two software packages (three including Docker) I don't even know :D – Massimo Jan 09 '19 at 17:42
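As an added example (not code from the original post, nor from the Roundcube or Dovecot projects), the script below makes the mechanism behind the accepted answer concrete. It maps a Roundcube host string to the connection it implies (Roundcube's documented convention: ssl:// is implicit TLS, default port 993; tls:// is STARTTLS on 143; a bare hostname is plaintext on 143), parses the capability list an IMAP server advertises before authentication, and reports whether a plaintext LOGIN would be accepted. The two capability lines are constructed to match what Dovecot advertises with ssl = required (LOGINDISABLED and STARTTLS on the plaintext port, AUTH= mechanisms only once TLS is up); they are not captured from the asker's server. Only probe() touches the network; everything else runs offline.

```python
"""Map a Roundcube default_host string to an IMAP connection and decide,
from the server's advertised capabilities, whether a plaintext LOGIN
will be accepted. Added example, not Roundcube or Dovecot code."""
import imaplib
import re
import ssl

# Roundcube's documented convention for default_host / ROUNDCUBEMAIL_DEFAULT_HOST.
DEFAULT_PORTS = {"plain": 143, "tls": 143, "ssl": 993}

# Constructed sample responses (not captured from the asker's server).
# Dovecot on port 143 with ssl=required: LOGIN refused, STARTTLS offered.
DOVECOT_PLAIN_GREETING = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
    "LOGINDISABLED STARTTLS] Dovecot ready."
)
# The same server once TLS is up (port 993, or after STARTTLS), as an
# untagged CAPABILITY response: plaintext mechanisms now offered.
DOVECOT_TLS_CAPABILITY = (
    "* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
    "AUTH=PLAIN AUTH=LOGIN"
)


def parse_default_host(spec):
    """Return (scheme, host, port) for a Roundcube host string.
    Hostnames only; bracketed IPv6 literals are not handled here."""
    scheme, sep, rest = spec.partition("://")
    if not sep:
        scheme, rest = "plain", spec
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}")
    if ":" in rest:
        host, port = rest.rsplit(":", 1)
        port = int(port)
    else:
        host, port = rest, DEFAULT_PORTS[scheme]
    if not host:
        raise ValueError("empty host")
    return scheme, host, port


def capabilities_from_greeting(line):
    """Capability set from either a '* OK [CAPABILITY ...]' greeting or an
    untagged '* CAPABILITY ...' response; empty set if none present."""
    m = re.search(r"CAPABILITY ([^\]\r\n]*)", line)
    return set(m.group(1).upper().split()) if m else set()


def plaintext_login_allowed(caps):
    """RFC 3501: a server advertising LOGINDISABLED refuses the LOGIN
    command on this (unencrypted) connection."""
    return "LOGINDISABLED" not in caps


def diagnose(spec, caps):
    """Outcome Roundcube would see for this host string, given the
    capabilities visible on the connection it opens."""
    scheme, _, _ = parse_default_host(spec)
    if scheme == "ssl":
        return "ok-tls"              # credentials go over implicit TLS
    if scheme == "tls":
        return "ok-starttls" if "STARTTLS" in caps else "no-starttls"
    if plaintext_login_allowed(caps):
        return "plaintext-exposed"   # login works, password on the wire
    return "login-disabled"          # the asker's case: bare host + ssl=required


def probe(spec):
    """Live check: connect the way Roundcube would for `spec` and return
    the capabilities available for authentication."""
    scheme, host, port = parse_default_host(spec)
    ctx = ssl.create_default_context()
    if scheme == "ssl":
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    else:
        conn = imaplib.IMAP4(host, port)
        if scheme == "tls":
            conn.starttls(ctx)  # imaplib re-reads CAPABILITY after the handshake
    try:
        return set(conn.capabilities)
    finally:
        conn.logout()


if __name__ == "__main__":
    import sys
    for spec in sys.argv[1:]:
        print(spec, "->", diagnose(spec, probe(spec)))
```

Run it as python3 check_imap.py mail.example.com ssl://mail.example.com:993 to compare the two host strings against a real server; against a Dovecot with ssl = required the bare hostname reports login-disabled and the ssl:// form reports ok-tls, which is exactly the change the accepted answer makes.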