Using Roundcube with cyrus?

Patrick Goetz pgoetz at mail.utexas.edu
Tue Feb 3 08:20:46 EST 2015 

This is a bit off topic, but is anyone using Roundcube webmail with 
cyrus?  I've lost most of my hair trying to get this to work, and 
although it is working now, I'm not sure my fix is the correct way to 
solve the problem.

Context:
I only allow plain text STARTTLS connections to the imap server:
/etc/cyrus/imap.conf:

   allowplaintext: no (as per the default)
   sasl_mech_list: PLAIN
   sasl_pwcheck_method: saslauthd
   tls_cert_file: /etc/ssl/certs/ssl-cert-cyrus.episcopalarchives.org.pem
   tls_cipher_list:  TLSv1+HIGH:!aNull:@STRENGTH


Here is the relevant PHP configuration from Roundcube's config.php.conf:

   $config['default_host'] = 'tls://mail.episcopalarchives.org';
   $config['imap_conn_options'] = array(
       'ssl'  => array(
         'verify_peer'  => true,
         'allow_self_signed' => true,
         'ciphers' => 'TLSv1+HIGH:!aNull:@STRENGTH',
         'peer_name' => 'mail.episcopalarchives.org',
         'cafile'   => 
'/etc/ssl/certs/ssl-cert-cyrus.episcopalarchives.org.pem',
       ),
   );


I tried multiple combinations of PHP connection options as documented on 
this page:  http://php.net/manual/en/context.ssl.php

No matter what I changed in the Roundcube PHP configuration, I would 
alway get this error message in the cyrus error logs:

Feb 03 01:06:40 www cyrus/imap[29622]: starttls: TLSv1.2 with cipher 
DHE-RSA-AES128-SHA (128/128 bits new) no authentication
Feb 03 01:06:40 www cyrus/imap[29622]: badlogin: 
www.episcopalarchives.org [216.82.212.230] PLAIN [SASL(-13): 
authentication failure: cross-realm login pgoetz at episcopalarchives.org 
denied]

After a little googling I added this to /etc/cyrus/imapd.conf:

   defaultdomain: episcopalarchives.org
   virtdomains: on


Now I can authenticate through Roundcube, but this solution seems a 
little weird to me, since I'm in particular *not* using virtual domains 
on this server.

Question:  is it really necessary to turn virtual domains on to get PHP 
webmail authentication to work, or is there another way to do this?

Related question:  what are people using for webmail these days?  I was 
shocked to see that php-horde isn't even packaged for Arch linux.

More information about the Info-cyrus mailing list