I was able to fix it, and password change is now working on my aaPanel 🙂
Here is what I did:
- Let PHP touch the mailbox DB (open_basedir fix).
  Added .user.ini in the site root with:
    open_basedir=/www/wwwroot/my_domain_email/:/tmp/:/proc/:/www/vmail/
  Restarted PHP-FPM so Roundcube (PHP-FPM) could access /www/vmail/postfixadmin.db.
- Made the DB writable by web + readable by Dovecot.
  Put the web user in the mail group, then:
    chown -R www:mail /www/vmail
    chmod 2770 /www/vmail (setgid so new files inherit group)
    chmod 660 /www/vmail/postfixadmin.db
- Pointed Dovecot to the same SQLite that Roundcube updates.
  /etc/dovecot/dovecot-sql.conf.ext →
    driver = sqlite
    connect = /www/vmail/postfixadmin.db
  Corrected password_query + user_query for mailbox table.
- Aimed Roundcube at a guaranteed IMAP endpoint.
  default_host = 'ssl://127.0.0.1', default_port = 993, with relaxed verify options (to bypass the current CN mismatch).
  This fixed “Login failed” (IMAP auth mismatch).
- Avoided blocked exec() by hashing in PHP.
  Password plugin: hash-bcrypt + password_algorithm_prefix = '{BLF-CRYPT}'.
  Stored {BLF-CRYPT}$2y$… which Dovecot accepts—no doveadm pw call needed.
- Restarted services so changes actually applied.
  Reloaded PHP-FPM (to pick up .user.ini and config changes) and restarted Dovecot.
- Validated everything end-to-end.
  ss -lntp showed IMAP/IMAPS listening.
  doveadm auth test user@domain pass succeeded.
  Roundcube login now worked, and the password plugin could write the new hash to SQLite.
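
Added example, not part of the original post: a read-only audit that checks which mailbox rows actually carry the `{BLF-CRYPT}$2y$` format described above and flags rows still on another scheme, missing the prefix, or using a low bcrypt cost. The `username`/`password` column names, the `MIN_COST` threshold and the in-memory sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

# Dovecot scheme prefix used on the page, followed by a bcrypt string:
# $2y$<cost>$ + 53 chars (22-char salt + 31-char digest).
BLF = re.compile(r"^\{BLF-CRYPT\}\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
SCHEME = re.compile(r"^\{([A-Za-z0-9.-]+)\}")
MIN_COST = 10  # assumption: PHP's long-standing default bcrypt cost


def classify(stored):
    """Return 'ok', 'low-cost', 'malformed', 'other:<SCHEME>' or 'no-prefix'."""
    m = BLF.match(stored or "")
    if m:
        return "ok" if int(m.group(1)) >= MIN_COST else "low-cost"
    s = SCHEME.match(stored or "")
    if not s:
        return "no-prefix"
    name = s.group(1).upper()
    return "malformed" if name == "BLF-CRYPT" else "other:" + name


def audit(conn):
    """Map each mailbox username to its classification."""
    rows = conn.execute("SELECT username, password FROM mailbox")
    return {user: classify(pw) for user, pw in rows}


def sample_db():
    """Constructed in-memory stand-in for /www/vmail/postfixadmin.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (username TEXT, password TEXT)")
    body = "A" * 53  # filler, not a real salt/digest
    conn.executemany("INSERT INTO mailbox VALUES (?, ?)", [
        ("alice@example.test", "{BLF-CRYPT}$2y$10$" + body),
        ("bob@example.test", "{BLF-CRYPT}$2y$04$" + body),
        ("carol@example.test", "{MD5-CRYPT}$1$saltsalt$" + "B" * 22),
        ("dave@example.test", "$2y$10$" + body),
        ("erin@example.test", "{BLF-CRYPT}$2y$10$short"),
    ])
    return conn


if __name__ == "__main__":
    for user, verdict in sorted(audit(sample_db()).items()):
        print(f"{user:22} {verdict}")
```

To run it against the real file, pass `audit()` a connection opened read-only, for example `sqlite3.connect("file:/www/vmail/postfixadmin.db?mode=ro", uri=True)`.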