From b3600f2a3728ca1d70c734adb92c4cbbdcbbf5dd Mon Sep 17 00:00:00 2001
From: mifi
Date: Thu, 12 Feb 2026 19:33:54 -0300
Subject: [PATCH] Initial commit

---
.dockerignore | 9 +
.env.example | 32 ++
.gitignore | 6 +
.prettierignore | 2 +
.prettierrc | 15 +
Dockerfile | 13 +
README.md | 69 ++++
config/config.inc.php | 60 ++++
config/config.smtp.inc.php | 10 +
docker-compose.yml | 100 ++++++
package.json | 21 ++
plugins/enigma/config.inc.php | 80 +++++
plugins/managesieve/config.inc.php | 130 +++++++
plugins/password/config.inc.php | 552 +++++++++++++++++++++++++++++
14 files changed, 1099 insertions(+)
create mode 100644 .dockerignore
create mode 100644 .env.example
create mode 100644 .gitignore
create mode 100644 .prettierignore
create mode 100644 .prettierrc
create mode 100644 Dockerfile
create mode 100644 README.md
create mode 100644 config/config.inc.php
create mode 100644 config/config.smtp.inc.php
create mode 100644 docker-compose.yml
create mode 100644 package.json
create mode 100644 plugins/enigma/config.inc.php
create mode 100644 plugins/managesieve/config.inc.php
create mode 100644 plugins/password/config.inc.php

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..20b13a7
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,9 @@
+# Avoid sending secrets or dev tooling into the build context
+# config/ and plugins/ are included (no secrets; PHP configs read from ENV at runtime)
+node_modules
+.git
+.prettierrc
+.prettierignore
+*.md
+.env
+.env.*
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..886a51f
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,32 @@
+# Roundcube stack – copy to .env and fill in values.
+# Required for custom image: set image to git.mifi.dev/mifi-holdings/mail-roundcube (built by Woodpecker).
+
+# Site / deployment
+SITE_DOMAIN=webmail.example.com
+DB_ROOT_PASSWORD=
+DB_NAME=roundcubemail
+DB_USER=roundcubemail
+DB_PASSWORD=
+
+# Roundcube main (IMAP/SMTP)
+ROUNDCUBEMAIL_DEFAULT_HOST=ssl://mail.example.com
+ROUNDCUBEMAIL_DEFAULT_PORT=993
+ROUNDCUBEMAIL_SMTP_SERVER=ssl://mail.example.com
+ROUNDCUBEMAIL_SMTP_PORT=587
+ROUNDCUBEMAIL_PLUGINS=acl,additional_message_headers,archive,attachment_reminder,autologon,debug_logger,emoticons,enigma,filesystem_attachments,help,hide_blockquote,http_authentication,identicon,identity_select,jqueryui,krb_authentication,managesieve,markasjunk,new_user_dialog,new_user_identity,newmail_notifier,password,reconnect,show_additional_headers,squirrelmail_usercopy,subscriptions_option,userinfo,vcard_attachments,virtuser_file,virtuser_query,zipdownload
+ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE=50M
+
+# Secrets (required – config files read these at runtime)
+ROUNDCUBEMAIL_DES_KEY= # Exactly 24 characters; used to encrypt session passwords
+ROUNDCUBEMAIL_SUPPORT_URL=mailto:admin@example.com
+
+# Plugin: managesieve (Sieve server host)
+ROUNDCUBEMAIL_MANAGESIEVE_HOST=tls://mail.example.com:4190
+
+# Plugin: password (Postfix/mailbox DB for password changes)
+ROUNDCUBEMAIL_PASSWORD_DB_USER=
+ROUNDCUBEMAIL_PASSWORD_DB_PASSWORD=
+ROUNDCUBEMAIL_PASSWORD_DB_NAME=postfix
+
+# Optional: pin image tag (default: latest)
+# IMAGE_TAG=latest
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..048d79a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+.env
+.env.*
+!.env.example
+
+node_modules
+pnpm-lock.yaml
diff --git a/.prettierignore b/.prettierignore
new file mode 100644
index 0000000..ee89780
--- /dev/null
+++ b/.prettierignore
@@ -0,0 +1,2 @@
+node_modules
+pnpm-lock.yaml
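Review bot: The password-plugin variables on the `ROUNDCUBEMAIL_PASSWORD_DB_USER`, `ROUNDCUBEMAIL_PASSWORD_DB_PASSWORD` and `ROUNDCUBEMAIL_PASSWORD_DB_NAME` lines do not match the names `plugins/password/config.inc.php` reads later in this patch (`getenv('ROUNDCUBEMAIL_PASSWORD_PLUGIN_DB_USER')` and friends), so with this template the `password_db_dsn` guard never fires and, per that file's own comment, the plugin falls back to Roundcube's own DB settings; rename one side, and keep the README (which also uses the `_DB_` names) in step. `ROUNDCUBEMAIL_SMTP_SERVER=ssl://mail.example.com` paired with `ROUNDCUBEMAIL_SMTP_PORT=587` looks mismatched, since in Roundcube `ssl://` means implicit TLS (normally 465) while 587 is normally STARTTLS (`tls://`) — confirm which the server expects. The `ROUNDCUBEMAIL_PLUGINS` line appears to enable every bundled plugin, including login-affecting ones such as `autologon`, `http_authentication` and `krb_authentication`; each of those changes how sessions are established, so the list should be trimmed to what this deployment actually uses. Consider also moving the trailing comment on the `ROUNDCUBEMAIL_DES_KEY=` line onto its own line, because not every dotenv loader strips inline comments and a 24-character requirement leaves no room for stray text.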
diff --git a/.prettierrc b/.prettierrc
new file mode 100644
index 0000000..85b0780
--- /dev/null
+++ b/.prettierrc
@@ -0,0 +1,15 @@
+{
+ "semi": false,
+ "singleQuote": true,
+ "tabWidth": 2,
+ "trailingComma": "none",
+ "overrides": [
+ {
+ "files": "*.yml",
+ "options": {
+ "tabWidth": 4,
+ "proseWrap": "preserve"
+ }
+ }
+ ]
+}
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..6ac1fdc
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,13 @@
+# Custom Roundcube image: official image + repo config files (secrets from env at runtime).
+ARG RC_VERSION=latest
+FROM roundcube/roundcubemail:${RC_VERSION}
+
+# Main config (config.inc.php, config.smtp.inc.php)
+COPY config/*.php /var/roundcube/config/
+
+# Plugin configs
+COPY plugins/enigma/config.inc.php /var/www/html/plugins/enigma/config.inc.php
+COPY plugins/managesieve/config.inc.php /var/www/html/plugins/managesieve/config.inc.php
+COPY plugins/password/config.inc.php /var/www/html/plugins/password/config.inc.php
+
+# Official image ENTRYPOINT/CMD unchanged; no .env or secrets copied
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6fd89ab
--- /dev/null
+++ b/README.md
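Review bot: `ARG RC_VERSION=latest` on the second line of the Dockerfile makes every build float on the upstream `latest` tag, so two builds of the same commit can yield different images and an upstream change lands here without a corresponding commit. Default the argument to a specific release and pin the base by digest as well, e.g. `ARG RC_VERSION=<pinned-roundcube-version>` and `FROM roundcube/roundcubemail:${RC_VERSION}@sha256:<base-image-digest>`, letting CI override the ARG when an upgrade is intended. A one-line comment above `COPY config/*.php /var/roundcube/config/` noting that the glob also ships any future `*.php` placed in `config/` would help the next maintainer, since that directory is copied into the image's live config path verbatim.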
@@ -0,0 +1,69 @@ +# Roundcube Webmail (Docker) + +Docker-based Roundcube Webmail stack with config baked into a custom image and secrets supplied via environment variables. Suitable for deployment behind a reverse proxy (e.g. Traefik) with a private container registry and CI/CD. + +## Architecture + +- **Custom image**: Built from the official [Roundcube image](https://hub.docker.com/r/roundcube/roundcubemail). The Dockerfile copies this repo’s config files into the image; no config is mounted from the host at runtime. +- **Secrets and per-deployment values**: All sensitive and site-specific settings (DB credentials, session key, IMAP/SMTP hosts, plugin DSNs, etc.) are read from environment variables at runtime. The image is safe to push to a registry. +- **Stack**: + - **webmail**: Roundcube (custom image). Connects to MariaDB for Roundcube DB and, if using the password plugin, to a separate DB (e.g. Postfix/mailbox) via a Unix socket. Enigma plugin uses a named volume for GPG keys. + - **db**: MariaDB for Roundcube’s own database (user prefs, etc.). +- **Networks**: Internal `backend` (webmail ↔ db) and external `traefik` for the reverse proxy. The compose file assumes Traefik and a `traefik` network already exist. + +## Repository layout + +| Path | Purpose | +| ---------------------- | ------------------------------------------------------------------------------------------------- | +| `config/` | Main Roundcube config (`config.inc.php`, `config.smtp.inc.php`). Values are read from env in PHP. | +| `plugins/enigma/` | Enigma (PGP) plugin config. | +| `plugins/managesieve/` | Managesieve plugin config; host from env. | +| `plugins/password/` | Password-change plugin config; DB DSN built from env. | +| `docker-compose.yml` | Stack definition; webmail image points at the image produced by the build pipeline. | +| `Dockerfile` | Extends official Roundcube image and copies the config files above. 
| +| `.env.example` | Template for required and optional env vars (no secrets). | + +## Environment variables + +Copy `.env.example` to `.env` and set values. Required for a working stack: + +- **Database (Roundcube)**: `DB_ROOT_PASSWORD`, `DB_PASSWORD`, `DB_NAME`, `DB_USER` (and thus `ROUNDCUBEMAIL_DB_*` used by the app). +- **IMAP/SMTP**: `ROUNDCUBEMAIL_DEFAULT_HOST`, `ROUNDCUBEMAIL_DEFAULT_PORT`, `ROUNDCUBEMAIL_SMTP_SERVER`, `ROUNDCUBEMAIL_SMTP_PORT`. +- **Session key**: `ROUNDCUBEMAIL_DES_KEY` — must be exactly 24 characters; used to encrypt stored IMAP passwords in the session. + +Optional / plugin-related: + +- `ROUNDCUBEMAIL_SUPPORT_URL`, `ROUNDCUBEMAIL_PLUGINS`, `ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE`. +- **Managesieve**: `ROUNDCUBEMAIL_MANAGESIEVE_HOST` (e.g. `tls://mail.example.com:4190`). +- **Password plugin**: `ROUNDCUBEMAIL_PASSWORD_DB_USER`, `ROUNDCUBEMAIL_PASSWORD_DB_PASSWORD`, `ROUNDCUBEMAIL_PASSWORD_DB_NAME` (DB used for mailbox password changes). +- **Image tag**: `IMAGE_TAG` (default `latest`) to pin the webmail image. + +The webmail service expects the host’s MySQL socket at `/var/run/mysqld/mysqld.sock` for the password-plugin DB; adjust the volume mount if your socket path differs. + +## Docker Compose and Traefik + +- **Image**: The `webmail` service uses a single image tag (e.g. `your-registry/your-org/mail-roundcube:latest`). Set the image name in `docker-compose.yml` to match the image built and pushed by your CI. +- **Traefik labels**: The sample labels in `docker-compose.yml` are for TLS and host-based routing. Replace the `Host(...)` rules and any other host-specific labels with your own hostnames and middleware. +- **Volumes**: `roundcube-keys` is used by the Enigma plugin and is marked `external: true`; create it (or adjust) before first deploy. `temp` is for Roundcube temp files. + +## CI/CD (Woodpecker) + +Three pipelines: + +1. **ci** — Lint and format (Prettier, yamllint). Runs on pull requests and pushes to the default branch. +2. 
**build** — Builds the Docker image and pushes it to your container registry. Depends on `ci`. Configure registry URL and repo name in the pipeline file and in `package.json` scripts if you use them locally. +3. **deploy** — Triggers a webhook (e.g. reverse-proxy or stack redeploy). Depends on `ci` and `build` so the new image is pushed before the webhook runs. + +Required secrets (in your CI): registry login, webhook URL, and any notification tokens you use. Do not commit `.env` or real secrets; use CI secret storage. + +## Local build and run + +- **Build image**: From the repo root, run your usual Docker build (e.g. `docker build -t your-registry/your-org/mail-roundcube:latest .`). The `package.json` scripts are optional helpers; point them at your registry if desired. +- **Run stack**: Ensure `.env` is populated, create the external volume for Enigma if needed, then `docker compose up -d`. For the password plugin to work, the host must run MySQL/MariaDB and expose the socket at `/var/run/mysqld/mysqld.sock`, or you must change the webmail volume and plugin config accordingly. + +## Security notes + +- Never commit `.env` or any file containing real credentials. `.env.example` is a template only. +- The 24-character `ROUNDCUBEMAIL_DES_KEY` must be unique and kept secret; it encrypts session data. +- Keep registry and CI credentials in your CI secret store, not in the repo. +- Traefik labels in the repo are examples; replace hostnames and middleware names with your own before use. diff --git a/config/config.inc.php b/config/config.inc.php new file mode 100644 index 0000000..db4d0ae --- /dev/null +++ b/config/config.inc.php 
@@ -0,0 +1,60 @@ += 2.1. +$config['enigma_pgp_gpgconf'] = ''; + +// Name of the PGP symmetric cipher algorithm. +// Run gpg --version to see the list of supported algorithms +$config['enigma_pgp_cipher_algo'] = null; + +// Name of the PGP digest (hash) algorithm. +// Run gpg --version to see the list of supported algorithms +$config['enigma_pgp_digest_algo'] = null; + +// Enables multi-host environments support. +// Enable it if you have more than one HTTP server. +// Make sure all servers run the same GnuPG version and have time in sync. +// Keys will be stored in SQL database (make sure max_allowed_packet +// is big enough). +$config['enigma_multihost'] = false; + +// Enables signatures verification feature. +$config['enigma_signatures'] = true; + +// Enables messages decryption feature. +$config['enigma_decryption'] = true; + +// Enables messages encryption and signing feature. +$config['enigma_encryption'] = true; + +// Enable signing all messages by default +$config['enigma_sign_all'] = false; + +// Enable encrypting all messages by default +$config['enigma_encrypt_all'] = false; + +// Enable attaching a public key to all messages by default +$config['enigma_attach_pubkey'] = false; + +// Default for how long to store private key passwords (in minutes). +// When set to 0 passwords will be stored for the whole session. +$config['enigma_password_time'] = 5; + +// Enable support for private keys without passwords. +$config['enigma_passwordless'] = false; + +// With this option you can lock composing options +// of the plugin forcing the user to use configured settings. +// The array accepts: 'sign', 'encrypt', 'pubkey'. +// +// For example, to force your users to sign every email, +// you should set: +// - enigma_sign_all = true +// - enigma_options_lock = ['sign'] +// - dont_override = ['enigma_sign_all'] +$config['enigma_options_lock'] = []; 
diff --git a/plugins/managesieve/config.inc.php b/plugins/managesieve/config.inc.php
new file mode 100644
index 0000000..f62cdb7
--- /dev/null
+++ b/plugins/managesieve/config.inc.php
@@ -0,0 +1,130 @@
+ [
+// 'verify_peer' => true,
+// 'verify_depth' => 3,
+// 'cafile' => '/etc/openssl/certs/ca.crt',
+// ],
+// ];
+// Note: These can be also specified as an array of options indexed by hostname
+$config['managesieve_conn_options'] = null;
+
+// A file with default script content (e.g. spam filter)
+$config['managesieve_default'] = '/etc/dovecot/sieve/global';
+
+// The name of the script which will be used when there's no user script
+$config['managesieve_script_name'] = 'managesieve';
+
+// Sieve RFC says that we should use UTF-8 encoding for mailbox names,
+// but some implementations work with UTF7-IMAP encoding only.
+// Defaults to UTF7-IMAP
+$config['managesieve_mbox_encoding'] = 'UTF-8';
+
+// I need this because my dovecot (with listescape plugin) uses
+// ':' delimiter, but creates folders with dot delimiter
+$config['managesieve_replace_delimiter'] = '';
+
+// disabled sieve extensions (body, copy, date, editheader, encoded-character,
+// envelope, environment, ereject, fileinto, ihave, imap4flags, index,
+// mailbox, mboxmetadata, regex, reject, relational, servermetadata,
+// spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc.
+// Note: not all extensions are implemented
+$config['managesieve_disabled_extensions'] = [];
+
+// Enables debugging of conversation with sieve server. Logs it into /sieve
+$config['managesieve_debug'] = true;
+
+// Enables features described in http://wiki.kolab.org/KEP:14
+$config['managesieve_kolab_master'] = false;
+
+// Script name extension used for scripts including. Dovecot uses '.sieve',
+// Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled.
+$config['managesieve_filename_extension'] = '.sieve';
+
+// List of reserved script names (without extension).
+// Scripts listed here will be not presented to the user.
+$config['managesieve_filename_exceptions'] = [];
+
+// List of domains limiting destination emails in redirect action
+// If not empty, user will need to select domain from a list
+$config['managesieve_domains'] = [];
+
+// Default list of entries in header selector
+$config['managesieve_default_headers'] = ['Subject', 'From', 'To'];
+
+// Enables separate management interface for vacation responses (out-of-office)
+// 0 - no separate section (default),
+// 1 - add Forward section,
+// 2 - add Forward section, but hide Filters section
+$config['managesieve_forward'] = 0;
+
+// Default vacation interval (in days).
+// Note: If server supports vacation-seconds extension it is possible
+// to define interval in seconds here (as a string), e.g. "3600s".
+$config['managesieve_vacation_interval'] = 0;
+
+// Some servers require vacation :addresses to be filled with all
+// user addresses (aliases). This option enables automatic filling
+// of these on initial vacation form creation.
+$config['managesieve_vacation_addresses_init'] = false;
+
+// Sometimes you want to always reply with mail email address
+// This option enables automatic filling of :from field on initial vacation form creation.
+$config['managesieve_vacation_from_init'] = false;
+
+// Supported methods of notify extension. Default: 'mailto'
+$config['managesieve_notify_methods'] = ['mailto'];
+
+// Enables scripts RAW editor feature
+$config['managesieve_raw_editor'] = true;
+
+// Disabled actions.
Prevents user from performing specific actions by disabling
+// the UI elements:
+// - list_sets,
+// Note: disabling list_sets removes the Filter sets widget from the UI and means
+// the set defined in managesieve_script_name will always be used (and activated)
+// - enable_disable_set,
+// - delete_set,
+// - new_set,
+// - download_set,
+// - new_filter,
+// - delete_filter,
+// - redirect: This one will remove 'redirect' option from the filter actions selector
+// Note: This will not remove it for redirect actions already existing in the script.
+// Note: This has no impact on the Forwarding UI
+$config['managesieve_disabled_actions'] = [];
+
+// List of hosts that support managesieve.
+// Activate managesieve for selected hosts only. If this is not set all hosts are allowed.
+// Example: $config['managesieve_allowed_hosts'] = ['host1.mydomain.com', 'host2.mydomain.com'];
+$config['managesieve_allowed_hosts'] = null;
diff --git a/plugins/password/config.inc.php b/plugins/password/config.inc.php
new file mode 100644
index 0000000..5bb470f
--- /dev/null
+++ b/plugins/password/config.inc.php
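Review bot: `$config['managesieve_debug'] = true;` ships protocol debug logging switched on in a deployment config; the conversation it writes to the plugin's `sieve` log includes the client's login exchange with the Sieve server, so unless the plugin's log handler masks the AUTHENTICATE payload (worth confirming in the plugin source) user credentials end up on disk in the container's log directory. Change it to `$config['managesieve_debug'] = false;` and enable it only while troubleshooting. The first line of this hunk (`+ [`) is truncated on this page, so the TLS `managesieve_conn_options` example just above it cannot be reviewed here; with the option left at `null`, a `tls://` host relies on PHP's stream defaults for certificate verification, which is acceptable but deserves a one-line comment saying so.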
@@ -0,0 +1,552 @@ + 12] +$config['password_algorithm_options'] = ['cost' => 13]; + +// Password prefix (e.g. {CRYPT}, {SHA}) for passwords generated +// using password_algorithm above. Default: empty. +//$config['password_algorithm_prefix'] = '{ARGON2ID}'; +$config['password_algorithm_prefix'] = '{BLF-CRYPT}'; + +// Path for dovecotpw/doveadm-pw (if not in the $PATH). +// Used for password_algorithm = 'dovecot'. +// $config['password_dovecotpw'] = '/usr/local/sbin/doveadm pw'; // for dovecot-2.x +// $config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw'; // for dovecot-1.x +$config['password_dovecotpw'] = '/usr/bin/doveadm pw -r 5'; + +// Dovecot password scheme. +// Used for password_algorithm = 'dovecot'. +$config['password_dovecotpw_method'] = 'BLF-CRYPT'; + +// Enables use of password with method prefix, e.g. {MD5}$1$LUiMYWqx$fEkg/ggr/L6Mb2X7be4i1/ +// when using password_algorithm=dovecot +$config['password_dovecotpw_with_method'] = true; + +// Number of rounds for the sha256 and sha512 crypt hashing algorithms. +// Must be at least 1000. If not set, then the number of rounds is left up +// to the crypt() implementation. On glibc this defaults to 5000. +// Be aware, the higher the value, the longer it takes to generate the password hashes. +//$config['password_crypt_rounds'] = 50000; + +// This option temporarily disables the password change functionality. +// Use it when the users database server is in maintenance mode or something like that. +// You can set it to TRUE/FALSE or a text describing the reason +// which will replace the default. +$config['password_disabled'] = false; + +// Various drivers/setups use different format of the username. +// This option allows you to force specified format use. Default: '%u'. 
+// Supported variables: +// %u - full username, +// %l - the local part of the username (in case the username is an email address) +// %d - the domain part of the username (in case the username is an email address) +// Note: This may no apply to some drivers implementing their own rules, e.g. sql. +$config['password_username_format'] = '%u'; + +// Options passed when creating Guzzle HTTP client, used to access various external APIs. +// This will overwrite global http_client settings. For example: +// [ +// 'timeout' => 10, +// 'proxy' => 'tcp://localhost:8125', +// ] +$config['password_http_client'] = []; + + +// SQL Driver options +// ------------------ +// PEAR database DSN for performing the query. By default +// Roundcube DB settings are used. +// Supported replacement variables: +// %h - user's IMAP hostname +// %n - hostname ($_SERVER['SERVER_NAME']) +// %t - hostname without the first part +// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part) +// %z - IMAP domain (IMAP hostname without the first part) +// Built from env: ROUNDCUBEMAIL_PASSWORD_DB_USER, ROUNDCUBEMAIL_PASSWORD_DB_PASSWORD, ROUNDCUBEMAIL_PASSWORD_DB_NAME +$pwDbUser = getenv('ROUNDCUBEMAIL_PASSWORD_PLUGIN_DB_USER'); +$pwDbPass = getenv('ROUNDCUBEMAIL_PASSWORD_PLUGIN_DB_PASSWORD'); +$pwDbName = getenv('ROUNDCUBEMAIL_PASSWORD_PLUGIN_DB_NAME') ?: 'postfix'; +if ($pwDbUser !== false && $pwDbUser !== '' && $pwDbPass !== false) { + $config['password_db_dsn'] = 'mysql://' . $pwDbUser . ':' . rawurlencode($pwDbPass) . '@unix(/var/run/mysqld/mysqld.sock)/' . $pwDbName; +} + +// The SQL query used to change the password. 
+// The query can contain the following macros that will be expanded as follows: +// %p is replaced with the plaintext new password +// %P is replaced with the crypted/hashed new password +// according to configured password_algorithm +// %o is replaced with the old (current) password +// %O is replaced with the crypted/hashed old (current) password +// according to configured password_algorithm +// %h is replaced with the imap host (from the session info) +// %u is replaced with the username (from the session info) +// %l is replaced with the local part of the username +// (in case the username is an email address) +// %d is replaced with the domain part of the username +// (in case the username is an email address) +// Escaping of macros is handled by this module. +// Default: "SELECT update_passwd(%P, %u)" +$config['password_query'] = 'UPDATE mailbox SET password=%P,modified=NOW() WHERE username=%u'; + +// By default domains in variables are using unicode. +// Enable this option to use punycoded names +$config['password_idn_ascii'] = false; + + +// Poppassd Driver options +// ----------------------- +// The host which changes the password (default: localhost) +// Supported replacement variables: +// %n - hostname ($_SERVER['SERVER_NAME']) +// %t - hostname without the first part +// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part) +// %h - IMAP host +// %z - IMAP domain without first part +// %s - domain name after the '@' from e-mail address provided at login screen +$config['password_pop_host'] = 'localhost'; + +// TCP port used for poppassd connections (default: 106) +$config['password_pop_port'] = 106; + + +// SASL Driver options +// ------------------- +// Additional arguments for the saslpasswd2 call +$config['password_saslpasswd_args'] = ''; + +// LDAP, LDAP_SIMPLE, LDAP_SAMBA_AD and LDAP_EXOP Driver options +// ----------------------------------- +// LDAP server name to connect to. 
+// You can provide one or several hosts in an array in which case the hosts are tried from left to right. +// When 'ldap_simple' driver is used, URI syntax (i.e. 'ldapi:///') is supported, +// 'password_ldap_port' is ignored when URI is used. +// Example: ['ldap1.example.com', 'ldap2.example.com']; +// Default: 'localhost' +$config['password_ldap_host'] = 'localhost'; + +// LDAP server port to connect to +// Default: '389' +$config['password_ldap_port'] = '389'; + +// TLS is started after connecting +// Using TLS for password modification is recommended. +// Default: false +$config['password_ldap_starttls'] = false; + +// LDAP version +// Default: '3' +$config['password_ldap_version'] = '3'; + +// LDAP search bind type +// This option works only with 'ldap_simple' driver. +// 'sasl' bind type is particularly useful when local UNIX socket is used to connect +// the server, or client TLS certificate validation is enabled. In this cases we +// can avoid using explicit DN. +// Example: 'sasl' +// Default: 'bind' +$config['password_ldap_bind_method'] = 'bind'; + +// LDAP SASL mech +// SASL mech when 'password_ldap_bind_method' is 'sasl'. +// This option works only with 'ldap_simple' driver. +// Example: 'EXTERNAL' +// Default: null +$config['password_ldap_mech'] = null; + +// LDAP SASL realm +// SASL realm when 'password_ldap_bind_method' is 'sasl'. +// This option works only with 'ldap_simple' driver. +// Example: 'myrealm' +// Default: null +$config['password_ldap_realm'] = null; + +// LDAP base name (root directory) +// Example: 'dc=example,dc=com' +$config['password_ldap_basedn'] = 'dc=example,dc=com'; + +// LDAP connection method +// There are two connection methods for changing a user's LDAP password. 
+// 'user': use user credential (recommended, require password_confirm_current=true) +// 'admin': use admin credential (this mode require password_ldap_adminDN and password_ldap_adminPW) +// 'sasl': use SASL bind (see password_ldap_adminDN, password_ldap_adminPW, +// password_ldap_realm, and password_ldap_mech) +// Default: 'user' +$config['password_ldap_method'] = 'user'; + +// LDAP Admin DN +// Used only in admin connection mode +// Default: null +$config['password_ldap_adminDN'] = null; + +// LDAP Admin Password +// Used only in admin connection mode +// Default: null +$config['password_ldap_adminPW'] = null; + +// LDAP user DN mask +// The user's DN is mandatory and as we only have his login, +// we need to re-create his DN using a mask +// '%login' will be replaced by the current roundcube user's login +// '%name' will be replaced by the current roundcube user's name part +// '%domain' will be replaced by the current roundcube user's domain part +// '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com" +// Example: 'uid=%login,ou=people,dc=example,dc=com' +$config['password_ldap_userDN_mask'] = 'uid=%login,ou=people,dc=example,dc=com'; + +// LDAP search DN +// The DN roundcube should bind with to find out user's DN +// based on his login. Note that you should comment out the default +// password_ldap_userDN_mask setting for this to take effect. +// Use this if you cannot specify a general template for user DN with +// password_ldap_userDN_mask. You need to perform a search based on +// users login to find his DN instead. A common reason might be that +// your users are placed under different ou's like engineering or +// sales which cannot be derived from their login only. +$config['password_ldap_searchDN'] = 'cn=roundcube,ou=services,dc=example,dc=com'; + +// LDAP search password +// If password_ldap_searchDN is set, the password to use for +// binding to search for user's DN. 
Note that you should comment out the default +// password_ldap_userDN_mask setting for this to take effect. +// Warning: Be sure to set appropriate permissions on this file so this password +// is only accessible to roundcube and don't forget to restrict roundcube's access to +// your directory as much as possible using ACLs. Should this password be compromised +// you want to minimize the damage. +$config['password_ldap_searchPW'] = 'secret'; + +// LDAP search base +// If password_ldap_searchDN is set, the base to search in using the filter below. +// Note that you should comment out the default password_ldap_userDN_mask setting +// for this to take effect. +$config['password_ldap_search_base'] = 'ou=people,dc=example,dc=com'; + +// LDAP search filter +// If password_ldap_searchDN is set, the filter to use when +// searching for user's DN. Note that you should comment out the default +// password_ldap_userDN_mask setting for this to take effect. +// '%login' will be replaced by the current roundcube user's login +// '%name' will be replaced by the current roundcube user's name part +// '%domain' will be replaced by the current roundcube user's domain part +// '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com" +// Example: '(uid=%login)' +// Example: '(&(objectClass=posixAccount)(uid=%login))' +$config['password_ldap_search_filter'] = '(uid=%login)'; + +// LDAP password hash type +// Standard LDAP encryption type which must be one of: crypt, +// ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, ad, cram-md5 (dovecot style) or clear. +// Set to 'default' if you want to use method specified in password_algorithm option above. +// Multiple password Values can be generated by concatenating encodings with a +. E.g. 'cram-md5+crypt' +// Default: 'crypt'. 
+$config['password_ldap_encodage'] = 'crypt'; + +// LDAP password attribute +// Name of the ldap's attribute used for storing user password +// Default: 'userPassword' +$config['password_ldap_pwattr'] = 'userPassword'; + +// LDAP password force replace +// Force LDAP replace in cases where ACL allows only replace not read +// See http://pear.php.net/package/Net_LDAP2/docs/latest/Net_LDAP2/Net_LDAP2_Entry.html#methodreplace +// Default: true +$config['password_ldap_force_replace'] = true; + +// LDAP Password Last Change Date +// Some places use an attribute to store the date of the last password change +// The date is measured in "days since epoch" (an integer value) +// Whenever the password is changed, the attribute will be updated if set (e.g. shadowLastChange) +$config['password_ldap_lchattr'] = ''; + +// LDAP Samba password attribute, e.g. sambaNTPassword +// Name of the LDAP's Samba attribute used for storing user password +$config['password_ldap_samba_pwattr'] = ''; + +// LDAP Samba Password Last Change Date attribute, e.g. 
sambaPwdLastSet +// Some places use an attribute to store the date of the last password change +// The date is measured in "seconds since epoch" (an integer value) +// Whenever the password is changed, the attribute will be updated if set +$config['password_ldap_samba_lchattr'] = ''; + +// LDAP PPolicy Driver options +// ----------------------------------- + +// LDAP Change password command - filename of the perl script +// Example: 'change_ldap_pass.pl' +$config['password_ldap_ppolicy_cmd'] = 'change_ldap_pass.pl'; + +// LDAP URI +// Example: 'ldap://ldap.example.com/ ldaps://ldap2.example.com:636/' +$config['password_ldap_ppolicy_uri'] = 'ldap://localhost/'; + +// LDAP base name (root directory) +// Example: 'dc=example,dc=com' +$config['password_ldap_ppolicy_basedn'] = 'dc=example,dc=com'; + +$config['password_ldap_ppolicy_searchDN'] = 'cn=someuser,dc=example,dc=com'; + +$config['password_ldap_ppolicy_searchPW'] = 'secret'; + +// LDAP search filter +// Example: '(uid=%login)' +// Example: '(&(objectClass=posixAccount)(uid=%login))' +$config['password_ldap_ppolicy_search_filter'] = '(uid=%login)'; + +// CA Certificate file if in URI is LDAPS connection +$config['password_ldap_ppolicy_cafile'] = '/etc/ssl/cacert.crt'; + + + +// DirectAdmin Driver options +// -------------------------- +// The host which changes the password +// Use 'ssl://host' instead of 'tcp://host' when running DirectAdmin over SSL. 
+// The host can contain the following macros that will be expanded as follows: +// %h is replaced with the imap host (from the session info) +// %d is replaced with the domain part of the username (if the username is an email) +$config['password_directadmin_host'] = 'tcp://localhost'; + +// TCP port used for DirectAdmin connections +$config['password_directadmin_port'] = 2222; + + +// vpopmaild Driver options +// ----------------------- +// The host which changes the password +$config['password_vpopmaild_host'] = 'localhost'; + +// TCP port used for vpopmaild connections +$config['password_vpopmaild_port'] = 89; + +// Timeout used for the connection to vpopmaild (in seconds) +$config['password_vpopmaild_timeout'] = 10; + + +// cPanel Driver options +// --------------------- +// The cPanel Host name +$config['password_cpanel_host'] = 'host.domain.com'; + +// The cPanel port to use +$config['password_cpanel_port'] = 2096; + + +// XIMSS (Communigate server) Driver options +// ----------------------------------------- +// Host name of the Communigate server +$config['password_ximss_host'] = 'mail.example.com'; + +// XIMSS port on Communigate server +$config['password_ximss_port'] = 11024; + + +// chpasswd Driver options +// --------------------- +// Command to use (see "Sudo setup" in README) +$config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpasswd 2> /dev/null'; + + +// XMail Driver options +// --------------------- +$config['xmail_host'] = 'localhost'; +$config['xmail_user'] = 'YourXmailControlUser'; +$config['xmail_pass'] = 'YourXmailControlPass'; +$config['xmail_port'] = 6017; + + +// hMail Driver options +// ----------------------- +// Remote hMailServer configuration +// true: HMailserver is on a remote box (php.ini: com.allow_dcom = true) +// false: Hmailserver is on same box as PHP +$config['hmailserver_remote_dcom'] = false; +// Windows credentials +$config['hmailserver_server'] = [ + 'Server' => 'localhost', // hostname or ip address + 'Username' => 
'administrator', // windows username
+ 'Password' => 'password' // windows user password
+];
+
+// pw_usermod Driver options
+// --------------------------
+// Use comma delimited exlist to disable password change for users.
+// See "Sudo setup" in README file.
+$config['password_pw_usermod_cmd'] = 'sudo /usr/sbin/pw usermod -h 0 -n';
+
+
+// DBMail Driver options
+// -------------------
+// Additional arguments for the dbmail-users call
+$config['password_dbmail_args'] = '-p sha512';
+
+
+// Expect Driver options
+// ---------------------
+// Location of expect binary
+$config['password_expect_bin'] = '/usr/bin/expect';
+
+// Location of expect script (see helpers/passwd-expect)
+$config['password_expect_script'] = '';
+
+// Arguments for the expect script. See the helpers/passwd-expect file for details.
+// This is probably a good starting default:
+// -telnet -host localhost -output /tmp/passwd.log -log /tmp/passwd.log
+$config['password_expect_params'] = '';
+
+
+// smb Driver options
+// ---------------------
+// Samba host (default: localhost)
+// Supported replacement variables:
+// %n - hostname ($_SERVER['SERVER_NAME'])
+// %t - hostname without the first part
+// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+$config['password_smb_host'] = 'localhost';
+// Location of smbpasswd binary (default: /usr/bin/smbpasswd)
+$config['password_smb_cmd'] = '/usr/bin/smbpasswd';
+
+// gearman driver options
+// ---------------------
+// Gearman host (default: localhost)
+$config['password_gearman_host'] = 'localhost';
+
+
+// Plesk/PPA Driver options
+// --------------------
+// You need to allow RCP for IP of roundcube-server in Plesk/PPA Panel
+
+// Plesk RCP Host
+$config['password_plesk_host'] = '10.0.0.5';
+
+// Plesk RPC Username
+$config['password_plesk_user'] = 'admin';
+
+// Plesk RPC Password
+$config['password_plesk_pass'] = 'password';
+
+// Plesk RPC Port
+$config['password_plesk_rpc_port'] = '8443';
+
+// Plesk RPC Path
+$config['password_plesk_rpc_path'] = 'enterprise/control/agent.php';
+
+
+// kpasswd Driver options
+// ---------------------
+// Command to use
+$config['password_kpasswd_cmd'] = '/usr/bin/kpasswd';
+
+
+// Modoboa Driver options
+// ---------------------
+// put token number from Modoboa server
+$config['password_modoboa_api_token'] = '';
+
+
+// Mail-in-a-Box Driver options
+// ----------------------------
+// the url to the control panel of Mail-in-a-Box, e.g. https://box.example.com/admin/
+$config['password_miab_url'] = '';
+// name (email) of the admin user used to access api
+$config['password_miab_user'] = '';
+// password of the admin user used to access api
+$config['password_miab_pass'] = '';
+
+
+// TinyCP
+// --------------
+// TinyCP host, port, user and pass.
+$config['password_tinycp_host'] = '';
+$config['password_tinycp_port'] = '';
+$config['password_tinycp_user'] = '';
+$config['password_tinycp_pass'] = '';
+
+// HTTP-API Driver options
+// ---------------------
+
+// Base URL of password change API. HTTPS recommended.
+$config['password_httpapi_url'] = 'https://passwordserver.example.org';
+
+// Method (also affects how vars are sent). Default: POST.
+// GET is not recommended as passwords will appears in the remote webserver's access log
+$config['password_httpapi_method'] = 'POST';
+
+// GET or POST variable in which to put the username
+$config['password_httpapi_var_user'] = 'user';
+
+// GET or POST variable in which to put the current password
+$config['password_httpapi_var_curpass'] = 'curpass';
+
+// GET or POST variable in which to put the new password
+$config['password_httpapi_var_newpass'] = 'newpass';
+
+// HTTP codes other than 2xx are assumed to mean the password changed failed.
+// Optionally, if set, this variable additionally checks the body of the 2xx response to
+// confirm the change. It's a preg_match regular expression.
+$config['password_httpapi_expect'] = '/^ok$/i';
+
+
+// dovecot_passwdfile
+// ------------------
+$config['password_dovecot_passwdfile_path'] = '/etc/mail/imap.passwd';
+
+
+// Mailcow driver options
+// ----------------------
+$config['password_mailcow_api_host'] = 'localhost';
+$config['password_mailcow_api_token'] = '';
+