Should work then if you have roundcube 1.6.x and php8.2 which is also the bookworm package version.
Depends on your server spec / number of users if you use argon2 over bcrypt.
One approach might be to just migrate all users to BLF-CRYPT anyway, and then set the recommended dovecot member settings and selectively change a few users to ARGON2ID to see the impact. If you stored both hashes in the database, this would allow you to switch back.
If someone gained write access to the database somehow, they could possibly replace user's password hash with a new one, thereby allowing them to gain access to user accounts.
Two-factor authentication of course is the way to go with roundcube, but by default, there's nothing stopping access using the same credentials via IMAP/Submission without the 2FA, so roundcube 2FA isn't effective by itself if users also have access to IMAP/Submission.
I improved things a bit by using roundcube plugins:-
mmvi/twofactor_webauthn - FIDO2/webauthn 2FA.
And: https://github.com/openSUSE/ap4rc
I modified it a bit to allow using the same username and added some features to it: https://github.com/listerr/ap4rc/tree/last-access
Ultimately the goal is to eliminate passwords using OAUTH2 etc but not quite there yet.
R.
On 2023-06-24 14:54, David Mehler wrote:
Hello,
Thanks. The other utility I would be using is the Roundcube webmail password plugin. Still trying to figure the best option.
More opinions? Thanks. Dave.
-- Robert Lister - email: robl@lentil.org - tel: 020 7043 7996