Roundcube is a client software to access IMAP mailboxes. If you already came to this post, then I’m sure you’ve figured out that RoundCube does not restrict domains in the login form, which means that as long as your username and password are OK, you can basically use any domain you like in your username field. Exc:, etc.

This is not something that Roundcube deals with, because it should be taken care of on your IMAP server configuration, and if the IMAP server does not check for your full username (domain included), and allows access with any other domain, you get access :). However, even if it’s taken care of on your IMAP server, handling this in RoundCube will prevent an unnecessary request to your IMAP server.

One of the configuration options in Roundcube helps you append the domain to a clean username login.
Exc: if in your username field you type only the username “username” without the “” then roundcube can help  you by appending the “”. This is helpful only for IMAP servers that require full e-mail addresses for login. You can specify this by editing $rcmail_config[‘username_domain’] variable in config/

By default that variable is blank as below:

$config['username_domain'] = '';

Above that variable, you’ll find a short description on what options can be set to this variable, one of which you might assume it is:

%d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)

But in cases when your roundcube installation is in a different host/domain server than your original domain that is needed to authenticate in your IMAP server, that will not help, therefore use your domain as follows:

$config['username_domain'] = '';

Now if you type “username” (without the domain) in the username field, roundcube will append “” and the request to your IMAP server will have your username sent as “”, otherwise if you already specify the domain in your username field, it will make the login request with the specified domain which in this case can be anything (, etc).

But, if you look a bit further down that config variable line you’ll find (implemented since version 1.0.0):

$config['username_domain_forced'] = false;

If you change it to true, what it will do is replace any domain after your “username” to “”. So if you type “” it will replace it to “”. Well in this case I wouldn’t personally prefer this therefore I left the config variable to false and instead came up with the following solution.

Assuming you have configured your IMAP server to handle full username (with domain) authentication, or not. Here’s one way you can prevent that in RounCube side.

In  program/include/rcmail.php file we want to find login() function and just above it add the function below:

function checkDomain($username)
    if (!filter_var($username, FILTER_VALIDATE_EMAIL)) {
        return false;

    $username_domain = $this->config->get('username_domain');

    $domain = explode('@', $username);

    return $domain[1] === $username_domain;

Now inside login() funcion find the lines where it needs to add/force domain to username:

It should look something like:

if (!empty($username_domain)) {
	$domain = is_array($username_domain) ? $username_domain[$host] : $username_domain;

	if ($domain = rcube_utils::parse_host((string)$domain, $host)) {
	    $pos = strpos($username, '@');

	    // force configured domains
	    if ($pos !== false && $this->config->get('username_domain_forced')) {
	        $username = substr($username, 0, $pos) . '@' . $domain;
	    // just add domain if not specified
	    else if ($pos === false) {
	        $username .= '@' . $domain;

Below this if statement block, use the checkDomain() function we created earlier:

if(!$this->checkDomain($username)) {
    return false;

Now try to login with another domain and the request will not reach the IMAP server but return false right away.

That’s all, I hope it helped! 🙂


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s