Hello and welcome to our forum
There are some plugins around for Roundcube, but I'm not sure if they could work properly. Imho the main problem is that normally RC does not have knowledge of users' passwords. RC takes the password as given by the user and tries an IMAP login on the server. Depending on the answer from the server the login is considered valid or not. So these are local users in that case, which means their passwords are handled via /etc/password and /etc/shadow.
The problem: local (non-root) users can only change their own password via the password command. But as the RC process is running as the webserver user (mostly nobody with DS), the process could only change its own password. That's why normally users can only change their pw via the DSM, as the DSM process is running as root, so it can change the password of every local user.
It depends on the authentication backend. As long as password and shadow are used you need to invoke a process running as root to be able to change passwords. I'm not sure what backend a solution like zarafa uses. Maybe it's a database backend, in that case it could be possible to change passwords in context of the webserver-user (without root rights).
A (imho very dirty) solution could be to set the synuser command setuid, change the group of the command to nobody and remove ANY right for others from the command. Then it should be possible to invoke synuser as root even if the calling user is non-root (in this case nobody). But again a very very dirty solution!!
By far the cleanest thing would be to separate mailusers from the local users. This can be achieved by virtual users for postfix (smtp) and dovecot (pop3/imap), but means quite a lot of work on the command line. The advantage is that mailusers are completely separated from local users; the disadvantage is that if you add a user in DSM, she/he is not automatically available as a virtual user for mail.
cheers
tobi
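
An added example, not part of the post above: a shell check that classifies a binary's mode, owner and group, to show what the setuid arrangement described in the post leaves exposed. The function names, the group argument and the sample values are assumptions made for illustration; `stat -c` is the GNU/BusyBox form.

```shell
#!/bin/sh
# Added example: classify a file's setuid exposure from its octal mode,
# owner and group. Names and result strings are hypothetical.

classify_setuid() {
    mode=$1 owner=$2 group=$3 want_group=$4
    # Pad to four octal digits: special bits, user, group, other.
    while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done
    special=${mode%???}     # first digit (setuid = 4)
    other=${mode#???}       # last digit (rights for "others")

    case $special in
        4|5|6|7) ;;                          # setuid bit is set
        *) echo "not-setuid"; return 0 ;;
    esac
    if [ "$owner" != "root" ]; then
        echo "setuid-non-root"; return 0     # runs as $owner, not as root
    fi
    if [ "$other" != "0" ]; then
        echo "setuid-root-open-to-others"; return 0
    fi
    if [ "$group" != "$want_group" ]; then
        echo "setuid-root-unexpected-group"; return 0
    fi
    # Matches the arrangement in the post. Note what it still means:
    # every process running in $want_group executes this file as root.
    echo "setuid-root-restricted"
}

# Read mode, owner and group from a real file and classify it.
audit_file() {
    path=$1 want_group=$2
    set -- $(stat -c '%a %U %G' "$path") || return 1
    classify_setuid "$1" "$2" "$3" "$want_group"
}

# Stand-alone use: sh audit.sh /path/to/binary [group]
if [ "$#" -gt 0 ]; then
    audit_file "$1" "${2:-nobody}"
fi
```

Even the best result here, `setuid-root-restricted`, only confirms that the root-level command is limited to one group; any code running as that group, including anything executed through the webserver, can still invoke it.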