mynetworks = 127.0.0.0/8

in "main.cf" for postfix.

Can I remove "permit_mynetworks" from "smtpd_sender_restrictions" so the flag in the database gets actually used when sending from roundcube (127.0.0.1)?

...... AND (pwd_change_enforced = 0 OR (pwd_change_enforced=1 AND ('xx.xx.xx.xx' = '%r')))

`pwd_change_enforced` is required actually because I want certain users to change their password because they have very very weak passwords.  So, if I put `pwd_change_enforced` to 1 and enablesmtp to 0, they won't be able to use Outlook/Thunderbird to read mail, and nothing to send mail (roundcube included). They will have to login to roundcube, and when they do, they'll get redirected to the password change page, with a big warning that they must change password. After they do, `pwd_change_enforced` gets set back to 0 and enablesmtp to 1 and everything is ok again.

Obviously, this will only work with an MySQL-enabled server, not LDAP. But I guess something similar can be done with LDAP too.

If remote IP = local IP, then user is accessing mail using roundcube

Nice solution.
But it will fail if SA deployes Roundcube on another server.

And i think 'pwd_change_enforced' column is not required in this case.

Add another field to `mailbox` table, called `pwd_change_enforced` (or whatever). If set to 0 (default), everything ok. If set to 1, user cannot login remotely, can only use roundcube (which will immediately redirect him to password change page).

and then modify "user_query" in dovecot-mysql.conf to:

user_query = SELECT CONCAT(storagebasedirectory, '/', maildir) AS home, CONCAT('*:bytes=', quota*1048576) AS quota_rule FROM mailbox WHERE username='%u' AND active='1' AND enable%Ls='1' AND expired >= NOW() AND (pwd_change_enforced = 0 OR (pwd_change_enforced=1 AND ('%l' = '%r')))

%l expands into local address (127.0.0.1), %r expands to remote IP. If remote IP = local IP, then user is accessing mail using roundcube .
Tested and working exactly as expected.
Lemme see what I can do about postfix (smtp) now...

I will research into it, to see if I can make a mysql map for postfix, IP dependent. The problem, how I see it right now, is that Postfix doesn't send IP when checking check_recipient_access & co, only username.

I think you can hack roundcube, check user access privilege with MYSQL query before/after user authentication. such as:

SELECT username WHERE username='www@example.com' AND enablewebmail='1'

Also, simply disabling SMTP and POP3 (enablesmtp, enablepop3) would not be enough, he/she could still use IMAP.

Is there a quick way to this? Preferably using the MySQL tables, so I can write a PHP script to easy enable/disable?