I was using hayaici's code and discovered that I couldn't add contacts to the address book anymore, because then Roundcube submits a form without a query string, triggering the first rule and redirecting the user to a secure login page. So I added the condition that the method should be 'GET' and not 'POST', and now it works fine.
Also I discovered that most images were being loaded using https, so I added another RewriteCond to prevent URLs with a file extension from being parsed.
Thanks to all for this solution, it works perfectly without messing around in the webmail source code. I hope that in RoundCube 1.0 it will just be a config option to use SSL for logins, as it is in other systems like Moodle.
RewriteEngine On

# Plain-HTTP GET requests without a file extension, with an empty query
# string or a logout action, are redirected to HTTPS.
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_FILENAME} !\..+$
RewriteCond %{QUERY_STRING} ^$ [OR]
RewriteCond %{QUERY_STRING} ^(.*action=logout)$
RewriteRule ^(.*) https://www.example.com/roundcube/$1 [R=301,L]

# HTTPS requests with any other non-empty query string are redirected
# back to HTTP.
RewriteCond %{HTTPS} =on
RewriteCond %{QUERY_STRING} !^(.*action=logout)$
RewriteCond %{QUERY_STRING} .
RewriteRule ^(.*)$ http://www.example.com/roundcube/$1 [R=301,QSA,L]
PS: You have to remove the trailing slash from the RewriteRule URIs when you're on Apache 1.3 to prevent double slashes.
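The two rules above traced over sample requests, as an added example that is not part of the original post: a small Python model of the rule set that shows which requests are sent to HTTPS, which are sent back to HTTP, and which are left alone. The `Request` type, the use of the relative path as a stand-in for `%{REQUEST_FILENAME}`, and the sample query strings (`_task=mail`, `_action=logout`) are assumptions made for the illustration.

```python
import re
from typing import NamedTuple, Optional

class Request(NamedTuple):
    https: bool   # True when %{HTTPS} is "on"
    method: str   # %{REQUEST_METHOD}
    path: str     # path below /roundcube/; stands in for %{REQUEST_FILENAME}
    query: str    # %{QUERY_STRING}, without the leading "?"

BASE = "www.example.com/roundcube/"
LOGOUT = re.compile(r"^(.*action=logout)$")
HAS_EXT = re.compile(r"\..+$")

def _target(scheme: str, req: Request) -> str:
    # Neither substitution carries a query string, so mod_rewrite passes the
    # original one through (QSA on the second rule gives the same result).
    return f"{scheme}://{BASE}{req.path}" + (f"?{req.query}" if req.query else "")

def redirect_for(req: Request) -> Optional[str]:
    """Return the 301 target the rule set produces, or None if no rule fires."""
    # Rule 1: HTTP + GET + no extension + (empty query OR logout) -> HTTPS
    if (not req.https and req.method == "GET"
            and not HAS_EXT.search(req.path)
            and (req.query == "" or LOGOUT.search(req.query))):
        return _target("https", req)
    # Rule 2: HTTPS + non-empty query that is not logout -> back to HTTP
    if req.https and req.query and not LOGOUT.search(req.query):
        return _target("http", req)
    return None

# Constructed sample requests (not captured traffic).
SAMPLES = [
    Request(False, "GET", "", ""),                 # login page
    Request(False, "POST", "", ""),                # address book form
    Request(False, "GET", "skins/logo.png", ""),   # static file
    Request(True, "POST", "", ""),                 # login submit
    Request(True, "GET", "", "_task=mail"),        # mailbox after login
    Request(True, "GET", "", "_action=logout"),    # logout
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r, "->", redirect_for(r))
```

The trace shows that only the login page, the login submit and the logout stay on HTTPS; every other request with a query string, including the mailbox view after login, ends up on plain HTTP.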