I was able to track the problem back to this:
    else if ($_SESSION['temp'] && !empty($_POST['_user']) && isset($_POST['_pass']) &&
             rcmail_login(get_input_value('_user', RCUBE_INPUT_POST),
                          get_input_value('_pass', RCUBE_INPUT_POST, true, 'ISO-8859-1'), $host))
    {
The get_input_value is actually not getting the input for the password. It looks like it's a charset conversion issue. If I set the charset to a blank string, it works.
Now, is there a good reason for doing this charset conversion? More to the point, is there any security concern with regard to evading it?