I found that the it only take secondary level domain name and not include first level domain
For example example.com All created username will be peter.example, mary.example instead of peter.example.com, mary.example.com
It may cause some 3rd party application authentication like the change password plugin of roundcue
I studied the virtualmin driver of change password plugin of roundcue
exec("$curdir/chgvirtualminpasswd modify-user --domain $domain --user $username --pass $newpass", $output, $returnvalue);
Here is a code to call a binary chgvirtualminpasswd and this binary call the /usr/sbin/virtualmin to change password.
The problem is --domain $domain , since format of username is username.domain, example will be passed to --domain instead of example.com
and that's why change password always failed
The problem lays somwhere else. If you run the command from shell, it changes your password. Just because you run it as root.
If you run it from php or as web user from shell, you get permission denied. It's not because the chgvirtualminpasswd has permissions problem. It's because it calls /usr/sbin/virtualmin and if you cat this file, you will find this line: "/usr/sbin/virtualmin must be run as root"
So it's impossible to call the password change as user! You have to run chgvirtualminpasswd as root or "sudo" in it to run virtualmin. And this is fail at all.