Disable Roundcube identities

Richard G

I just discovered that Roundcube had an option to change identities.
This way a user could create another identity and send mail from anybody, for example [email protected] could be faked.

OK, this could later be seen in the headers, but still.... users/customers should not have the option to send fake emails.
Roundcube has this strangely enough enabled by default.

There is an option to disable this.

From Roundcube's main.inc.php:
Just update latest SVN release. There are 4 options to handle identities:

// Set identities access level:
// 0 - many identities with possibility to edit all params
// 1 - many identities with possibility to edit all params but not email address
// 2 - one identity with possibility to edit all params
// 3 - one identity with possibility to edit all params but not email address

You could select option 3 and this nonsense is disabled. So I did.

However, what happens when there is an upgrade of roundcube via Custombuild? Will this main.inc.php be overwritten or not?
If yes, how can I fix it that it will stay disabled also after an upgrade?
 
You can do that with any mail program that exists.
 
I can't remember that this could be easily done with webmail, but you could be right.

However, this does not answer my question. :)
 
I just discovered that Roundcube had an option to change identities.
This way a user could create another identity and send mail from anybody, for example [email protected] could be faked.
That's not his real address :). I found out the hard way. It was over ten years ago and we were a Microsoft partner. I demonstrated to someone how anyone could fake an email address by sending him an email from Bill Gates. I forgot to change it back. The next email I sent was to my contact at Microsoft. She was confused at getting an email from Bill Gates, and when she wrote him back for clarification, her email bounced. After I discovered my mistake and called her, all was forgiven :).
OK, this could later be seen in the headers, but still.... users/customers should not have the option to send fake emails.
They already do, see scsi's post, #2 in this thread.
Roundcube has this strangely enough enabled by default.
As do others.
There is an option to disable this.
Feel free to disable it (I believe it's been discussed on this forum previously, but in general terms, not specifically about RoundCube) but do realize that some of us have good reason to send email from other usernames. (I do, and no, I no longer impersonate Bill Gates, even accidentally; I do because I use one incoming mailbox for all my mail so I can read it with one RoundCube account while travelling, but I still answer support email with a different return address than I use, for example, for personal correspondence.)
However, what happens when there is an upgrade of roundcube via Custombuild? Will this main.inc.php be overwritten or not?
If scsi is correct you can fix it in a custom folder in CustomBuild; please let us know if he's right because I need to do something similar to enable sieve filtering in RoundCube. But if not, then no, there's no other way to do it, because when RoundCube is updated an entirely new subdirectory is created; the old files are still there but aren't used.

Jeff
 
Hi Jeff.

Interesting story about Bill... I also thought this would be his real address. :)
But it's always nice to hear anecdotes about things that people experienced in the past.

I realise that people always had this possibility in for example email clients. But it just looked easier to me this way.

realize that some of us have good reason to send email from other usernames
Of course, I don't mind changing the username in mails, there could indeed be good reasons (like company email address and more users making use of it).

But in that case option 1 or 3 would also be sufficient, wouldn't it? Because if you need to send from another email address, you create another email address. So I don't see a good reason to send email using another email address in the identity.

If scsi is correct you can fix it in a custom folder in CustomBuild; please let us know if he's right because I need to do something similar to enable sieve filtering in RoundCube.
It does seem to work.

I just deleted the complete roundcube out of /var/www/html and then did "build roundcube" from within custombuild
This is the result
Editing roundcube configuration...
Installing custom RoundCube Config: /usr/local/directadmin/custombuild/custom/roundcube/main.inc.php
Roundcube 0.8.1 has been installed successfully.
PHP Warning: system() has been disabled for security reasons in /var/www/html/roundcubemail-0.8.1/bin/update.sh on line 176
This instance of Roundcube is up-to-date.
Have fun!

So it looks like it works as it should.
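The setting discussed in this thread, as an added example that is not part of any post above: a small shell helper that pins `identities_level` in a copy of main.inc.php and reads the value back. The function names and the sample file are constructed for illustration; the `$rcmail_config['identities_level']` key is the Roundcube 0.8-era setting that the quoted comment block documents.

```shell
#!/bin/sh
# Matches an active (uncommented) assignment; '.' stands in for either quote style.
KEY_RE='^[[:space:]]*\$rcmail_config\[.identities_level.\]'

# Print the identities_level currently set in FILE (empty if none is active).
get_identities_level() {
    sed -nE "s/${KEY_RE}[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*;.*/\1/p" "$1" | tail -n 1
}

# Rewrite the existing assignment in FILE to LEVEL (0-3).
# Returns 2 for an invalid level and 1 if FILE has no active assignment;
# nothing is appended, so the file is never written past a closing "?>".
pin_identities_level() {
    file=$1; level=$2
    case $level in [0-3]) ;; *) echo "level must be 0-3" >&2; return 2 ;; esac
    grep -Eq "$KEY_RE" "$file" || { echo "no identities_level in $file" >&2; return 1; }
    sed -E "s/(${KEY_RE}[[:space:]]*=)[^;]*;/\1 ${level};/" "$file" > "$file.new" &&
        cat "$file.new" > "$file" && rm -f "$file.new"
}

# Constructed sample standing in for a copy of main.inc.php.
demo_dir=$(mktemp -d)
cat > "$demo_dir/main.inc.php" <<'EOF'
<?php
// Set identities access level:
// 3 - one identity with possibility to edit all params but not email address
$rcmail_config['identities_level'] = 0;
EOF
pin_identities_level "$demo_dir/main.inc.php" 3
echo "identities_level is now $(get_identities_level "$demo_dir/main.inc.php")"
```

Pointed at the custom copy named in the build output above (/usr/local/directadmin/custombuild/custom/roundcube/main.inc.php), the value is the one CustomBuild reinstalls on the next "build roundcube". The setting only restricts what the webmail interface lets a user edit; as noted earlier in the thread, other mail programs can still set any From address.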
 
Interesting story about Bill... I also thought this would be his real address. :)
Consider how much junk he'd get. If I were him I'd be using something non-identifying and have all replies go to a secretary. For all non-Microsoft-based email I wouldn't even use the Microsoft name.
Of course, I don't mind changing the username in mails, there could indeed be good reasons (like company email address and more users making use of it).

But in that case option 1 or 3 would also be sufficient, wouldn't it? Because if you need to send from another email address, you create another email address. So I don't see a good reason to send email using another email address in the identity.
Except that I'd want to respond from the same webmail login and be able to see everything in the same login, even while travelling. So for me it remains important. I'm sure for others as well; I'm not the only person in the world who writes from multiple email addresses. For example, I create a separate email forwarder for EVERY company who contacts me, so I can sort emails, and see who spams me or sells my address to spammers. When I write them back, I write them from that address. Easy enough on a desktop; my desktop client automatically chooses the same from address as the to address in the email to which I'm responding. Not as easy in webmail; I need to click to change the outgoing email address. That's just me. Or do others do something similar?
It does seem to work.
Good to know. I'll try it for setting up sieve so I don't have to do it each time.

Jeff
 
Consider how much junk he'd get.
Hahahaha, yeah you're quite correct there. :)

I understand how you do your webmail. I would do it about the same, but just log in for the other email addresses. I've got 3 for my company.

Good to know. I'll try it for setting up sieve so I don't have to do it each time.
Should be no problem. Please let us know if it worked OK for you.
 
It was over ten years ago and we were a Microsoft partner. I demonstrated to someone how anyone could fake an email address by sending him an email from Bill Gates.

That is what Email Certificates exist for nowadays... by the way, some of them are available for free.
 