Why are Roundcube webmail identities disabled?


The Identities feature in Roundcube webmail lets you create multiple sender profiles within a single email account. Each identity can have its own display name, email address (even an address outside your own domain), and signature, which makes it useful for people who manage multiple roles or email aliases. However, due to the high potential for misuse, we have disabled the Identities feature to enhance security for our customers.

How can Identities be misused?
Hackers often exploit the Identities feature to create fake sender profiles within compromised accounts. This allows them to send emails that appear to come from trusted sources, deceiving recipients into sharing sensitive information or diverting payments to unauthorized bank accounts. In some cases, hackers modify the “Reply-To” address, so when the recipient replies, their response is redirected to the hacker instead of the legitimate sender. This tactic can lead to a direct line of communication between the hacker and the recipient, who may believe they are corresponding with a trusted contact.

Here is a screenshot of a suspicious identity that a hacker created by altering the “Reply-To” address.
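
One way to review existing identities for the sender-address and “Reply-To” changes described above. This is an added example, not part of the original article or of our own tooling; the record layout (account login, identity email, Reply-To), the sample rows and the function names are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample rows: (account login, identity email, identity Reply-To).
SAMPLE_IDENTITIES = [
    ("alice@example.com", "alice@example.com", ""),
    ("alice@example.com", "sales@example.com", "sales@example.com"),
    ("bob@example.com", "bob@example.com", "bob@examp1e-billing.test"),
    ("carol@example.com", "ceo@partner.test", ""),
    ("dave@example.com", "Dave <dave@EXAMPLE.com>", "not-an-address"),
]

def domain_of(address):
    """Return the lower-cased domain of an address, or None if it has none."""
    _, addr = parseaddr(address or "")
    local, sep, domain = addr.rpartition("@")
    if not (local and sep and domain):
        return None
    return domain.lower().rstrip(".")

def audit_identity(account, email, reply_to, allowed_domains=()):
    """Return findings for one identity; an empty list means nothing to review."""
    home = domain_of(account)
    trusted = {home} | {d.lower() for d in allowed_domains}
    findings = []
    for field, value in (("email", email), ("reply-to", reply_to)):
        if not (value or "").strip():
            continue  # an unset Reply-To is the normal case
        dom = domain_of(value)
        if dom is None:
            findings.append(f"{field}: unparseable value {value!r}")
        elif dom not in trusted:
            findings.append(f"{field}: {dom} is outside account domain {home}")
    return findings

def audit(rows, allowed_domains=()):
    """Map row index -> findings for every identity that needs a manual look."""
    report = {}
    for index, row in enumerate(rows):
        findings = audit_identity(*row, allowed_domains=allowed_domains)
        if findings:
            report[index] = findings
    return report

if __name__ == "__main__":
    for index, findings in audit(SAMPLE_IDENTITIES).items():
        print(SAMPLE_IDENTITIES[index][0], "->", "; ".join(findings))
```

Domains that an account legitimately sends for can be passed in allowed_domains so that approved aliases are not flagged.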

Our Security Approach!
To protect our clients from these risks, we have disabled the Identities feature by default. This prevents unauthorized profiles from being created within your account, reducing the risk of phishing attacks that rely on impersonation.

Do you still need Roundcube Identities?
If you have a legitimate reason to use multiple email identities, please reach out to our support team. We may request the datacenter to enable the feature temporarily and guide you on secure usage practices. Once you have created the necessary identities, we will arrange to disable the feature again to prevent the creation of any further identities.

NOTE:
The ability to disable the Identities feature is limited to corporate server environments. Unfortunately, this configuration option is not supported on basic servers, as they lack the customization capabilities required to implement this restriction. If you require enhanced security controls, such as disabling Identities, we recommend considering an upgrade to a corporate server plan, where this and other advanced security features can be accommodated.