Hi ! There's a bug(some kind of) in all RCWM versions. If you are using RCWM and MTA on the same machine then postfix(for example) isn't asking the saslauth daemon that the user is authenticated(because the process is running on the localhost) - it depends on the client restrictions. If the user changes the identity to another account located on the server then he can easily send messages using unauthorized e-mail address. For example foo@foobar.com is able to send e-mails via the foobar@foobar.com acoount without authentication To avoid the users to change the identity you could use my suggested patch.
You can find it at http://gorzow-wlkp.eu/~warlock/rcwm-0.1.1-identity-fix.patch Simply, go to the RCWM directory and type: patch -p0 < rcwm-0.1.1-identity-fix.patch BTW: SORRY for my lame eng.
List info: http://lists.roundcube.net/dev/