Yes, this is absolutely possible, doesn't change regardless of whether you're using a web-mail client or a conventional email client, and cannot be worked around at all.
Once the email is sent to the server, you literally lose all control of it. The server admin can have the system do whatever they want with it, including silently dropping it or completely rewriting the destination addresses.
This is one of the single biggest issues with using email for any type of data that is supposed to be kept secure, you have zero control over the transit path between your email client and the recipient's email client. This is compounded by the fact that there may be multiple email servers between your outgoing server and the recipient's incoming mail server, which means more places the email could be intercepted or modified.
3Yes, it's possible for an admin to do something at the server level when you send external emails, that's totally possible depending on whatever email server you are using depends on the methods available though. No, I don't think encrypted TLS email is going to help here as the TLS security is usually email server to email server communication and not from the email client (e.g. Outlook, Thunderbird, etc.) to the internal email server. I think Roundcube is not the email server and just a web interface/client to interface with the email server for sending and receiving. – Pimp Juice IT – 2019-09-27T17:50:42.467
@PimpJuiceIT Seriously? Does it mean that when I am using, for example, Thunderbird with Gmail SMTP server with TLS my message goes to the Gmail server unencrypted and only then the SMTP server encrypts it? I thought that the TLS handshake process involves the client and the end server, so that nobody in the middle can decode the message. – Vic – 2019-09-28T07:33:22.527
1@Vic PimpJuiceIT is only partly correct (but his conclusion is correct) Email from a mail client to a mail server sent over SMTP may be encrypted using TLS or StartTLS - but it is a different path to regular SMTP. Regardless, the SMTP server you are sending through can bcc email you sent if so configured. – davidgo – 2019-09-28T08:36:13.607
1Postfix (an extremely common mail server that I'm familiar with) has a config option for bcc'ing all email (always_bcc). Newer versions of Postfix have additional mechanisms to allow per sender BCC'ing almost out the box. Other mail servers will be similar. – davidgo – 2019-09-28T08:42:49.403
Roundcube is not a mail server, its a Webmail client written in PHP. Probably pointless, but it would be fairly easy to modify to BCC all emails you send, or do Amy other manipulation - PHP is an easy to use interpreted language - I could make the required changes with no more then a text editor like notepad! – davidgo – 2019-09-28T08:45:48.670