Ah right... Symbolic links shouldnt be an issue with ISPConfig 3, as they work fine on Centos 5.4.
Ah, the security issue can be resolved by chmod'ing the webmail dir to root, then the user who ftp's in shouldn't be able to see the files (unless its root or has root privileges?)
If the directory exists in what apache thinks is the document root for the request, then appending /webmail on the end should view its contents. Does apache have access to view the dir?