Looking for a webmailer, roundcubemail is functionally a pretty choice, but from the view of security one of the greatest disasters I've seen in the near past. I do not know where the gaps came from, the native distro or the pkg adaptation for ispconfig. Reasons may be inconsistent/strange file type usage and the intermix of some object orientation with non-object-oriented programming styles.
Anyway, some actions are urgently suggested to plug the leaks.
With good reasons, the ispconfig webserver itself does not allow .htaccess overrides. With good reasons also, roundcubemail runs with and in the context of the ispconfig server. But roundcubemail uses .htaccess files to have some protection.
That should be supported (only for) the roundcube path by an insert into the file /root/ispconfig/httpd/conf/httpd.conf at about line # 1197 :
Modify the .htaccess file in the roundcube path, line # 28 :
Deny from all
Allow from all
A .htaccess file with this content :
Deny from all
should also be placed in the ispconfig roundcubemail path:
The ./config/*.dist files I have renamed to *.dist.nop, otherwise these files are offered for download.
When finished, the ispconfig server requires a restart.
I don't know if all security issues have now been paid attention to, but on a first test the roundcube world with ispconfig looks a bit better, while the functionalities are just bright.
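The following audit script is an added example, not part of the original post or of the ispconfig package. It checks a Roundcube tree for the two exposures described above: sample configs still named `*.dist`, and directories without a `.htaccess` that contains `Deny from all`. The function name, the finding labels, and the directory arguments are assumptions, since the post does not list the directories.

```shell
#!/bin/sh
# Added example: audit a Roundcube tree for the exposures the post describes.
# Usage: audit_roundcube ROUNDCUBE_DIR [SUBDIR ...]
#   ROUNDCUBE_DIR  path of the roundcubemail installation (caller-supplied)
#   SUBDIR ...     subdirectories that must not be served (caller-supplied)
# Prints one finding per line; returns 0 when clean, 1 when anything is found.

audit_roundcube() {
    rc_dir=$1
    shift
    findings=0

    # 1. Sample configs still named *.dist are offered for download.
    #    Files renamed to *.dist.nop no longer match this glob.
    for f in "$rc_dir"/config/*.dist; do
        [ -e "$f" ] || continue   # glob matched nothing
        echo "DOWNLOADABLE: $f"
        findings=$((findings + 1))
    done

    # 2. Each listed subdirectory needs a .htaccess with "Deny from all".
    for sub in "$@"; do
        ht="$rc_dir/$sub/.htaccess"
        if [ ! -f "$ht" ]; then
            echo "NO_HTACCESS: $rc_dir/$sub"
            findings=$((findings + 1))
        elif ! grep -qi '^[[:space:]]*deny[[:space:]]\{1,\}from[[:space:]]\{1,\}all' "$ht"; then
            echo "NO_DENY: $ht"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

A clean result only means the files are in place. They take effect only once .htaccess overrides are enabled for the roundcube path in httpd.conf and the server has been restarted.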