Looking for a webmailer, roundcubemail is functionally a pretty choice, but from the view of security one of the greatest disasters I've seen in the recent past. I do not know where the gaps came from, the native distro or the pkg adaptation for ispconfig. Reasons may be inconsistent/strange file type usage and the intermixing of some object orientation with non-object-oriented programming styles. Anyway, some actions are urgently suggested to plug the leaks.

With good reason, the ispconfig webserver itself does not allow .htaccess overrides. With good reason also, roundcubemail runs with and in the context of the ispconfig server. But roundcubemail uses .htaccess files to have some protection. That should be supported (only for) the roundcube path.

First, insert into file /root/ispconfig/httpd/conf/httpd.conf at about line # 1197:

Code:
<Directory /home/admispconfig/ispconfig/web/roundcubemail>
    AllowOverride All
</Directory>

Next, modify the .htaccess file in the roundcube path at line # 28:

Code:
<FilesMatch "(\.db|\.dist|\.inc|magic|msgimport|\~)$">
    Order allow,deny
    Deny from all
</FilesMatch>
Order deny,allow
Allow from all

...and... an .htaccess file with this content:

Code:
Order allow,deny
Deny from all

should also be placed in the ispconfig roundcubemail path:

./logs/.htaccess
./SQL/.htaccess

...and... the ./config/*.dist files I have renamed to *.dist.nop, otherwise these files are offered for download.

When finished, the ispconfig server requires a restart.

I don't know if all security issues have now been paid attention to, but with a first test the roundcube world with ispconfig looks a bit better, while the functionality is just bright.
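A way to verify the steps in the post above on disk, as an added example that is not part of the original post: it checks a roundcubemail tree for the `<FilesMatch>` block, the deny-all `.htaccess` files in `logs` and `SQL`, and leftover `config/*.dist` files. The function names and the sample tree are constructed for illustration; only the pattern and directory names come from the post.

```python
import re
import tempfile
from pathlib import Path

# Pattern copied from the post's <FilesMatch> block; Apache applies it to file names.
FILESMATCH = re.compile(r"(\.db|\.dist|\.inc|magic|msgimport|\~)$")
DENY_DIRS = ("logs", "SQL")  # directories the post protects with a deny-all .htaccess

def directives(htaccess):
    """Lower-cased, whitespace-normalised lines of an .htaccess file, comments skipped."""
    if not htaccess.is_file():
        return []
    lines = (" ".join(raw.split()).lower() for raw in htaccess.read_text().splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def audit(root):
    """Return findings for a roundcubemail tree; an empty list means each step is in place."""
    findings = []
    has_fm = any(d.startswith("<filesmatch") for d in directives(root / ".htaccess"))
    if not has_fm:
        findings.append(".htaccess: no <FilesMatch> block")
    for name in DENY_DIRS:
        if "deny from all" in directives(root / name / ".htaccess"):
            continue
        # Without the per-directory rule, only names the pattern matches stay blocked.
        exposed = sorted(p.name for p in (root / name).glob("*")
                         if p.is_file() and not (has_fm and FILESMATCH.search(p.name)))
        findings.append(f"{name}/.htaccess: no 'Deny from all'; unprotected: {exposed}")
    for path in sorted((root / "config").glob("*.dist")):
        findings.append(f"config/{path.name}: not renamed")
    return findings

def sample_tree(root):
    """Constructed sample: SQL/ is protected, logs/ is not, one .dist file is left over."""
    for d in ("logs", "SQL", "config"):
        (root / d).mkdir(parents=True)
    (root / ".htaccess").write_text('<FilesMatch "(\\.db|\\.dist|\\.inc|magic|msgimport|\\~)$">\n'
                                    "Order allow,deny\nDeny from all\n</FilesMatch>\n")
    (root / "SQL" / ".htaccess").write_text("Order allow,deny\nDeny from all\n")
    for rel in ("logs/errors", "logs/sessions.db", "SQL/mysql.initial.sql",
                "config/main.inc.php.dist", "config/db.inc.php.dist.nop"):
        (root / rel).write_text("constructed sample\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit(sample_tree(Path(tmp))):
            print("FINDING:", finding)
```

To audit a real installation, call `audit(Path("/home/admispconfig/ispconfig/web/roundcubemail"))`, the path from the `<Directory>` block in the post.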