Author Topic: sendmail log accessible without logging in, have I made a mistake?  (Read 1318 times)

Offline _Toby_

Hi!

I got a problem with my setup. http://myserver.xxx/roundcube/logs/sendmail is readable from anywhere.
The folder is not browsable but the log is accessible if I type it in like above.

Is there any way to prevent this? I'm concerned that all contacts I have sent mail to can get their email addresses on various spam lists.

I'm using Roundcube 1.1.4 on an Ubuntu Trusty server with Apache.

Thanks in advance.

Regards,
Toby

Offline SKaero

Re: sendmail log accessible without logging in, have I made a mistake?
« Reply #1 on: January 12, 2016, 07:17:24 PM »
The best thing to do is to change the document root to the public_html folder, that way none of the system files are accessible.

Offline JohnDoh

Re: sendmail log accessible without logging in, have I made a mistake?
« Reply #2 on: January 13, 2016, 03:04:01 AM »
Just for completeness... Roundcube ships with a .htaccess file which blocks direct access through the webserver to the config, temp and logs folders. See https://github.com/roundcube/roundcubemail/blob/master/INSTALL#L158 for more info. There are other things too like PHP limits set in the .htaccess file so you might also want to check why that file is not being used by Apache.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…

Offline _Toby_

Re: sendmail log accessible without logging in, have I made a mistake?
« Reply #3 on: January 13, 2016, 10:56:35 AM »
Thanks to both of you.

I had to enable the module rewrite in Apache as well as setting the AllowOverride All in the global config.

Now it works and it's not possible to access the file.
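
The fix discussed in this thread, as an added example that is not part of the original posts or of Roundcube's own files: an Apache 2.4 configuration that lets Roundcube's shipped .htaccess take effect for the Roundcube directory only, plus a server-level deny for the config, temp and logs folders that does not depend on .htaccess. The install path /var/www/html/roundcube is an assumption.

```apache
# Added example. Assumed install path: /var/www/html/roundcube (adjust as needed).

# Before (the situation in the first post): overrides are disabled, so Apache
# never reads Roundcube's .htaccess and files under logs/ are served directly.
# <Directory /var/www/html/roundcube>
#     AllowOverride None
# </Directory>

# After: allow .htaccess overrides for the Roundcube directory only, rather
# than for the whole server. The rewrite module must also be enabled
# (on Ubuntu: a2enmod rewrite, then reload Apache).
<Directory /var/www/html/roundcube>
    AllowOverride All
    Require all granted
</Directory>

# Defence in depth: deny the sensitive folders in the server configuration
# itself, so they stay blocked even if .htaccess processing or mod_rewrite
# is switched off again later.
<DirectoryMatch "^/var/www/html/roundcube/(config|temp|logs)(/|$)">
    Require all denied
</DirectoryMatch>
```

After reloading Apache, a request for the log URL from the first post should return 403 Forbidden instead of the file contents.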