sendmail log accessible without logging in, have I made a mistake?

_Toby_ · January 12, 2016, 05:26:35 PM

Hi!

I got a problem with my setup. http://myserver.xxx/roundcube/logs/sendmail is readable from anywhere.
The folder is not browsable but the log is accesible if I type it in like above.

Is there any way to prevent this? I'm concerned that all contacts I have sent mail to can get there email addresses on various spam lists.

I'm using roundcube 1.1.4 on a ubuntu trusty server with apache.

Thanks in advance.

Regards,
Toby

SKaero · January 12, 2016, 07:17:24 PM

The best thing to do is to change the document root to the public_html folder, that way none of the system files are accessible.

JohnDoh · January 13, 2016, 03:04:01 AM

Just for completeness... Roundcube ships with a .htaccess file which blocks direct access through the webserver to the config, temp and logs folders. See https://github.com/roundcube/roundcubemail/blob/master/INSTALL#L158 for more info. There are other things too like PHP limits set in the .htaccess file so you might also want to check why that file is not being used by Apache.

_Toby_ · January 13, 2016, 10:56:35 AM

Thanks to both of you.

I had to enable the module rewrite in Apache as well as setting the AllowOverride All in the global config.

Now it works and it's not possible to access the file.

sendmail log accessible without logging in, have I made a mistake?

_Toby_

SKaero

JohnDoh

_Toby_