Author Topic: Securing Roundcube Installation  (Read 3603 times)

cap345
Securing Roundcube Installation
« on: January 04, 2018, 11:39:23 PM »
I am trying out Roundcube (using version 1.3.3 on Apache).  In my test installation, I have everything working, but there are a few permissions quirks I need help with.  Hopefully someone here has suggestions.

First, RC works fine if I give the web server user execute permissions to some of the folders, including the config folder.  Anything less than 750 to the config, plugins, etc. folders does not work.  Is this really correct?  Is there a document somewhere that shows exactly what Linux file permissions should be granted to each folder?

Second, RC seems to be ignoring entries that I add to the .htaccess files.  For example, I tried blocking access by web users to the temp and logs folders by adding directives ( Oder allow,deny / Deny from all ), but these are ignored, and a web visitor can actually browse the contents of these folders.  I use .htaccess on other folders on my Apache installation, and it always seems to work fine.

Thanks in advance for any help or suggestions the community can offer.

JohnDoh (Global Moderator)
Re: Securing Roundcube Installation
« Reply #1 on: January 05, 2018, 07:25:53 AM »
There are some tips on securing your installation in the INSTALL file shipped with Roundcube; see https://github.com/roundcube/roundcubemail/blob/master/INSTALL#L163

Regarding your issue with .htaccess files, I'd check your Apache config to make sure you have AllowOverride all set on the directory.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…
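
The AllowOverride check suggested in the reply above can be done mechanically. The following is an added example, not part of the thread or of Roundcube: it reports which `<Directory>` section decides `AllowOverride` for a given path. The sample config, the paths and the function names are assumptions, and only literal-path `<Directory>` sections are modelled (no wildcards, regex sections or Include files).

```python
import re
from pathlib import PurePosixPath

# Constructed sample config (not from the thread); all paths are assumptions.
SAMPLE_CONF = """
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory /var/www/other>
    AllowOverride All
</Directory>
"""

SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)

def effective_allow_override(conf_text, target):
    """Return (value, source) for the AllowOverride that governs target.

    Apache applies literal <Directory> sections from the shortest path to the
    longest, so the longest matching section that sets the directive wins.
    """
    target = PurePosixPath(target)
    # Apache 2.4 falls back to "None" when no section sets the directive.
    value, source = "None", "(Apache 2.4 default)"
    sections = sorted(SECTION.findall(conf_text),
                      key=lambda s: len(PurePosixPath(s[0]).parts))
    for path, body in sections:
        p = PurePosixPath(path)
        if p == target or p in target.parents:
            m = OVERRIDE.search(body)
            if m:
                value, source = m.group(1), path
    return value, source

def htaccess_honoured(conf_text, target):
    """True when .htaccess files under target are read at all."""
    value, _ = effective_allow_override(conf_text, target)
    return value.strip().lower() != "none"
```

With the sample config, a Roundcube tree at the assumed path `/var/www/roundcube` inherits `AllowOverride None` from `/var/www`, so every `.htaccess` file in it, including the ones meant to protect temp and logs, is skipped without any error.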