Hi,
I'm new here, so HELLO EVERYBODY:)
I have Apache2 + PHP (hardened with Suhosin) on Ubuntu 10.04 LTS.
I've just installed RoundCube Webmail 0.4.1.
The configuration is:
1) Apache2:
DocumentRoot /var/www
Options FollowSymLinks
AllowOverride None
Options FollowSymLinks MultiViews
AllowOverride All
Order Allow,Deny
Allow from all
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule (.*)$ https://%{SERVER_NAME}$1 [L,R]
RewriteRule (.*)$ https://%{SERVER_NAME}$1 [L,R]
RewriteLogLevel 2
2) Roundcube is unpacked into /var/www; all files and directories are chowned to roundcube:roundcube (roundcube is a non-shell user), and the temp and logs directories are chowned to www-data:www-data.
3) Disabled some insecure functions in php.ini, configured open_basedir = /var/www, disabled allow_url_fopen.
4) I have .htaccess files preventing access to the config, logs, and temp directories.
I'm using some plugins, and I created .htaccess files preventing access to config.inc.php for all the plugins I use.
5) In the password plugin, access to config.inc.php (with the DSN to pgsql) is roundcube:www-data (640).
My question is simple: what more can I do to better secure my installation of Roundcube? Can you guys post some advice here for a new RoundCube administrator :)?
Thanks in advance
Michael
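
The file-level settings in items 2, 4 and 5 above can be checked repeatably with a short audit script. This is an added example, not part of the original post; the function name audit_roundcube and the "Deny from all" marker it looks for are assumptions, while the paths, users and mode 640 come from the post.

```shell
#!/bin/sh
# Added example, not from the post: audits items 2, 4 and 5 of the setup.
# Assumes GNU stat/find (as on Ubuntu) and Apache 2.2 "Deny from all" syntax.

audit_roundcube() {
    root=$1; web_user=$2; findings=0
    flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # Item 4: config, logs and temp must each carry a deny-all .htaccess.
    for d in config logs temp; do
        if ! grep -qi 'deny from all' "$root/$d/.htaccess" 2>/dev/null; then
            flag "$d/.htaccess missing or does not deny access"
        fi
    done

    # Item 5: the password plugin config holds the pgsql DSN; no "other" bits.
    pw="$root/plugins/password/config.inc.php"
    if [ -f "$pw" ]; then
        mode=$(stat -c '%a' "$pw")
        [ $(( 0$mode & 7 )) -eq 0 ] || flag "$pw is mode $mode (post uses 640)"
    fi

    # Item 2: only temp/ and logs/ may belong to the web server user, so a
    # PHP bug cannot overwrite application code.
    owned=$(find "$root" -path "$root/temp" -prune -o -path "$root/logs" -prune \
            -o -type f -exec stat -c '%U %n' {} + |
            awk -v u="$web_user" '$1 == u' | wc -l)
    [ "$owned" -eq 0 ] || flag "$owned file(s) outside temp/logs owned by $web_user"

    # Nothing in the tree should be world-writable.
    ww=$(find "$root" ! -type l -perm -0002 | wc -l)
    [ "$ww" -eq 0 ] || flag "$ww world-writable path(s) under $root"

    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Usage: sh audit.sh /var/www www-data
if [ "$#" -gt 0 ]; then audit_roundcube "$1" "${2:-www-data}"; fi
```

The .htaccess check only confirms that the files exist and contain a deny rule; Apache honours them only where AllowOverride permits it, so also confirm that requests for config/, logs/ and temp/ return 403.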