Hi,
I've installed v 0.3.1 and assigned ownership of every file/dir to apache (chown -R apache:apache roundcube). Is it correct?
Then, as recommended in the installation instructions, I checked that access through the web server to the following directories is denied (via .htaccess):
* /config
* /temp
* /logs
Should I take other actions to secure the installation?
Are there any security best practices?
Thanks
Guido
no one...?
You've secured the right directories. Besides that, you could also use an SSL certificate on your web server for your Roundcube website.
You should also consider setting up a fail2ban jail for your IMAP server software as well as Roundcube. Setting it up just for the IMAP software isn't enough, since roundcubemail is most probably installed on the same server as the IMAP server, and fail2ban will never lock out localhost.
There have been a few posts that you can search for with Google that detail how to set this up and get the filters working so that fail2ban parses the Roundcube logs and bans the corresponding remote IP instead of localhost.
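
The localhost problem described in the reply above, as an added example that is not part of the original posts and is not fail2ban's or Roundcube's own code. Both log formats, the user names and the addresses are constructed, simplified assumptions; `hosts_to_ban`, `max_retry` and `find_time` are hypothetical names for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in simplified, assumed formats (not real server output).
# The IMAP server sees the webmail host (127.0.0.1) as the client; the webmail
# log records the browser's address (documentation-range IPs used here).
IMAP_LOG = """\
2010-01-12 10:00:01 imap-login: auth failed user=guido rip=127.0.0.1
2010-01-12 10:00:05 imap-login: auth failed user=guido rip=127.0.0.1
2010-01-12 10:00:09 imap-login: auth failed user=guido rip=127.0.0.1
"""
WEBMAIL_LOG = """\
2010-01-12 10:00:01 IMAP Error: Login failed for guido from 203.0.113.7
2010-01-12 10:00:05 IMAP Error: Login failed for guido from 203.0.113.7
2010-01-12 10:00:09 IMAP Error: Login failed for guido from 203.0.113.7
2010-01-12 10:30:00 IMAP Error: Login failed for anna from 198.51.100.4
"""

# One pattern per log; each captures the address that log blames for the failure.
IMAP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) imap-login: auth failed .*\brip=(?P<host>[\d.]+)$")
WEBMAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IMAP Error: Login failed for \S+ from (?P<host>[\d.]+)$")

IGNORED = {"127.0.0.1"}  # localhost is never banned, as the reply describes


def hosts_to_ban(log_text, pattern, max_retry=3, find_time=timedelta(minutes=10)):
    """Return hosts with at least max_retry failures inside a find_time window."""
    failures = defaultdict(list)
    banned = set()
    for line in log_text.splitlines():
        m = pattern.match(line)
        if not m or m["host"] in IGNORED:
            continue
        now = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        # Keep only failures still inside the window, then add this one.
        recent = [t for t in failures[m["host"]] if now - t <= find_time] + [now]
        failures[m["host"]] = recent
        if len(recent) >= max_retry:
            banned.add(m["host"])
    return sorted(banned)


if __name__ == "__main__":
    print("from IMAP log:   ", hosts_to_ban(IMAP_LOG, IMAP_RE))
    print("from webmail log:", hosts_to_ban(WEBMAIL_LOG, WEBMAIL_RE))
```

Watching only the IMAP log yields nothing to ban, because every failure is attributed to 127.0.0.1; the webmail log attributes the same three failures to the remote address.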