All configuration files of the application, as well as temporary ones (attachments, logs, etc.), are stored in the data directory, so it's important to make sure that users cannot access that directory over the Internet directly.
The application uses .htaccess for basic protection of the data directory, but it might not work if you're using a web server other than Apache, and even Apache can be configured to disregard .htaccess files. The file is located in the data directory and has the following content:
deny from all
If it doesn't work for you, you'll need to modify the Apache configuration, either by supplying the above configuration for the data directory, or by including the Limit option in the AllowOverride directive.
If you're using nginx, add the following to your domain configuration file:
location ^~ /data {
    deny all;
}
For IIS, you can create a web.config file in the main WebMail Lite directory with the following content (the segment value is the name of the folder that IIS hides from requests):
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="securefolder" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
Historically, there's another .htaccess file found in the root directory, and it holds the following section:
<Files *config.json*>
    order allow,deny
    deny from all
</Files>
That file only protects configuration files, while the data/.htaccess file disallows access to the data directory entirely.
NB: When you log into the admin interface of WebMail Lite, it attempts to determine whether the data directory can be accessed over the web and, if so, issues a security warning.
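A check you can run yourself after applying any of the configurations above, given here as an added example that is not part of WebMail Lite or its documentation. It writes a random canary file into the data directory, requests it over HTTP and reports exposure only if the canary content comes back; the function names, the canary file naming and the sample paths are assumptions of this example, and the script needs write access to the data directory.

```python
import os
import secrets
import urllib.error
import urllib.request


def http_fetch(url, timeout=10):
    """GET url and return (status, first 4 KiB of body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)


def data_dir_exposed(data_dir, data_url, fetch=http_fetch):
    """Drop a canary file into data_dir and try to read it back via data_url.

    Returns (exposed, status). exposed is True only when the response body
    contains the canary token, so a custom error page served with status 200
    is not reported as a leak.
    """
    token = secrets.token_hex(16)
    name = "canary-%s.txt" % secrets.token_hex(8)  # hypothetical naming scheme
    path = os.path.join(data_dir, name)
    with open(path, "w") as fh:
        fh.write(token)
    try:
        status, body = fetch(data_url.rstrip("/") + "/" + name)
    finally:
        os.remove(path)  # never leave the probe file behind
    return token.encode() in body, status


if __name__ == "__main__":
    import sys
    # Placeholder arguments: <filesystem path of data dir> <URL it would map to>,
    # e.g. /var/www/webmail/data https://mail.example.com/data
    exposed, status = data_dir_exposed(sys.argv[1], sys.argv[2])
    print("HTTP %d: data directory is %s" % (status, "EXPOSED" if exposed else "not served"))
    sys.exit(1 if exposed else 0)
```

The script exits with status 1 when the canary is readable, so it can be used in a deployment check after web server or application upgrades.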
There's another approach to protecting the data directory, which can be particularly useful when you don't have access to web server configuration files. You can move the data directory to a different location and rename it to something else. Ideally, the new location should not be accessible over the Internet.
To let WebMail Lite know the new name and location of the data directory, create an inc_settings_path.php file in the root WebMail Lite directory with the following content:
<?php
$dataPath = '/new/location/of/data';
where the $dataPath value contains the filesystem path of the data directory; it can be either an absolute or a relative path.
NB: If you have used an automated installer (for example, by installing the product from an APT repository), it's recommended to copy the data directory instead of moving it, or at least to keep an empty data directory at the initial location, to prevent issues with future upgrades.