Protecting data directory

All configuration files of the application, as well as temporary ones (attachments, logs, etc.) are stored in data directory, so it's important to make sure that users cannot access that directory over the Internet directly.

To check if the directory is open for browsing, navigate to URL obtained by appending /data/ to main URL of your WebMail install. If you see a web server error page, everything is fine and data directory is secure. But you need to do something if you get the following message:

If you see this, your Application data folder may not be
secured properly and everybody on the web can view it.

Refer to the installation instructions on how to secure this folder
or move into the location which is not visible from the web.

Application uses .htaccess for basic protection but it might not work if you're using a web server other than Apache, and even Apache can be configured to disregard .htaccess files. The file has the following content:

deny from all

and if it doesn't work for you, you'll need to modify Apache configuration, either by supplying the above configuration for data directory, or by including Limit option to AllowOverride directive.

If you're using nginx, add the following to your domain configuration file:

location ^~ /data {
 deny all;
}

There's another approach for protecting data directory, which can be particularly useful when you don't have access to web server configuration files. You can move data directory to a different location, and rename it to something else. Ideally, the new location should not be accessible over the Internet.

To let WebMail know the new name and location of the data directory, create inc_settings_path.php file in root WebMail dir, it should have the following content:

<?php
$dataPath = '/new/location/of/data';

where $dataPath value contains filesystem path of data directory location, it can be either absolute or relative path.