Protecting data directory

All configuration files of the application, as well as temporary ones (attachments, logs, etc.) are stored in data directory, so it's important to make sure that users cannot access that directory over the Internet directly.

Application uses .htaccess for basic protection of datadirectory but it might not work if you're using a web server other than Apache, and even Apache can be configured to disregard .htaccess files. The file is located in data directory and has the following content:

deny from all

and if it doesn't work for you, you'll need to modify Apache configuration, either by supplying the above configuration for data directory, or by including Limit option to AllowOverride directive.

If you're using nginx, add the following to your domain configuration file:

location ^~ /data {
 deny all;
}

There's another approach for protecting data directory, which can be particularly useful when you don't have access to web server configuration files. You can move data directory to a different location, and rename it to something else. Ideally, the new location should not be accessible over the Internet.

To let WebMail know the new name and location of the data directory, create inc_settings_path.php file in root WebMail dir, it should have the following content:

<?php
$dataPath = '/new/location/of/data';

where $dataPath value contains filesystem path of data directory location, it can be either absolute or relative path.