WebMail Pro documentation

Protecting data directory

All configuration files of the application, as well as temporary files (attachments, logs, etc.), are stored in the data directory, so it's important to make sure that users cannot access that directory directly over the Internet.

The application uses an .htaccess file for basic protection of the data directory, but it might not work if you're using a web server other than Apache, and even Apache can be configured to disregard .htaccess files. The file is located in the data directory and has the following content:

deny from all

If it doesn't work for you, you'll need to modify the Apache configuration, either by supplying the above directive for the data directory there, or by including the Limit option in the AllowOverride directive so that the .htaccess file is honored.

If you're using nginx, add the following to your domain configuration file:

location ^~ /data {
    deny all;
}

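For IIS, you can create a web.config file in the main WebMail Pro directory with the following content (the add element belongs inside the hiddenSegments collection of system.webServer/security/requestFiltering, and its segment attribute names the URL segment to hide):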

          <add segment="securefolder" />

Historically, there's another .htaccess file in the root directory, and it holds the following section:

<Files *config.json*>
	order allow,deny
	deny from all
</Files>

That file only protects configuration files, while the data/.htaccess file disallows access to the data directory entirely.

NB: When you log into the admin interface of WebMail Pro, it attempts to determine whether the data directory can be accessed over the web, and if so, issues a security warning.
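To run a similar check yourself after applying any of the web server configurations above, the following script writes a random canary file into the data directory and tries to fetch it over HTTP. This is an added example, not WebMail Pro code; the canary file name and the path and URL in the usage comment are assumptions.

```python
import secrets
import urllib.error
import urllib.request
from pathlib import Path


def http_get(url, timeout=10):
    """Return (status, body) for a GET; HTTP error statuses are returned, not raised.
    Connection failures (urllib.error.URLError) propagate to the caller."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def data_dir_exposed(data_dir, data_url, fetch=http_get):
    """Write a random canary file into data_dir and request it under data_url.

    Returns True only if the server answers 200 AND the body contains the
    random token, so a redirect to a login page or a custom error page served
    with status 200 is not mistaken for exposure.
    """
    token = secrets.token_hex(16)
    canary = Path(data_dir) / f"canary-{token[:8]}.txt"  # assumed file name
    canary.write_text(token)
    try:
        status, body = fetch(f"{data_url.rstrip('/')}/{canary.name}")
        return status == 200 and token.encode() in body
    finally:
        canary.unlink()  # never leave the probe file behind


if __name__ == "__main__":
    import sys
    # Assumed usage (placeholder path and URL):
    #   python check_data_dir.py /var/www/webmail/data https://mail.example.com/data
    exposed = data_dir_exposed(sys.argv[1], sys.argv[2])
    print("EXPOSED: data directory is served over the web" if exposed
          else "OK: canary file was not served")
    sys.exit(1 if exposed else 0)
```

Fetching a known file rather than the directory URL avoids a false "protected" result on servers that return 403 for a directory merely because listing is disabled.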

There's another approach to protecting the data directory, which can be particularly useful when you don't have access to the web server configuration files. You can move the data directory to a different location and rename it. Ideally, the new location should not be accessible over the Internet.

To let WebMail Pro know the new name and location of the data directory, create an inc_settings_path.php file in the root WebMail Pro directory. It should have the following content:

<?php
$dataPath = '/new/location/of/data';

where the $dataPath value is the filesystem path of the data directory; it can be either an absolute or a relative path.

NB: If you have used an automated installer (for example, by installing the product from an APT repository), it's recommended to copy the data directory instead of moving it, or at least to keep an empty data directory at the initial location, to prevent issues with future upgrades.