1 (edited by Neutro 2015-08-27 02:51:30)

Topic: Apache listing enabled by default on www directory, should be disabled

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Debian 8.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro?
- Related log if you're reporting an issue:
==============================

Hey ZhangHuangbin, just letting you know: the default apache2.conf generated by the iRedMail installation has this included:

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

I think you should remove "Indexes" from this, as it allows any anonymous web visitor to list any directory that is put manually in /var/www/, which is the folder that most people will use to add another website after the iRedMail installation is done, I guess ;)

Best regards.
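An added example, not part of the original post and not iRedMail or Debian code: a small checker that reports which `<Directory>` blocks end up with autoindex enabled, so the stanza above can be audited before other sites are dropped into /var/www/. It assumes Apache 2.4 behaviour (sections merged from shortest path to longest, default `Options FollowSymLinks`), ignores `<DirectoryMatch>`, wildcards, virtual hosts and .htaccess, and the two child directories in the sample are hypothetical.

```python
import re
# Constructed sample: the post's stanza plus two hypothetical child directories.
SAMPLE_CONF = """
<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>
<Directory /var/www/newsite/>
        Require all granted
</Directory>
<Directory /var/www/mail/>
        Options -Indexes
</Directory>
"""

BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.I | re.S)
def parse_sections(conf):
    """Return {path: [token list per Options line]} for plain <Directory> blocks."""
    sections = {}
    for path, body in BLOCK_RE.findall(conf):
        opts = [w[1:] for w in map(str.split, body.splitlines())
                if w and w[0].lower() == "options"]
        sections.setdefault(path.rstrip("/") + "/", []).extend(opts)
    return sections

def apply_line(state, tokens):
    """Apply one Options line to the inherited Indexes state."""
    if tokens and all(t[0] in "+-" for t in tokens):   # relative form: merge
        for t in tokens:
            if t[1:].lower() == "indexes":
                state = t[0] == "+"
        return state
    names = {t.lower() for t in tokens}                # absolute form: replace
    return "indexes" in names or "all" in names

def indexes_enabled(conf):
    """Map each <Directory> path to True if autoindex is effectively on."""
    sections, result = parse_sections(conf), {}
    for path in sections:
        state = False  # assumed default: Apache 2.4 "Options FollowSymLinks"
        for parent in sorted(sections, key=len):       # shortest path first
            for tokens in sections[parent] if path.startswith(parent) else []:
                state = apply_line(state, tokens)
        result[path] = state
    return result

if __name__ == "__main__":
    print(indexes_enabled(SAMPLE_CONF))
```

On the sample, the hypothetical /var/www/newsite/ inherits listing from /var/www/ even though it sets no Options of its own; changing the parent line to `Options FollowSymLinks` turns it off for every block.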

----


2

Re: Apache listing enabled by default on www directory, should be disabled

iRedMail doesn't generate 'apache2.conf', it's installed by apache package.

Personally, I don't think auto index is a risk.