✅ SOLVED – Roundcube logs publicly accessible via /logs/errors.log (CWPpro 0.9.8.1201)If you're seeing this issue:
https://domain.com/webmail/logs/errors.log
https://domain.com/roundcube/logs/errors.log
...and `.htaccess` isn’t being respected by `cwpsrv` or your webmail backend, here's a
permanent fix that works regardless of web server behavior.
🛠️ Solution: Disable Logging from Within Roundcube This will stop Roundcube from writing to `errors.log` entirely.
Step-by-step instructions:[olist]
- SSH into your server
- Edit the Roundcube config file:
nano /usr/local/cwpsrv/var/services/roundcube/config/config.inc.php
[/li]
[li]Add the following at the bottom:[/li][/list]
// Disable all Roundcube logging
$config['log_driver'] = 'null'; // Prevent writing logs
$config['syslog_id'] = null; // Disable syslog output
$config['log_logins'] = false; // Do not log logins
$config['log_session'] = false; // Do not log sessions
$config['log_authfail'] = false; // Do not log failed logins
$config['smtp_log'] = false; // Disable SMTP log
$config['imap_log'] = false; // Disable IMAP log
[/li]
[li]Save and exit (
Ctrl+O, Enter, Ctrl+X)[/li][/list]
[/olist]
✅ No restart needed — changes are applied immediately.🧱 Why this works: Disabling logging at the application level ensures nothing is written to disk, eliminating the exposure even if `.htaccess` is ignored.
🔍 Tested On:CWPpro: 0.9.8.1201
Roundcube: 1.4.11 & 1.5.6
Apache: 2.4.62
PHP-FPM: 8.2.28
MariaDB: 10.11.11
OS: Rocky Linux 8.10
Stack: Nginx → Apache (forced PHP-FPM)
Hope this helps others secure their Roundcube installs on CWP.
Let me know if you need a web server rule version as well.
Jaspreet Singh