Roundcube big security issue.

.htaccess is server by the webservers Apache and Litespeed. CWP panel uses nginx to handle all requests coming to the panel and included services (webmail, phpmyadmin, etc). That is why .htaccess is ignored by CWP.

Anyway, if I remove the rule from:
/usr/local/cwpsrv/conf.d/webmail.conf
then I can access the logs using:
https://webmail.domain.com/logs/errors.log
same is applied for the rule from @rcschaff.

Do you have some test system and can you provide me with access to it ?

Sent you a DM.

Just out of curiosity I deleted the /usr/local/cwpsrv/var/services/roundcube/logs/errors.log, and it's still trying to download it form somewhere.

Not sure how I got sucked into this blackhole, it's 0113...