Author Topic: Roundcube big security issue.  (Read 5984 times)


Re: Roundcube big security issue.
« Reply #30 on: February 24, 2025, 12:20:24 AM »
.htaccess is served by the web servers Apache and Litespeed. CWP panel uses nginx to handle all requests coming to the panel and included services (webmail, phpmyadmin, etc). That is why .htaccess is ignored by CWP.

Anyway, if I remove the rule from:
/usr/local/cwpsrv/conf.d/webmail.conf
then I can access the logs using:
https://webmail.domain.com/logs/errors.log
same is applied for the rule from @rcschaff.

Do you have some test system and can you provide me with access to it ?

Re: Roundcube big security issue.
« Reply #31 on: February 24, 2025, 01:12:04 AM »
Sent you a DM.

Just out of curiosity I deleted the /usr/local/cwpsrv/var/services/roundcube/logs/errors.log, and it's still trying to download it from somewhere.

Not sure how I got sucked into this blackhole, it's 0113...
« Last Edit: February 24, 2025, 01:13:43 AM by Starburst »

Re: Roundcube big security issue.
« Reply #32 on: February 27, 2025, 03:45:38 AM »
Thanks  :)

It now presents '403 Forbidden'.
Web Design, Development & Web Hosting
https://6sense.com.au

Re: Roundcube big security issue.
« Reply #33 on: April 19, 2025, 05:38:20 AM »
✅ SOLVED – Roundcube logs publicly accessible via /logs/errors.log (CWPpro 0.9.8.1201)

If you're seeing this issue:
Code:
https://domain.com/webmail/logs/errors.log
https://domain.com/roundcube/logs/errors.log
...and `.htaccess` isn’t being respected by `cwpsrv` or your webmail backend, here's a permanent fix that works regardless of web server behavior.

🛠️ Solution: Disable Logging from Within Roundcube 
This will stop Roundcube from writing to `errors.log` entirely.

Step-by-step instructions:
1. SSH into your server
2. Edit the Roundcube config file:
Code:
nano /usr/local/cwpsrv/var/services/roundcube/config/config.inc.php
3. Add the following at the bottom:
Code: (php)
// Disable all Roundcube logging
$config['log_driver'] = 'null';       // Prevent writing logs
$config['syslog_id'] = null;          // Disable syslog output
$config['log_logins'] = false;        // Do not log logins
$config['log_session'] = false;       // Do not log sessions
$config['log_authfail'] = false;      // Do not log failed logins
$config['smtp_log'] = false;          // Disable SMTP log
$config['imap_log'] = false;          // Disable IMAP log
4. Save and exit (Ctrl+O, Enter, Ctrl+X)

✅ No restart needed — changes are applied immediately.

🧱 Why this works: 
Disabling logging at the application level ensures nothing is written to disk, eliminating the exposure even if `.htaccess` is ignored.

🔍 Tested On:
Code:
CWPpro:        0.9.8.1201
Roundcube:     1.4.11 & 1.5.6
Apache:        2.4.62
PHP-FPM:       8.2.28
MariaDB:       10.11.11
OS:            Rocky Linux 8.10
Stack:         Nginx → Apache (forced PHP-FPM)

Hope this helps others secure their Roundcube installs on CWP. 
Let me know if you need a web server rule version as well.

Jaspreet Singh 

Re: Roundcube big security issue.
« Reply #34 on: April 21, 2025, 05:26:19 PM »
UPDATE – Correction to my previous response

In my earlier post, I suggested disabling Roundcube logging using the following entries in `config.inc.php`:

Code: (php)
$config['log_driver'] = 'null';
$config['log_logins'] = false;
$config['log_session'] = false;
$config['log_authfail'] = false;
$config['smtp_log'] = false;
$config['imap_log'] = false;

While these are valid config parameters, they do not prevent Roundcube from writing to errors.log when it's running under CWP’s internal `cwpsrv` backend.

The correct fix is located in the core bootstrap file:

Code:
/usr/local/cwpsrv/var/services/roundcube/program/lib/Roundcube/bootstrap.php

At line 31, change:
Code: (php)
'log_errors' => true,
to:
Code: (php)
'log_errors' => false,

This completely disables error logging in Roundcube and prevents `errors.log` from being generated or written to.

Reference: https://www.roundcubeforum.net/index.php?topic=30798.0 – Roundcube Forum, February 23, 2024
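Whichever of the fixes in this thread you apply (the webmail.conf rule, the config.inc.php entries or the bootstrap.php change), verify it from outside afterwards. The script below is an added example, not code from the thread or from CWP/Roundcube; it requests the three URL shapes named above on your own webmail host and tells a genuine log file apart from a login page or catch-all served under that path (the "still downloads it after I deleted the file" case). The hostname, the User-Agent string and the sample log line are assumptions.

```python
"""Check that a CWP/Roundcube host no longer serves its log directory (constructed example)."""
import sys
import urllib.error
import urllib.request

# The three URL shapes named in this thread; the hostname is an assumption.
LOG_PATHS = ["/logs/errors.log", "/webmail/logs/errors.log", "/roundcube/logs/errors.log"]


def classify(status, content_type, body):
    """Map one HTTP response to a verdict.

    A real Roundcube errors.log is plain text whose lines begin with a
    bracketed timestamp, e.g. "[24-Feb-2025 00:20:24 +0000]: <id> PHP Error".
    A 200 that carries HTML is the login page or a catch-all, which is what
    the 'still downloads after I deleted the file' report above looks like.
    """
    if status in (401, 403, 404):
        return "blocked"
    if status != 200:
        return "unexpected:%d" % status
    text = body.decode("utf-8", "replace").lstrip()
    if "text/html" in content_type.lower() or text.startswith("<"):
        return "not-a-log"      # something else is served under that path
    if text == "":
        return "empty-file"     # reachable but currently empty: still close it off
    return "exposed"


def probe(base_url, path):
    """Fetch base_url + path and classify the response (only the first 4 KiB is read)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "roundcube-log-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.headers.get("Content-Type", ""), resp.read(4096))
    except urllib.error.HTTPError as err:          # 403/404 etc. arrive here
        return classify(err.code, err.headers.get("Content-Type", ""), b"")
    except urllib.error.URLError:                  # DNS/TLS/connection failure
        return "unreachable"


def check_host(base_url):
    """Return {path: verdict} for every path in LOG_PATHS."""
    return {path: probe(base_url, path) for path in LOG_PATHS}


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://webmail.example.com"
    for path, verdict in check_host(base).items():
        print(f"{verdict:14} {base}{path}")
```

Run it as `python3 check_logs.py https://webmail.yourdomain.tld`; every path should come back `blocked`, and `empty-file` means the directory is still reachable even though nothing has been logged yet.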