I have email disabled for the domain and so if I select ‘email only’ when creating the user will their only access be to view a password protected directory? Or is there some other ability or security issue I should be aware of?
So I guess if they’re created with ‘mail only’ (via web UI) and FTP is disabled and they aren’t specially given access to a DB, they’ll only be able to access the protected web directories specified for them? Just want to check this assumption is correct.
As far as Apache is concerned, you really don’t need a mail or FTP user for protected directories. It can all be done with .htaccess and .htpasswd. The specifics are slightly different depending on the OS, but it’s simple regardless.
I have no idea how this might mess with Virtualmin, however, since Virtualmin does provide that functionality.
In any case, I can’t come up with any realistic drawback to just doing it the way Virtualmin suggests. There’s something to be said for making things easy.
For anyone wanting to do the same in future you just need to create a .htaccess file with:
AuthUserFile "/home/domain-or-path/public_html/.htpasswd"
AuthType Basic
AuthName "Please enter your username and password"
require valid-user
<Files .htpasswd>
deny from all
</Files>
and a .htpasswd file with the passwords. Both files in public_html.
Personally, I prefer putting .htpasswd in a directory a level above the public Web root. it can still be referenced by .htaccess anywhere in the user’s /home/ directory.