==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Debian 8.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro?
- Related log if you're reporting an issue:
==============================
Hey ZhangHuangbin, just letting you know: the default apache2.conf generated by iRedmail installation has this included:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>I think you should remove "Indexes" from this, as it allows any anonymous web visitor to list any directory that is put manually in /var/www/, which is the folder that most people will use to add another website after iredmail installation is done I guess 
Best regards.