Most apache setups do not list .inc files as being "executable" ,
and therefore will output the content of these files directly to
the browser upon request. This will show all content of the file,
including your mysql passwords.
To fix this security flaw, simply change the mysql.inc and vmail.
inc files to .inc.php, and make the neccessary changes in the top