Hi bamse and welcome to WebmasterWorld.

I'm not sure if I'm understanding your question properly but this is how I have handled it for the same scenario you are describing.

In apache2.conf (your config file may be different depending on your setup, can also be httpd.conf, or a few others):

<Directory "/var/www/vhosts/default/htdocs">
Order Deny,Allow
Deny from All
Allow from 127.0.0.1
</Directory>

Whether or not that is the best manner to handle it or not I'm not positive but it serves my purpose. Also it's better to just serve an access 403 forbidden because anyone navigating to those URI shouldn't be there anyway. It would just be someone up to mischief or a stray bot. No point on serving up a page that is going to consume bandwidth.

However, one of the advanced Apache forum folks here might jump in behind me and tell you (and me) why that might not be the best way of handling it so hang tight.

I just reread your OP again after posting and the lights went on (and coffee had just kicked in) -- I think my reply is not answering your question because it assumes multiple VirtualHosts but you did state you only have one.

Thank you SevenCubed. I think you understood my question properly. So you mean to create a default vhost to handle all requests which don't match any other vhosts and which is not accessible from the outside world?

BTW, how (if at all) did you handle the reverse scenario: for instance somebody accessing IMAPS at www.example.com:993 instead of mail.example.com:993 or somebody querying the DNS at mail.example.com:53 ?

Hmmmmmm we obviously have different setups. I didn't have to create a default vhost it was already there. I'm using Plesk to perform partial site duties (SSH commands, arguments and options for the rest).

By default Plesk creates a default domain which it appears to refer to afterward as a template for creating new domains (ask me how I found out the hard way).

So I didn't have to create a default it was just there but was accessible in ways I didn't want. But, it was a concern for me in ways you mentioned above so what I posted above was my solution to keep gremlins out. I had to allow 127.0.0.1 because the system appears to interact with it in some way that I don't fully understand (but understand much more than I did prior to deleting it). Ha, it looked like spare parts!

As for the other points you've mentioned I haven't considered them and now feeling apprehensive about checking into it right now due to being in a state of shell-shock from a week-long period of configuring my new server to get it setup and finally running smoothly.

I was just beginning to breathe again. I had gotten into a state of holding my breath with every new configuration input and restart command. It was so frequent that I stopped breathing for a week until I saw another member's post somewhere where (s)he typed out in CAPS - BREATHE. And I did once again ;)

Oh dang my monkey mind is getting me OT again...retreating.

Rechecking, I also have a default vhost which something or somebody (me) must have disabled. Like on your box, the default was made for another purpose though.