
10.4: Enable encrypted SquirrelMail on Server OS X Server
Tiger only hint

I set up my mail server on OS X 10.4 and enabled SquirrelMail to provide webmail functionality. In my Mail Preferences for authentication, I had disabled LOGIN and PLAIN, so passwords wouldn't be sent in the clear when people check their mail.

With these settings, I could not log in to my webmail. Using the conf.pl script in the squirrelmail directory, I could not change the authentication method, so I had to change it manually like this:

Open Terminal and type pico /etc/squirrelmail/config/config.php. Change $imap_auth_mech = 'login'; to $imap_auth_mech = 'cram-md5'; (or whatever you set as your method for authentication). Save and close the document. Now you can log in to SquirrelMail using your username and password....
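The edit described in the hint, as an added example that is not part of the original post: it rewrites only the $imap_auth_mech line and then checks whether the SquirrelMail-to-IMAP hop would still carry the password in the clear. The sample file contents, the $use_imap_tls line in it, the accepted mechanism list and all function names are assumptions made for the example.

```python
import re

# Constructed sample of the relevant lines in a SquirrelMail config.php.
SAMPLE = """<?php
$imapServerAddress = 'localhost';
$imapPort = 143;
$use_imap_tls = false;
$imap_auth_mech = 'login';
?>"""

# Assumption: the mechanism names this helper accepts.
KNOWN_MECHS = {"login", "plain", "cram-md5", "digest-md5"}
CLEARTEXT_MECHS = {"login", "plain"}
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*'?([^';]*)'?\s*;", re.M)
MECH_LINE = re.compile(r"^(\s*\$imap_auth_mech\s*=\s*)'[^']*'(\s*;)", re.M)

def parse_config(text):
    """Return {variable: value} for the simple scalar assignments."""
    return {name: value.strip() for name, value in ASSIGN.findall(text)}

def set_imap_auth_mech(text, mech):
    """Rewrite only the $imap_auth_mech line, as the hint does by hand."""
    if mech not in KNOWN_MECHS:
        raise ValueError("unknown mechanism: %r" % mech)
    new, count = MECH_LINE.subn(
        lambda m: "%s'%s'%s" % (m.group(1), mech, m.group(2)), text)
    if count != 1:
        raise ValueError("expected one $imap_auth_mech line, found %d" % count)
    return new

def audit(text):
    """List findings for the SquirrelMail-to-IMAP hop only."""
    cfg = parse_config(text)
    # Assumption: a missing setting is treated as 'login' / no TLS.
    mech = cfg.get("imap_auth_mech", "login").lower()
    tls = cfg.get("use_imap_tls", "false").lower() == "true"
    if mech in CLEARTEXT_MECHS and not tls:
        return ["imap: password sent in the clear (mech=%s, no TLS)" % mech]
    return []

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit(set_imap_auth_mech(SAMPLE, "cram-md5")))
```

The audit says nothing about the browser-to-SquirrelMail connection, which this setting does not touch.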

10.4: Enable encrypted SquirrelMail on Server
Authored by: aamann on Jul 01, '05 12:04:49PM

You might also consider serving Squirrelmail through an SSL connection - this way all the data will be transferred encrypted, not just the passwords...



10.4: Enable encrypted SquirrelMail on Server
Authored by: jelockwood on Jul 01, '05 01:12:58PM

I am not sure I am seeing much use for this tip.

As far as I can see it merely encrypts the password sent from Squirrelmail to the IMAP server. However I would expect in most cases (certainly in my own case) both Squirrelmail and my IMAP server are on the same server and therefore this traffic does not go across the Internet. In any case, the user still has to type their password in to a web-browser and have THAT sent across the Internet to Squirrelmail, and with this tip THAT aspect is still completely unencrypted.

As aamann said, really the only way to fully secure this is to use SSL encryption for the entire Squirrelmail system.

This tip might be of use for those people whose IMAP server insists on an encrypted password but they should still be aware of these other issues.



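What the SquirrelMail-to-IMAP hop discussed above carries under each setting, as an added example that is not part of the original thread: CRAM-MD5 (RFC 2195) is a challenge-response exchange in which the client returns an HMAC-MD5 of the server's challenge keyed with the password, while LOGIN sends the password itself. The user, password and challenge are the sample values from RFC 2195; the function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Sample values from the RFC 2195 example exchange.
USER, PASSWORD = "tim", "tanstaaftanstaaf"
CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"

def server_challenge(challenge):
    """IMAP server: continuation line sent after AUTHENTICATE CRAM-MD5."""
    return "+ " + base64.b64encode(challenge.encode()).decode()

def client_response(user, password, challenge_line):
    """Webmail side: answer the challenge without sending the password."""
    challenge = base64.b64decode(challenge_line[2:])
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode((user + " " + digest).encode()).decode()

def server_verify(response, challenge, secrets):
    """IMAP server: recompute the HMAC from its own copy of the secret."""
    user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def login_command(user, password):
    """What $imap_auth_mech = 'login' puts on the same connection instead."""
    return 'A001 LOGIN %s "%s"' % (user, password)

def exchange():
    """Run both sides and return what crosses the connection."""
    line = server_challenge(CHALLENGE)
    resp = client_response(USER, PASSWORD, line)
    return {
        "challenge": line,
        "response": resp,
        "response_decoded": base64.b64decode(resp).decode(),
        "accepted": server_verify(resp, CHALLENGE, {USER: PASSWORD}),
    }

if __name__ == "__main__":
    for key, value in exchange().items():
        print(key, "=", value)
    print("login =", login_command(USER, PASSWORD))
```

Only the IMAP leg changes: the password still has to reach SquirrelMail from the browser first, and the server must keep a usable copy of the secret to recompute the HMAC.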
10.4: Enable encrypted SquirrelMail on Server
Authored by: stingerman on Jul 01, '05 05:17:05PM

Use the VPN service and only allow access via the private network.



10.4: Enable encrypted SquirrelMail on Server
Authored by: aaulich on Jul 02, '05 04:21:24AM

Hello,

exactly, telling squirrelmail to use CRAM-MD5 is not of much use as the password you enter in the login screen is sent in cleartext through the net.

Use SSL with your website instead. You can also set up a redirect from http://example.com/webmail to https://example.com/webmail to make sure you don't use an insecure connection by accident. Or you just disable webmail for the http:// version of your site.

Whatever you choose to do, SSL is the key to secure webmail access.

Cheers, Andre

10.4: Enable encrypted SquirrelMail on Server
Authored by: overrider on Jul 03, '05 09:08:08PM

hey. well, the only use of this hint is for those who wonder: why can't i get squirrelmail to work without having to use PLAIN passwords? no more than that.



10.4: Enable encrypted SquirrelMail on Server
Authored by: welch on Jan 24, '06 07:54:06PM

I was one of the humble souls who spent a bit of time wondering "why cant i get squirrelmail to work?" without knowing it was the PLAIN passwords, so this hint was much welcomed by me. It fixed my problem. (For some reason I am unable to enable PLAIN authentication for IMAP service on my 10.4.4 Server machine. The Server Admin app spins and spins, and eventually reverts back to the Kerberos and CRAM-MD5 that it was originally set to, "forgetting" that I had checked PLAIN....)



10.4: Enable encrypted SquirrelMail on Server
Authored by: CarlosD on Jul 02, '05 12:18:03PM

I think this is a great and useful hint, though a bit misunderstood.

The point of allowing encrypted communication between SquirrelMail and the mail server is that you can now disable the non-encrypted access methods without sacrificing WebMail.

For example, I set up my company's email to require encryption for IMAP and SMTP from every client (internally and externally accessed). I wanted to further restrict access to just cram-md5, but, before this hint, I couldn't without sacrificing WebMail, so I had to leave other methods open.

Now, I expect to be able to lock down my mail server all the way as I intended and still offer all the service I intended. Thanks to the original poster! :)

---
Carlos D
===
my music
http://music.altamar.dynalias.org/



10.4: Enable encrypted SquirrelMail on Server
Authored by: tknospdr on Jul 04, '05 12:42:07AM
Wouldn't it be easier to just run the cmd line config script rather than to manually change files?
sudo /private/etc/squirrelmail/config/conf.pl

