SquirrelMail  

If you are running PHP 4.3 or later with the OpenSSL extension, run the SquirrelMail configuration utility (conf.pl), enable the Secure TLS option in the IMAP or SMTP configuration, and set the port settings to the IMAP or SMTP over SSL ports. IMAP over SSL uses port 993; SMTP over SSL uses port 465. SquirrelMail uses the PHP TLS transport, which requires SSLv3 or TLS support on the SSL-enabled server. STARTTLS extensions are not supported. More information can be found in doc/authentication.txt and the SquirrelMail Administrator's Guide.

If you can't use PHP with the OpenSSL extension, try tunneling SquirrelMail through Stunnel. Stunnel lets you add SSL support to a client that doesn't support SSL itself. The biggest downside of Stunnel is the overhead of establishing a secure connection to the IMAP server, especially since SquirrelMail hits the IMAP server so frequently (on nearly every page click).

If your mail server is the same machine as your web server, there is no need for encrypted communication between them. It's useless. Just toss it out the window, if you can.

If your servers are separate, or if you must force encrypted communication to your IMAPS server, try using Stunnel, creating an SSH tunnel or using a VPN. We suggest the SSH tunnel or the VPN. The reason is that if you just wrap both ends in Stunnel, you have to set up an SSL connection, do your little IMAP request, then tear down the SSL connection.

Of course, SquirrelMail is less than optimal when it comes to IMAP connections (it makes a new one for every IMAP request), so this would create a significant amount of overhead. An SSH tunnel is secure like an SSL connection, but it is set up once and stays up, probably until one of the systems is rebooted. Much more efficient. All you have to do is:

ssh -N -f -L1430:xxx.xxx.xxx.xxx:143 hostname

Where "xxx.xxx.xxx.xxx" is the IP address of the IMAP server and "hostname" is the hostname/IP address of the SSH server. In most cases the IMAP server and SSH server will be the same, but in my case I tunnel through a firewall, so the IP address of the IMAP server is the local IP address of the IMAP server (as seen from the SSH server).

This command creates a tunnel from port 1430 on the client machine to port 143 on the server side, so you just configure SquirrelMail on the client to connect to port 1430, and it tunnels through SSH to port 143 on the server.

The drawback of using SSH port forwarding as opposed to Stunnel is that you must be able to SSH/login to the IMAP server you are connecting to. If this is not possible (e.g. if you don't have login access on the IMAP server), you must use Stunnel. To set up a Stunnel connection, execute this command:

/usr/sbin/stunnel -P/tmp/ -c -d 10143 -r mail.hostname.com:993

You should substitute mail.hostname.com with the hostname of the IMAP server you are connecting to. This line assumes that the IMAP server is already configured to support encrypted communication.

For newer versions of Stunnel, edit stunnel.conf and add an entry for the IMAP tunnel. The following entries should be sufficient for most purposes:

   client = yes
   ...
   [squirrelmail_to_imaps]
   accept = localhost:10143
   connect = localhost:993

Of course, if you are accessing a nonlocal IMAP server, you should change localhost to suit your needs.
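
Both tunnels above accept unencrypted IMAP on a local port (1430 for SSH, 10143 for Stunnel), so that port should listen on loopback only. The following check is an added example, not part of the SquirrelMail documentation; the function name and the sample `ss -ltn` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SquirrelMail docs): confirm that the cleartext
# end of a tunnel listens on loopback only.

# Constructed sample of `ss -ltn` output: the SSH forward on 1430 is bound to
# loopback, while the listener on 10143 is bound to every interface.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:1430     0.0.0.0:*
LISTEN 0      128    [::1]:1430         [::]:*
LISTEN 0      128    0.0.0.0:10143      0.0.0.0:*'

# check_tunnel_listener PORT   (hypothetical helper; reads `ss -ltn` output on stdin)
# Prints "loopback-only", "exposed" or "not-listening" for the given TCP port.
check_tunnel_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                          # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != port) next         # port is the text after the last colon
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            found = 1
            # Anything other than 127.x.x.x or [::1] is reachable from the network.
            if (host !~ /^(127\.[0-9.]+|\[::1\])$/) exposed = 1
        }
        END {
            if (!found)       print "not-listening"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Demonstration on the constructed sample; on a live host use:
#   ss -ltn | check_tunnel_listener 1430
for p in 1430 10143 143; do
    printf '%s: %s\n' "$p" \
        "$(printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_tunnel_listener "$p")"
done
```

A result of "exposed" means other hosts can connect to the tunnel entrance without encryption; bind the listener to localhost, as the `accept = localhost:10143` entry above does.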

© 1999-2016 by The SquirrelMail Project Team