- Ideally, you should not have anyone allowed to be logged in on the web server except administrators.
- When picking directories, make sure to pick ones that other people on your system can not view. You should pick as tight of permissions as possible, but still make sure that SquirrelMail works. Also, make sure that the ownership of the directory and files are correct and restrict people from reading the files. See DataAndAttachmentsDirectories for more information.
- SquirrelMail runs fine over HTTPS. Check your web server documentation for how to force the pages to be served only over HTTPS. Apache's mod_rewrite might be of some use, or you can modify login.php to force HTTPS connections. This can be achieved by using the [Secure Login] plugin.
- SquirrelMail can talk to IMAPS servers, but it isn't supported right-out-of-the-box. Try looking at SquirrelMailIMAPS for more information.
- You can use TCP wrappers to make sure your mail server doesn't talk to anyone except the web server (to further deny access and make things safer).
- If you run Apache with the PHP module and use virtual servers based on hostname, all of the servers run as the same user. Some other user could just make a PHP script to get information from your data directory and your configuration. If you use virtual servers based on IP, you should use the User/Group command in Apache. Ideally, you won't host user web pages on the same server that SquirrelMail runs on. Or use php_admin_value open_basedir "/var/www/html/virtual1" for all your virtual server configuration files. It can also secure not only your SquirrelMail installation also your entire server.
- There is a possibility to protect end users from giving away their password when logging in from Internet cafés where the Microsoft Internet Explorer "auto complete" feature is switched on. In older SquirrelMail versions, change the login line in src/login.php as follows:
- <input type="password" autocomplete="off" name="" />
- In newer SquirrelMail versions, change functions/forms.php as follows:
- return addInputField('password', $name , $value, ' autocomplete="off"');}