
The SquirrelMail - Microsoft Exchange Server FAQ

Keith Hatfull

v0.1.3, October 11, 2002


Want to give your mobile Exchange users the convenience of webmail without the overhead and headaches of Outlook Web Access? SquirrelMail is your answer for quick, easy, Exchange e-mail access on the road.

It is recommended that you use an SSL implementation, as without it you will be sending your NT username and password across the network in clear text. This document is targeted at single-server Exchange implementations, running SquirrelMail and its webserver on a separate Linux machine. If you have multiple servers, these items still apply to you; however, you have additional challenges that are discussed later.

Many questions about using Exchange with IMAP, LDAP, SMTP and other Internet protocols can be found at the TechNet knowledge base site at:

http://search.support.microsoft.com/kb/c.asp?FR=0&SD=TECH


What versions of Exchange work with SquirrelMail?

Exchange included fully IMAP4rev1 compliant IMAP support in v5.5 and later. Previous versions of Exchange do not have IMAP functionality. Check the following white paper for details on the RFC compliance for the various internet protocols spoken by Exchange:

http://support.microsoft.com/support/Exchange/Content/Whitepapers/intprot.asp

Can I let my SquirrelMail users access the Exchange Global Address List?

Yes, via LDAP support in PHP4. You must configure PHP4 with LDAP support (see the PHP4 documentation and the SquirrelMail README for details) and configure SquirrelMail to use your Exchange Server as an address book. All SquirrelMail defaults seem to work fine (including a blank base DN); you should only have to define the DNS name of your Exchange Server in the SquirrelMail configuration script.

In Exchange 5.5 I could not get my global address book to come up. I found out that it was using my domain name for the ou and o. I added that to the SquirrelMail configuration script and everything worked. I found out what my base DN was via the Ldp.exe utility on MS Windows 2000. See: http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q255602&;


Added by Bishop

Actually this is much more difficult than the author would have you believe. I have been struggling to get this to work with my current setup for a while, and I wanted to share what I've learned. I wanted to use a win2k DC with my address book. I'm familiar with OpenLdap so I was struggling with Microsoft's AD/LDAP hybrid. Basically the only solution I found was to edit a line in the ./functions/abook_ldap_server.php file (line 98). This was based on a posting that I saw at

http://sourceforge.net/tracker/index.php?func=detail&aid=696025&group_id=311&atid=100311

However, genoz made a little slip. The code should be changed to:

if(!@ldap_bind($this->linkid,"USERNAME","PASSWORD")) {

Where username is some user that has read access to that part of the tree. An example is:

CN=username,CN=Users,DC=company,DC=com

Or create a master LDAP account within Active Directory and modify the script to be:

if(!@ldap_bind($this->linkid,"ldapquery@domain.com","ldapquerypassword")) {

You can modify your security settings for parts of your LDAP tree using the ADSIEdit utility provided in the Support Tools. ldp.exe, which is also in the Support Tools, is good too.

The setup for the address book in my case didn't work for a blank baseDN in the SquirrelMail configure script. You can use CN=Users,DC=company,DC=com or whatever the location of your users container is in the directory. You can use the aforementioned ADSIEdit tool to determine the correct path to this container.

Hope this helps...

Bishop


Following Bishop's note about AD, here is my version of the change in "functions/abook_ldap_server.php".

Instead of line:

if(!@ldap_bind($this->linkid)) {

I've put:

global $onetimepad;
/* Reuse the credentials of the current SquirrelMail session for the LDAP bind */
$username = $_SESSION['username'];
/* The IMAP password is kept in the cookie, encrypted with the session's one-time pad */
$password = $_COOKIE['key'];
$password = OneTimePadDecrypt($password, $onetimepad);
$domain = 'my.domain.com';                 /* your AD DNS domain name */
$auth_user = $username . '@' . $domain;    /* bind as a UPN: user@domain */
if(!@ldap_bind($this->linkid,$auth_user,$password)) {

This change works for me quite well ;) (remember that the GAL is placed on the server with the Global Catalog and the port is 3268 - a non-standard LDAP port)


I've installed SquirrelMail but am having problems logging in, what could be wrong?

There are a few authentication issues. Exchange's IMAP implementation authenticates you using a combination of your NT domain username, NT domain password, and your Exchange mailbox alias. The issues below apply to all IMAP clients when used with Exchange, not just to SquirrelMail.

  • If you use a "." in your mailbox alias to facilitate the automatic generation of SMTP mail addresses for your mailboxes, you will need to remove the "." from your mailbox alias as the "." is used as an IMAP folder delimiter. You can remove the "." from an alias name as this will not affect existing SMTP addresses, nor will it affect your user's display name in the GAL as the GAL uses the display name, not the mailbox alias. Of course, YMMV so test this yourself.
  • If your NT domain username and mailbox alias are the same, you should use your normal domain credentials to login. Exchange makes some assumptions about your domain and mailbox alias to attempt to authenticate you.
  • If your mailbox alias is different from your NT domain username it gets very tricky. In order to authenticate to Exchange you must provide a qualified login name in the form "domain/username/alias". In other words, if the NT domain is "sm", the username is "squirrel", and the mailbox alias is "smmailbox", you would log in to SquirrelMail with "sm/squirrel/smmailbox" and the domain password for user "squirrel". You will authenticate fine; however, SquirrelMail will try to create a preferences file for this username, which it will not be able to do since we gave it a Unix path for the username. There is a workaround for this, however.
  • In the SquirrelMail data directory you would have to create, using the previous example, a directory called "sm", and under it a directory called "squirrel", both writeable by the webserver. When the user logs into SquirrelMail a preferences file called smmailbox.pref will be created under the "squirrel" directory. The same is true for the addressbook file and sig file, as they are all created with a relative reference to the SquirrelMail data directory. You would have to create a separate directory under "sm" for each user in the same manner. While a workaround, it does work and will keep you from changing your usernames or aliases.
  • (Added by Torsten) Alternatively you can add a little line (marked with +) to src/redirect.php to convert the "/" to "\\". This works like a charm here for us.
  sqGetGlobalVar('login_username', $login_username);
+ $login_username = strtr($login_username, '/', '\\');
  sqGetGlobalVar('secretkey', $secretkey);

When I try to send mail via SMTP on Exchange I get the error message "Error connecting to SMTP Server. 111: Connection refused"

You have routing restrictions set in the Internet Mail Service Routing tab that are not allowing the SquirrelMail machine to relay mail via SMTP on the Exchange server. You must install Exchange Service Pack 1 or later to gain functionality to allow clients to relay (you should have this functionality with or without SquirrelMail to ensure your Exchange server is not used for spamming by outside mailers). Once installed you can restrict (or allow) relay in a variety of ways. You should allow relay for the IP address of your SquirrelMail machine. More information can be found in the following TechNet article:

http://support.microsoft.com/support/kb/articles/Q196/6/26.ASP

When I send mail via SquirrelMail using SMTP on the Exchange Server it takes what seems like a very long time.

There are several reasons this might happen. When the SMTP service in Exchange receives a request to forward mail from your SquirrelMail machine, it wants to determine a hostname for the machine. In keeping with NT name resolution convention it will attempt the following to find a name:

  1. See if it is itself.
  2. Check the local hosts file.
  3. Check DNS for a hostname for the IP address.
  4. Do an NBNS lookup for the machine.

If the SquirrelMail machine isn't in the NT Server's HOSTS file or the SquirrelMail machine's name can't be found with the reverse DNS lookup, it will resort to finding a NetBIOS name by querying the SquirrelMail machine three times, waiting 1.5 - 2.0 seconds each time for a response, adding 4.5 - 6.0 seconds. Either add the SquirrelMail machine to the Exchange Server's HOSTS file (best), be sure the hostname can be retrieved via reverse DNS (better), or, if you don't want a HOSTS file or reverse DNS, install Samba on the SquirrelMail machine so that it can respond.

I have multiple servers in my Exchange organization. I can login but not see any mail or get errors concerning a missing mailbox. What could be wrong?

You need IMAP referral in your Exchange implementation. Microsoft's implementation of IMAP referral is somewhat incomplete in Exchange 5.5. In order to use SquirrelMail in this manner you could do a few things.

  • Use the Virtual Host Login (vlogin) plugin (http://squirrelmail.org/plugin_view.php?id=47). This plugin can be configured to point to different Exchange servers based on the username, the domain, or any combination thereof. Please review the plugin documentation carefully.
  • Use parallel installs of SquirrelMail on the same Linux machine to point to each Exchange server. You would have to use a virtual website setup with the Linux webserver in order to do this. This type of setup is beyond the scope of this document. Some experimentation would be in order, please contact the maintainer if you attempt this.
  • Use Microsoft's partial IMAP referral implementation. This would involve replicating mailboxes across all servers you want to participate in the referral process. Detailed information concerning this process can be found in the following TechNet article:

http://support.microsoft.com/support/kb/articles/Q217/3/88.ASP

Despite what the TechNet article says, mailbox replication does not exist in Exchange. A better approach would be to support referrals in SquirrelMail. This is quite easy and in fact I have it working on an experimental basis. My Exchange server responds with

? OK [REFERRAL imap://lawco%2Fwvogel;AUTH=*@durban-1.gibb.co.za/] LOGIN completed.

This gives us the server to log in to. Here's my code snippet from imap_general.php.

$read = sqimap_run_command ($imap_stream, $query, false, $response, $message);
/* Check for Exchange referrals */
if (strpos($message,"REFERRAL") > 0) {
  $start_pos = strpos($message,"AUTH=*@");
  $end_pos = strpos($message, "/");
  if ($start_pos && $end_pos ) {
    $imap_server_address = substr($message,$start_pos+7,$end_pos-($start_pos+7));
    sqimap_logout($imap_stream);
    $imap_server_address = $response_text;
    $imap_stream = sqimap_login ($username, $orig_password, $imap_server_address, $imap_server_address, $imap_port, $hide);
    return $imap_stream;
  }
}

Added by Miguel

A comment on the code above regarding referral: it did not work for me, so I modified it. I changed the search string, added code to keep the original password so it was passed correctly, and removed the extra variable that was passed to the login function. Now I correctly log onto either of the Exchange servers we have. Here is the snippet of code.

/* Decrypt the password */
$orig_password = $password;   /* keep the decrypted password for the second login */
$read = sqimap_run_command ($imap_stream, $query, false, $response, $message);
/* Check for Exchange referrals */
if (strpos($message,"REFERRAL") > 0 ) {
  $start_pos = strpos($message,"AUTH=*@");
  $end_pos = strpos($message, "/]");   /* "/]" closes the referral URL */
  if ($start_pos && $end_pos ) {
    $imap_server_address = substr($message,$start_pos+7,$end_pos-($start_pos+7));
    sqimap_logout($imap_stream);
    $imap_stream = sqimap_login($username,$orig_password,$imap_server_address, $imap_port, $hide);
    return $imap_stream;
  }
}
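As an added example (not code from the original page or from the SquirrelMail project), here is a parser for that REFERRAL response that replaces the strpos arithmetic in both referral snippets above. Because following a referral re-sends the user's password to whatever host the response names, the function only returns targets that are on an allow-list of servers you operate; the function name, the $allowed_hosts list and the sample responses are my own assumptions.

```php
<?php
/*
 * Added example, not SquirrelMail code: parse the REFERRAL response code that
 * Exchange returns to LOGIN, e.g.
 *   ? OK [REFERRAL imap://lawco%2Fwvogel;AUTH=*@durban-1.gibb.co.za/] LOGIN completed.
 * The URL has the RFC 2192 shape imap://[user[;AUTH=type]@]host[:port]/
 */

/*
 * Return array('host' => ..., 'port' => ...) for the server named in a
 * referral, or null when $message carries no referral or names a host that
 * is not in $allowed_hosts (the caller should then report an error rather
 * than log in to an unknown server with the user's credentials).
 */
function sqimap_parse_exchange_referral($message, $allowed_hosts, $default_port = 143) {
    // Skip the optional user;AUTH=* part, capture the host and an optional :port.
    if (!preg_match('#\[REFERRAL\s+imap://(?:[^@\s/]*@)?([A-Za-z0-9.-]+)(?::(\d+))?/?\]#i',
                    $message, $m)) {
        return null;
    }
    $host = strtolower($m[1]);
    $port = (isset($m[2]) && $m[2] !== '') ? (int) $m[2] : $default_port;
    // Host names are case-insensitive, so compare the lower-cased forms.
    if (!in_array($host, array_map('strtolower', $allowed_hosts), true)) {
        return null;
    }
    return array('host' => $host, 'port' => $port);
}

/* Constructed sample responses: a referral with AUTH=*, one with an explicit
 * port, one to a host outside the allow-list, and a plain LOGIN completion. */
$samples = array(
    '? OK [REFERRAL imap://lawco%2Fwvogel;AUTH=*@durban-1.gibb.co.za/] LOGIN completed.',
    '? OK [REFERRAL imap://user@mail2.example.org:1143/] LOGIN completed.',
    '? OK [REFERRAL imap://user@mail.elsewhere.example/] LOGIN completed.',
    '? OK LOGIN completed.',
);
$allowed = array('durban-1.gibb.co.za', 'mail2.example.org');   // servers we operate
foreach ($samples as $s) {
    $ref = sqimap_parse_exchange_referral($s, $allowed);
    echo ($ref === null) ? "no referral followed\n"
                         : "follow referral to {$ref['host']}:{$ref['port']}\n";
}
```

In imap_general.php the returned host and port would be handed to sqimap_login after sqimap_logout, exactly where the snippets above assign $imap_server_address.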

After I got LDAP setup and working with the GAL, I get an "Administrative Limit Exceeded" error when I search the GAL via SquirrelMail with a "*" to list all entries. What's wrong?

In the Exchange Administrator, under Protocols -> LDAP -> Search tab, you need to configure LDAP to return a number of search results greater than the number of entries in your GAL. Be very careful if you have a large GAL as you WILL return all entries. Several thousand could result in many megabytes of data being transferred.

Error message 'Bad or malformed request. Query: Server responded: Protocol Error: "Illegal command specified for UID command"' is displayed when trying to view any folder with messages in it.

The Exchange 5.5 IMAP implementation does not support the UID command the way SquirrelMail is using it. Change $uid_support to false in config.php.

Error message 'Bad or malformed request. Query: Server responded: Protocol Error: "Unidentifiable command specified"' is displayed when trying to view any folder with messages in it.

The Exchange 5.5 IMAP implementation does not support server-side sorting. Change $allow_server_sort to false in config.php.

English Exchange 5.5 server and English Outlook client working settings (YMMV)

Working settings in config.php:

$imap_server_type               = 'exchange';
$optional_delimiter             = '.';
$default_folder_prefix          = '';
$trash_folder                   = 'Deleted Items';
$sent_folder                    = 'Sent Items';
$draft_folder                   = 'Drafts';
$show_contain_subfolders_option = false;
$force_username_lowercase       = true;
$allow_thread_sort              = false;
$allow_server_sort              = false;
$allow_charset_search           = false;
$uid_support                    = false;

Exchange 2003 (IMAP4) server settings

The default 'exchange' config settings didn't seem to work for my setup, so here's what I had to do to get things working:

$imap_server_type               = 'exchange';
$optional_delimiter             = '';
$default_folder_prefix          = '';
$trash_folder                   = 'Deleted Items';
$sent_folder                    = 'Sent Items';
$draft_folder                   = 'Drafts';
$show_contain_subfolders_option = false;
$force_username_lowercase       = true;
$allow_thread_sort              = false;
$allow_server_sort              = false;
$allow_charset_search           = false;
$uid_support                    = false;

Messages with attachments not showing in Exchange

See Microsoft Knowledge Base article KB266286.


Other useful items:

TechNet Articles

  • Protocol Authentication on Exchange Server [1]
  • How to Stop Internet Mail Service from Relaying Junk E-mail Without Preventing Other Mail Services [2]
  • Verifying Basic IMAP Connectivity Using Telnet [3]
  • How to Activate Protocol Logging for POP3 and IMAP4 [4]
  • Folder with Slash Mark (/) Cannot Be Seen By IMAP4 Clients [5]
  • Internet Message Access Protocol Clients Unable to See Attachments [6]
  • Store Crashes When Rich Text Is Enabled over the IMAP4 Protocol [7]
  • IMAP4 Client/Server Commands [8]
  • Unique Alias Name Required for POP3/IMAP4 Client Logons [9]
© 1999-2010 by The SquirrelMail Project Team