SquirrelMail  
Donations
News
About
Support
Screen shots
Download
Plugins
Documentation
Sponsors
Bounties













Security Notice
Phishing campain
Version 1.4.15
Security Upgrade

uw-imapd server disables plain text logins by default in 2002 or newer versions. This was done upstream to follow security recommendations by IETF (The Internet Engineering Task Force).

You can see this by telneting to your imap server and checking for LOGIN=DISABLED string in CAPABILITY description.

SquirrelMail uses plain text logins by default. However, SquirrelMail does support IMAP-SSL in combination with PHP 4.3.x or higher. You can also use stunnel to connect SquirrelMail to an SSL enabled IMAP server as an alternative. Or you can just enable "Secure IMAP (TLS)" in your config if your IMAP server supports TLS.

If you use SSL, your IMAP-SSL server must listen on a different port. Other programs support STARTTLS on the default IMAP port, but SquirrelMail can't do that due to specific limitations of PHP SSL module and SquirrelMail IMAP implementation. You may be able to use the IMAPS port of 993.

Using any of these options will make it so you don't have to rebuild uw-imapd from source or be non-compliant with current IETF security requirements.

http://www.apps.ietf.org/rfc/rfc2192.html

http://www.apps.ietf.org/rfc/rfc2831.html#sec-3.2

In order to enable plain text logins in uw-imapd, you will need to use the semi-official /etc/c-client.cf

See doc/imaprc.txt for further information. You specifically want to:

set disable-plaintext nil

Please remember that you must use specific phrase in first line of /etc/c-client.cf. This phrase does not look like normal option, but uw imap will refuse to parse other options, if this phrase is not present. Correct sentence can be found in uw imap source or imaprc.txt document.

WARNING: uw imap developers discourage usage of /etc/c-client.cf options because plaintext authentication without encryption is in violation of the IETF security requirements.

The rebuild documentation for uw-imapd is here:

http://www.washington.edu/imap/documentation/BUILD.html

OS specific notes

  • Debian Sarge - Plain text logins are not enabled. See bugs [227709], [239537] and [273687]. Create c-client.cf file manually or dpkg-reconfigure uw-imapd, enable IMAPS and set SquirrelMail to use IMAP over SSL or use different IMAP server.
  • FreeBSD - You must recompile cclient and imap-uw packages from ports and set WITHOUT_SSL or WITH_SSL_AND_PLAINTEXT variables. You must remove prepackaged versions of imap-uw and cclient before doing this. If you don't want to recompile - enable plain text login in /etc/c-client.cf.

cd /usr/ports/mail/imap-uw

env WITH_SSL_AND_PLAINTEXT=YES make

If your server already has cclient installed, this approach will not work. You will need to remove your cclient library package before installing the imap-uw package.

Please note, that if your imap server is on the same host as webserver with SquirrelMail, ssl adds security features that are useless. During connection to localhost password information is not transmited over unsafe network. If you want to secure your IMAP server, bind it to localhost address only or use tcpwrappers or firewall to disable external connections.

© 1999-2010 by The SquirrelMail Project Team