
Installing from an RPM file on Red Hat or Fedora is usually faster and easier than installing from sources. However, it wasn't immediately obvious to me what happened once I had installed the .rpm on Fedora Core 1. I had no idea where the files went. Hopefully this document will be useful for others and save them some time and the ire of the mailing list.

Download the .rpm file!

Log in as root to install it:

rpm -i /path/to/your/file/squirrelmail-1.4.2-1.noarch.rpm

To see what files were installed:

rpm -q squirrelmail-1.4.2-1 -l

SquirrelMail is installed in /usr/share/squirrelmail.

Some directories for queuing and attachments are set up in /var/lib.

Config files are in /etc/squirrelmail

A config file for httpd is added to /etc/httpd/conf.d. This aliases /webmail to the SquirrelMail install directory.

A cron job is set up to purge the attachments directory daily in /etc/cron.daily/squirrelmail.cron.

Run /usr/share/squirrelmail/config/conf.pl.

Make sure the IMAP server settings are correct.

You'll need to restart httpd to load the new config settings:

/etc/init.d/httpd restart

Now that you know where to find the files, go back and read the other install documents.


<Randeep / start:>

Note:

Before installing SquirrelMail on a Red Hat system it is worth checking if it is already there!

On Red Hat 9 (full installation) I found that it was already there. The best way to check is:

type

rpm -qi squirrelmail

If you do find it then to access it (after doing all the config instructions above) type the following into your browser:

www.yourdomain.com/webmail

(note that /etc/httpd/conf.d/squirrelmail.conf sets the alias 'webmail' )

If you find after typing a userid and password that you can't log on, check the hosts.allow file to ensure that you are providing access to imap. ( /etc/hosts.allow - check for imapd )

<end>


I used SquirrelMail with Red Hat Enterprise Linux V3.0. The RPM was installed by default. Here is what I did to get it working correctly:

1) Ran /usr/share/squirrelmail/config/conf.pl. Left the server settings to localhost.

2) /etc/hosts.allow: imapd: LOCAL (This allows local host to access IMAPD)

3) /etc/hosts.deny: imapd: ALL (Nobody else can access it)

Note: I wanted to prevent people from using unsecured IMAP from their client machines to the server. Instead, they are forced to use the web interface.

Then in the browser I went to https://example.com/webmail and it worked perfectly.


Note that this also prevents people from using imaps. If you want to permit people to use imaps or https and SquirrelMail:

Move:

Alias /webmail /usr/share/squirrelmail

from /etc/httpd/conf.d/squirrelmail.conf

into an HTTPS secured virtual server, e.g. in ssl.conf, and in your iptables configuration permit imaps (993) and https(443), but imap(143) only from 127.0.0.1. E.g.

-A INPUT -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i lo -j ACCEPT

Your needs may vary - e.g. you may want imap, imaps, http, or https locally, but only want imaps or https from the Internet, and so on.

The big problem with using /etc/hosts.allow and /etc/hosts.deny is that when you block imapd, you do it for both imap and imaps, even if you only want to block imap.

Wrolf ([email protected])


Actually, you may prefer to use hosts.allow/deny instead of iptables. The keyword imapd doesn't work because it is associated with both ports (in /etc/services or equivalent depending on the distribution). You can however use port numbers in hosts.allow/deny to selectively deny port 143 for imap and allow port 993 for imaps. For the example above:

  • In /etc/hosts.allow:
    • 143: LOCAL
    • 993, 443: ALL
    • Others (http, smtp...)
  • In /etc/hosts.deny:
    • ALL: ALL

This way you don't have to touch iptables.

Paulo


Allowing directory:

After the RPM install, I personally had to modify the /etc/httpd/conf.d/squirrelmail.conf file so that it would contain:

<Directory "/usr/share/squirrelmail">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
Alias /webmail /usr/share/squirrelmail

Then, after restarting httpd with 'service httpd restart' it worked fine.

This is necessary if you have put in a directive that prevents the whole root directory from being accessed (safer).

Daniel


CentOS 4:

It is important to know that on CentOS 4 (RHEL4), you need to use the dovecot imapd service and not the cyrus-imapd service if you want to access traditional mailboxes (/var/spool/mail).

So you have to disable Cyrus and enable Dovecot like this:

service cyrus-imapd stop
chkconfig cyrus-imapd off

Edit your /etc/dovecot.conf file and just set the protocol you want to be served with this line:

protocols = imap imaps pop3 pop3s

And then start Dovecot this way:

service dovecot restart
chkconfig dovecot on

Check that the server is on by typing:

nmap localhost

You should see the services running.

Daniel


The only thing I had to do to get SquirrelMail working on my vanilla Red Hat 9 after installing the RPM that came with Red Hat 9 was to turn on imapd. By using the "nmap localhost" command I could see that imap was not working, even though it was in my /etc/services file and I was allowing connections to its port (143) in /etc/sysconfig/iptables. There was already the alias /webmail /usr/share/squirrelmail line in the /etc/httpd/conf/httpd.conf file and Apache was already set to run (service httpd start). I did not have to mess with /etc/hosts.allow or /etc/hosts.deny.

The missing piece was that I had to edit the file /etc/xinetd.d/imap and change the line that said disable = yes to disable = no, save the file, then restart xinetd (service xinetd restart). The next time I ran nmap localhost I saw that imap was working.

Then when I next tried to use SquirrelMail (by going to http://localhost/webmail) I was able to log in and everything worked.

I decided to use a secure connection only to SquirrelMail so I moved the alias line from /etc/httpd/conf/httpd.conf to /etc/httpd/conf.d/ssl.conf in the VirtualHost section for port 443, after the DocumentRoot line. I edited the ServerName and ServerAdmin lines in the VirtualHost section to correctly reflect my server's name and my email address, then restarted Apache with "service httpd restart".

Check out the full instructions at http://www.ccl.net/cca/software/UNIX/webmail-on-redhat/README.shtml

I was able to connect to https://localhost/webmail and use only a secure connection. In /etc/sysconfig/iptables I changed the entry for port 443 to allow inbound connection from all IP addresses so I could use this from anywhere.
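
Added example, not part of the original wiki notes or the SquirrelMail project: a small shell lint for the two settings the notes above converge on, namely that the /webmail alias lives only inside the port-443 virtual host and that plain IMAP (143) is accepted only from loopback. The function names and the sample files are constructed for illustration, and the checks are text heuristics that assume the HTTPS virtual host listens on port 443 and the firewall rules are in /etc/sysconfig/iptables format.

```shell
#!/bin/sh
# Added example: text lint for the two settings discussed in the notes above.
# Heuristic only: it does not evaluate rule order, default policy or SSLEngine.

# Print "file:line" for each "Alias /webmail" outside a <VirtualHost ...:443> block.
# Assumption: the HTTPS virtual host listens on port 443, as in ssl.conf.
webmail_alias_outside_tls() {
    awk '
        FNR == 1   { in_tls = 0 }
        /^[ \t]*#/ { next }
                   { l = tolower($0) }
        l ~ /^[ \t]*<virtualhost[ \t].*:443[ \t>]/ { in_tls = 1; next }
        l ~ /^[ \t]*<\/virtualhost>/               { in_tls = 0; next }
        l ~ /^[ \t]*alias[ \t]+\/webmail[ \t]/ && !in_tls { print FILENAME ":" FNR }
    ' "$@"
}

# Print ACCEPT rules for plain IMAP (port 143) that are not limited to loopback,
# reading a rules file in /etc/sysconfig/iptables format.
imap_143_open_rules() {
    grep -E -- '^-A [^ ]*INPUT .*--dport 143( |$)' "$1" |
        grep -E -- '-j ACCEPT( |$)' |
        grep -Ev -- '(-s 127\.0\.0\.1(/32)?|-i lo)( |$)' || true
}

# Constructed sample files (not taken from a real host).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Alias /webmail /usr/share/squirrelmail' > "$d/squirrelmail.conf"
    printf '%s\n' '<VirtualHost _default_:443>' 'DocumentRoot "/var/www/html"' \
        'Alias /webmail /usr/share/squirrelmail' '</VirtualHost>' > "$d/ssl.conf"
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT' \
        > "$d/iptables"
    echo "webmail alias outside the HTTPS virtual host:"
    webmail_alias_outside_tls "$d/squirrelmail.conf" "$d/ssl.conf"
    echo "rules accepting plain IMAP from non-loopback sources:"
    imap_143_open_rules "$d/iptables"
    rm -rf "$d"
}
demo
```

On a real host, pass the files under /etc/httpd/conf.d (and httpd.conf) to the first function and /etc/sysconfig/iptables to the second; empty output from both means neither heuristic found a problem.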

© 1999-2016 by The SquirrelMail Project Team