>> You haven't provided enough details.
>>
>> Do you use an SSL-encrypted HTTP connection? Is the connection encrypted in
>> the browser? What security algorithms are supported by the browser?
>>
> Ok, I used https and a certificate was installed. However, do I need
> https even if SquirrelMail is using the OpenSSL module? And when I ran
> configtest.php, I came across the following message:
>
> ERROR: You have enabled TLS encryption in the config, but the server does
> not report STARTTLS capability. TLS is probably not supported.
SquirrelMail uses the PHP OpenSSL extension in secure IMAP and SMTP connections. The PHP OpenSSL extension does not secure HTTP traffic coming to your server.

In webmail interfaces, user and password information is transferred in two places:

1. Using the HTTP protocol from the browser to the webserver. In order to secure it, you need an SSL-enabled webserver. If the webserver uses strong encryption, you might have to update the browser or crypto libraries on the client machine. Older OSes and Netscape browser versions didn't include strong crypto due to USA export regulations.

2. Using the IMAP protocol from the webserver to the IMAP server. Authentication can be secured with STARTTLS, CRAM-MD5, IMAPS and some other authentication protocols.

   STARTTLS allows starting TLS encryption in an existing plain text connection. SquirrelMail does not support STARTTLS.

   CRAM-MD5 uses a special challenge/response protocol (RFC 2195). SquirrelMail supports it, but you must store the plaintext password on the IMAP server in order to use it.

   IMAPS is the IMAP service secured by an SSL layer. In order to use it you must change the IMAP port _and_ the Secure IMAP setting in the SquirrelMail IMAP configuration. Currently these settings don't depend on each other. You can create an invalid configuration with the IMAP port set to 143 and Secure IMAP enabled.

Please note that when the IMAP server is on the same host as the web server, you are trying to secure a local connection. The password is not transferred over an insecure network. If some bad guy is sniffing the local interface, you should take your compromised server offline. Only the admin user can sniff the local interface.

Other possible security issues: authenticated SMTP and pop-before-smtp connections, database connections in a DB-based setup, http/ftp/ldap/poppass/sql connections in the change password and vacation plugins, authenticated LDAP address book connections, POP3 connections in the mail_fetch plugin, and other network connections initiated by third party plugins.

Think.
Draw a diagram that shows all webmail components and find the ones that are vulnerable.

--
Tomas

--
squirrelmail-users mailing list
Posting Guidelines: http://squirrelmail.org/wiki/wiki.php?MailingListPostingGuidelines
List Address: squirrelmail-users@lists.sourceforge.net
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
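The reply above describes two checks an admin would want automated: the invalid "port 143 with Secure IMAP enabled" combination, and the configtest.php complaint about a missing STARTTLS capability. The script below is an added example, not code from the thread or from SquirrelMail; the CAPABILITY response lines are constructed, and the setting names `imap_port` / `secure_imap` are mine (the real config.php keys are not quoted in the thread).

```python
import re

# Constructed IMAP CAPABILITY responses (not captured from any real server).
CAP_PLAIN_ONLY = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"
CAP_STARTTLS = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5"


def parse_capabilities(line: str) -> set:
    """Turn an untagged '* CAPABILITY ...' response into a set of upper-cased tokens."""
    m = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {tok.upper() for tok in m.group(1).split()}


def check_imap_config(imap_port: int, secure_imap: bool, capability: str) -> list:
    """Return findings for a SquirrelMail-style IMAP setting pair plus the server's
    advertised capabilities. Setting names are assumed, not SquirrelMail's own."""
    caps = parse_capabilities(capability)
    findings = []

    # The thread's invalid combination: IMAPS enabled but still on the plain port.
    if secure_imap and imap_port == 143:
        findings.append("ERROR: Secure IMAP enabled but IMAP port is 143; IMAPS normally uses 993")

    # Mirrors the configtest.php message quoted in the thread.
    if secure_imap and "STARTTLS" not in caps:
        findings.append("ERROR: TLS enabled in config but server does not report STARTTLS capability")

    if not secure_imap:
        if "AUTH=CRAM-MD5" in caps:
            # Password never crosses the wire in clear, but is stored in plaintext server-side.
            findings.append("INFO: CRAM-MD5 available; server must store plaintext passwords to use it")
        else:
            findings.append("WARNING: credentials travel in plain text on port %d" % imap_port)
    return findings


if __name__ == "__main__":
    for port, secure, cap in [(143, True, CAP_PLAIN_ONLY), (993, True, CAP_STARTTLS),
                              (143, False, CAP_STARTTLS), (143, False, CAP_PLAIN_ONLY)]:
        print(port, secure, check_imap_config(port, secure, cap))
```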