[SATLUG] Securing Squirrelmail

Channing Channing.ML at ChanningC.com
Tue May 15 22:45:47 CDT 2007


Luis Garza wrote:
> I was lurking at the squirrelmail mail list and reading about securing 
> it.
>
> I noticed that when I do log into my mail server, it is done via 
> http:// on port 80.
> I noticed that it was not secured.
>
> I installed wireshark and monitored my traffic.
> I noticed that my username and password were sent in clear ASCII text.
>
> As I kept monitoring, I also noticed that whenever it would check mail,
> it would send the username and password again in clear ASCII text.
>
> So anyone monitoring a mail server's traffic can get anybody's username
> and password.
>
> I am wondering ... why isn't this installed on port 443 by default???
>
> Are there any other ways for securing the login process for squirrelmail?
>
Hi Luis,

Here's what I've implemented in the past to ensure the session only 
communicates over a secure connection.  In setting this up, I came to 
realize there were a few different ways to get to the end goal of 
ensuring SSL only, so you may find another person's suggestions more to 
your liking.

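   <DirectoryMatch ".+webmail.+">
      RewriteEngine On
      # Only act on requests that did not arrive over SSL
      RewriteCond %{HTTPS} !=on
      # No leading slash in the pattern: per-directory rules never see one
      RewriteRule ^ https://example.com/webmail [R,L]
   </DirectoryMatch>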

HTH,
Channing

-- 
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
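
Added example, not part of the original post: a Python check that flags the kind of capture Luis describes, a login form POST that is readable on port 80. The field names login_username and secretkey, the path /webmail/src/redirect.php and the sample bytes are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Assumed names of the login form fields; adjust to the install being checked.
CREDENTIAL_FIELDS = {"login_username", "secretkey"}

# Constructed sample: a reassembled TCP payload as a sniffer would show it on port 80.
SAMPLE_CAPTURE = (
    b"POST /webmail/src/redirect.php HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"login_username=alice&secretkey=s3cret"
)


def find_cleartext_credentials(payload: bytes):
    """Return a finding if payload is a readable HTTP form POST with credential fields."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None  # no header/body boundary: not plain HTTP (e.g. a TLS record)
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "POST" or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    exposed = sorted(CREDENTIAL_FIELDS & fields.keys())
    if not exposed:
        return None
    # Report field names only, never the captured values.
    return {"host": headers.get("host", ""), "path": parts[1], "exposed_fields": exposed}


if __name__ == "__main__":
    print(find_cleartext_credentials(SAMPLE_CAPTURE))
```

Once the redirect to https:// is in place, the same login arrives as TLS records and the function returns None for it.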


