Securing Your SquirrelMail Setup
--------------------------------

We try to make SquirrelMail as secure as possible, but the security of
an install depends on a lot of factors. This file lists some tips to
further improve the security of your webmail system.

- PHP configuration. It's very important to turn register_globals OFF.
  The majority of security issues discovered in SquirrelMail in the past
  could only be exploited when register_globals was set to on. If you
  need register_globals for other web applications, turn it on specifically
  for those apps.

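A quick way to confirm what PHP will actually use, as an added example that is not part of SquirrelMail: the function below reads a php.ini the way PHP does (comment lines ignored, last active assignment wins, built-in default Off when nothing sets it). The sample php.ini is constructed here to show the case a grep for "Off" would miss: a later line re-enabling the setting for another application.

```shell
#!/bin/sh
# Added example (not SquirrelMail code): report the effective register_globals
# setting from a php.ini file. Comment lines (';' or '#') are skipped, the last
# active assignment wins, and if nothing sets it PHP's own default applies
# (Off since PHP 4.2.0). [HOST=...]/[PATH=...] sections are not distinguished;
# a hit in any section is worth reviewing.
php_ini_register_globals() {
    awk '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^[;#]/ || /^$/ { next }               # skip comments and blank lines
        /^register_globals[ \t]*=/ {
            v = $0
            sub(/^register_globals[ \t]*=[ \t]*/, "", v)   # keep the value only
            sub(/[ \t]*;.*$/, "", v)                       # strip trailing comment
            sub(/[ \t]+$/, "", v)
            v = tolower(v)
            state = (v == "on" || v == "1" || v == "true" || v == "yes") ? "on" : "off"
        }
        END { print (state == "" ? "off" : state) }
    ' "$1"
}

# Constructed sample php.ini: the active line at the end re-enables the
# setting globally, which is exactly what a quick grep for "Off" would miss.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[PHP]
; register_globals = On
register_globals = Off
expose_php = Off
register_globals = On   ; added for a legacy app, applies to every vhost
EOF

state=$(php_ini_register_globals "$sample")
echo "register_globals is $state in $sample"
[ "$state" = "off" ] || echo "WARNING: turn register_globals off for SquirrelMail"
rm -f "$sample"
```

If a legacy application really needs the setting, scope it with mod_php's per-directory directives instead of php.ini: `php_admin_flag register_globals off` in the SquirrelMail `<Directory>` block and `php_admin_flag register_globals on` only in that application's block, so the global default stays off.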
- HTTPS/SSL Logins. SquirrelMail runs fine over an HTTPS/SSL connection,
  and it's not that hard to set one up.

- Data dir / attachment dir. Make sure that you've set these up with the
  right permissions (readable and writable by the webserver user only) and
  that they're outside of your webserver's document root. See INSTALL for
  details.

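Both conditions (owner and mode, and location relative to the document root) can be checked in one go. The function below is an added example, not SquirrelMail's own code; its arguments (directory, document root, expected owner such as www-data) and the temporary demo layout it builds are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not SquirrelMail code): check that a data or attachment
# directory is private to the web server user and outside the document root.
# Arguments: directory, document root, expected owner (e.g. www-data).
# Uses GNU stat (-c); BSD stat needs -f instead.

# Canonical path (resolves symlinks and ".."), or failure if it does not exist.
canon() { (cd "$1" 2>/dev/null && pwd -P); }

check_private_dir() {
    dir=$(canon "$1") || { echo "FAIL: missing directory: $1"; return 1; }
    docroot=$(canon "$2") || { echo "FAIL: missing document root: $2"; return 1; }
    owner="$3"
    rc=0
    # Anything under the document root can be fetched by URL; cached mail
    # and uploaded attachments must not live there.
    case "$dir/" in
        "$docroot"/*) echo "FAIL: $dir is inside the document root $docroot"; rc=1 ;;
    esac
    user=$(stat -c '%U' "$dir")
    mode=$(stat -c '%a' "$dir")
    [ "$user" = "$owner" ] || { echo "FAIL: $dir owned by $user, expected $owner"; rc=1; }
    # The last two octal digits are the group/other bits; both must be 0 (0700).
    case "$mode" in
        *00) ;;
        *) echo "FAIL: $dir mode $mode allows group/other access, expected 0700"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# Constructed demo layout in a temp dir: two correctly placed private
# directories and one wrongly placed under the document root.
base=$(mktemp -d)
mkdir -p "$base/htdocs/squirrelmail/data" "$base/sm-data/data" "$base/sm-data/attach"
chmod 700 "$base/sm-data/data" "$base/sm-data/attach"
me=$(id -un)   # stands in for the web server user in this demo
check_private_dir "$base/sm-data/data" "$base/htdocs" "$me"
check_private_dir "$base/sm-data/attach" "$base/htdocs" "$me"
check_private_dir "$base/htdocs/squirrelmail/data" "$base/htdocs" "$me"
rm -rf "$base"
```

Run it against the real paths from config.php (`$data_dir`, `$attachment_dir`) with the account your httpd runs as; a directory that passes here can still be exposed through an Alias or a symlink inside the document root, so keep the canonical path check honest by pointing it at the same document root Apache serves.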
- IMAPS / TLS. If your IMAP server is not on the same host as SquirrelMail,
  you can configure SquirrelMail to use an encrypted connection to your
  IMAP server. Note that this makes no sense if both are on the same machine.
  See doc/authentication.txt for info.

- Subscribe to the squirrelmail-announce mailing list to be informed about new
  releases which may fix security bugs. If you run SquirrelMail packaged by
  your distribution, make sure to apply their security upgrades.


These are only some tips to get you started. A truly secure system needs
careful tweaking of all components, including PHP, Apache, mailserver,
the underlying OS, which users can log in, etc. Searching the web will turn
up lots of information.


$Id$