- Add doc/security.txt with some hints for a more secure installation.

Feel free to improve/expand on this.
- Add some info to INSTALL about register_globals

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10428 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/ChangeLog b/ChangeLog
index a21a6ffcb261f2623493a2ea7989c9a361254a8f..122055781c147f985dd7c84eb62c8da7a7821260 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -494,6 +494,7 @@ Version 1.5.1 -- CVS
   - Fixed ContentType object check in Rfc822Header class. E_NOTICE error
     in PHP 5.1.
   - Key value being overwritten by reuse of var in filters plugin.
+  - Add doc/security.txt with some hints for a more secure installation.
 
 Version 1.5.0 - 2 February 2004
 -------------------------------

diff --git a/INSTALL b/INSTALL
index 049f6e67fcc29f71aa061abd23495d71a78117d6..d7d1457c7f79f0a652f0bcc38678da19ea9fc20b 100644 (file)
--- a/INSTALL
+++ b/INSTALL
@@ -69,6 +69,10 @@ Each of these steps is covered in detail below.
     Required for Japanese translation. Optional for translations that
     use non-ISO-8859-1 charset
 
+  It is highly advised to NOT turn on register_globals, as this can lead
+  to security holes. If you must use register_globals for some applications,
+  turn it on locally for only those directories, or turn it off for the
+  SquirrelMail folder.
   If you want your users to attach files to their mails, make sure
   File Uploads in php.ini is set to On.
 

diff --git a/doc/security.txt b/doc/security.txt
new file mode 100644 (file)
index 0000000..3711dcf
--- /dev/null
+++ b/doc/security.txt
@@ -0,0 +1,37 @@
+Securing Your SquirrelMail Setup
+--------------------------------
+
+We try to make SquirrelMail as secure as possible, but the security of
+an install depends on a lot of factors. This file lists some tips to
+further improve the security of your webmail system.
+
+- PHP configuration. It's very important to turn register_globals OFF.
+  The majority of security issues discovered in SquirrelMail in the past
+  could only be exploited when register_globals was set to on. If you
+  need register_globals for other web applications, turn it on specifically
+  for those apps.
+
+- HTTPS/SSL Logins. SquirrelMail runs fine over an https / SSL connection,
+  and it's not that hard to set one up.
+
+- Data dir / attachment dir. Make sure that you've set these up with the
+  right permissions (only for the webserver user) and that they're outside
+  of your webserver's document root. See INSTALL for details.
+
+- IMAPS / TLS. If your IMAP server is not on the same host as SquirrelMail,
+  you can configure SquirrelMail to use an encrypted connection to your
+  IMAP server. Note that this makes no sense if both are on the same machine.
+  See doc/authentication.txt for info.
+
+- Subscribe to the squirrelmail-announce mailinglist to be informed about new
+  releases which may fix security bugs. If you run SquirrelMail packaged by
+  your distribution, make sure to apply their security upgrades.
+
+
+These are only some tips to get you started. A truly secure system needs
+careful tweaking of all components, including PHP, Apache, mailserver,
+the underlying OS, which users can login, etc. Searching the web will turn
+up lots of information.
+
+
+$Id$