From 962a6686cb2cb8a74ca598ef555dc50a1b8a2742 Mon Sep 17 00:00:00 2001 From: kink Date: Sun, 4 Dec 2005 00:11:49 +0000 Subject: [PATCH] - Add doc/security.txt with some hints for a more secure installation. Feel free to improve/expand on this. - Add some info to INSTALL about register_globals git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10428 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- ChangeLog | 1 + INSTALL | 4 ++++ doc/security.txt | 37 +++++++++++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+) create mode 100644 doc/security.txt diff --git a/ChangeLog b/ChangeLog index a21a6ffc..12205578 100644 --- a/ChangeLog +++ b/ChangeLog @@ -494,6 +494,7 @@ Version 1.5.1 -- CVS - Fixed ContentType object check in Rfc822Header class. E_NOTICE error in PHP 5.1. - Key value being overwritten by reuse of var in filters plugin. + - Add doc/security.txt with some hints for a more secure installation. Version 1.5.0 - 2 February 2004 ------------------------------- diff --git a/INSTALL b/INSTALL index 049f6e67..d7d1457c 100644 --- a/INSTALL +++ b/INSTALL @@ -69,6 +69,10 @@ Each of these steps is covered in detail below. Required for Japanese translation. Optional for translations that use non-ISO-8859-1 charset + It is highly advised to NOT turn on register_globals, as this can lead + to security holes. If you must use register_globals for some applications, + turn it on locally for only those directories, or turn it off for the + SquirrelMail folder. If you want your users to attach files to their mails, make sure File Uploads in php.ini is set to On. diff --git a/doc/security.txt b/doc/security.txt new file mode 100644 index 00000000..3711dcfb --- /dev/null +++ b/doc/security.txt 
@@ -0,0 +1,37 @@ +Securing Your SquirrelMail Setup +-------------------------------- + +We try to make SquirrelMail as secure as possible, but the security of +an install depends on a lot of factors. This file lists some tips to +further improve the security of your webmail system. + +- PHP configuration. It's very important to turn register_globals OFF. + The majority of security issues discovered in SquirrelMail in the past + could only be exploited when register_globals was set to on. If you + need register_globals for other web applications, turn it on specifically + for those apps. + +- HTTPS/SSL Logins. SquirrelMail runs fine over an https / SSL connection, + and it's not that hard to set one up. + +- Data dir / attachment dir. Make sure that you've set these up with the + right permissions (only for the webserver user) and that they're outside + of your webserver's document root. See INSTALL for details. + +- IMAPS / TLS. If your IMAP server is not on the same host as SquirrelMail, + you can configure SquirrelMail to use an encrypted connection to your + IMAP server. Note that this makes no sense if both are on the same machine. + See doc/authentication.txt for info. + +- Subscribe to the squirrelmail-announce mailinglist to be informed about new + releases which may fix security bugs. If you run SquirrelMail packaged by + your distribution, make sure to apply their security upgrades. + + +These are only some tips to get you started. A truly secure system needs +careful tweaking of all components, including PHP, Apache, mailserver, +the underlying OS, which users can login, etc. Searching the web will turn +up lots of information. + + +$Id$ -- 2.25.1
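Review bot: in the ChangeLog hunk the new entry "- Add doc/security.txt with some hints for a more secure installation." covers only half of this commit; the register_globals paragraph added to INSTALL is not mentioned, so someone reading the ChangeLog to see what changed in the install docs will miss it. Suggest extending the entry, e.g. "- Add doc/security.txt with some hints for a more secure installation, and a note about register_globals to INSTALL." Also a style point: the neighbouring entries are written in the past tense ("Fixed ContentType object check ..."), so "Added" would match the surrounding lines.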
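Review bot: in the INSTALL hunk the advice "turn it on locally for only those directories, or turn it off for the SquirrelMail folder" tells the admin what to do but not how, and that is the step most likely to go wrong. register_globals is a per-directory PHP setting, so the text could name the mechanism an Apache/mod_php admin would actually use: a `php_admin_flag register_globals off` inside the `<Directory>` block for the SquirrelMail tree in httpd.conf (or `php_flag register_globals off` in a .htaccess file where AllowOverride permits it). One sentence pointing to that, plus a hint to confirm the effective value with phpinfo() after the change, would make the recommendation checkable rather than aspirational.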
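Review bot: in the doc/security.txt hunk the "HTTPS/SSL Logins" bullet says SquirrelMail "runs fine over an https / SSL connection" but never says that the login form should be reachable only over HTTPS; as written, an admin can set up an SSL vhost and still leave the plain-HTTP login page serving passwords in the clear. Suggest adding a sentence such as "Configure the webserver so that the SquirrelMail directory is only served over https (redirect or deny plain http), otherwise usernames and passwords are sent unencrypted." The same bullet could mention that the session cookie should then only be sent over https. Minor wording in the same hunk: "mailinglist" should be "mailing list" and "which users can login" should be "which users can log in".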