Merge of Steve Brown's patch
[squirrelmail.git] / doc / security.txt
CommitLineData
962a6686 1Securing Your SquirrelMail Setup
2--------------------------------
3
4We try to make SquirrelMail as secure as possible, but the security of
5an install depends on a lot of factors. This file lists some tips to
6further improve the security of your webmail system.
7
8- PHP configuration. It's very important to turn register_globals OFF.
9 The majority of security issues discovered in SquirrelMail in the past
10 could only be exploited when register_globals was set to on. If you
11 need register_globals for other web applications, turn it on specifically
12 for those apps.
13
14- HTTPS/SSL Logins. SquirrelMail runs fine over an https / SSL connection,
15 and it's not that hard to set one up.
16
17- Data dir / attachment dir. Make sure that you've set these up with the
18 right permissions (only for the webserver user) and that they're outside
19 of your webserver's document root. See INSTALL for details.
20
21- IMAPS / TLS. If your IMAP server is not on the same host as SquirrelMail,
22 you can configure SquirrelMail to use an encrypted connection to your
23 IMAP server. Note that this makes no sense if both are on the same machine.
24 See doc/authentication.txt for info.
25
26- Subscribe to the squirrelmail-announce mailinglist to be informed about new
27 releases which may fix security bugs. If you run SquirrelMail packaged by
28 your distribution, make sure to apply their security upgrades.
29
30
31These are only some tips to get you started. A truly secure system needs
32careful tweaking of all components, including PHP, Apache, mailserver,
33the underlying OS, which users can login, etc. Searching the web will turn
34up lots of information.
35
36
37$Id$