Securing Your SquirrelMail Setup
--------------------------------

We try to make SquirrelMail as secure as possible, but the security of
an install depends on a lot of factors. This file lists some tips to
further improve the security of your webmail system.

- PHP configuration. It's very important to turn register_globals OFF.
  The majority of security issues discovered in SquirrelMail in the past
  could only be exploited when register_globals was set to on. If you
  need register_globals for other web applications, turn it on specifically
  for those apps.

- HTTPS/SSL Logins. SquirrelMail runs fine over an https / SSL connection,
  and it's not that hard to set one up.

- Data dir / attachment dir. Make sure that you've set these up with the
  right permissions (only for the webserver user) and that they're outside
  of your webserver's document root. See INSTALL for details.

- IMAPS / TLS. If your IMAP server is not on the same host as SquirrelMail,
  you can configure SquirrelMail to use an encrypted connection to your
  IMAP server. Note that this makes no sense if both are on the same machine.
  See doc/authentication.txt for info.

- config.php. Some options in conf.pl / config.php allow for passwords to
  be set in that file, e.g. the addressbook/preferences DSN, and LDAP
  addressbooks. When setting a sensitive password, check that config.php
  is not readable for untrusted system users, and consider the possibility
  of it being read by other users of the same webserver.

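The data dir / attachment dir tip and the config.php tip both come down to the same check: the path must be owned by the webserver user, carry no group or other permission bits, and (for the data directories) sit outside the document root. The script below is an added example, not part of SquirrelMail; it assumes the path, the document root and the expected owner are passed as arguments, and that `stat` is the GNU (or BSD, via the fallback) variant. Symlinks are resolved before the document-root comparison so that a data directory linked from inside htdocs is still caught.

```shell
#!/bin/sh
# Added example (not SquirrelMail code): verify that a data/attachment
# directory or config.php is private to the webserver user and, for
# directories, outside the document root.

# Canonical absolute path of a directory (symlinks resolved).
canon_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# "owner mode" for a path; GNU stat first, BSD stat as fallback.
owner_and_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

# check_private_path PATH DOCROOT OWNER
#   Returns 0 when PATH is owned by OWNER, has no group/other bits, and is
#   not located under DOCROOT. Each problem found is printed.
check_private_path() {
    path="$1"; docroot="$2"; owner="$3"

    if [ -d "$path" ]; then
        real=$(canon_dir "$path") || { echo "cannot resolve $path"; return 2; }
    elif [ -f "$path" ]; then
        dir=$(canon_dir "$(dirname "$path")") || { echo "cannot resolve $path"; return 2; }
        real="$dir/$(basename "$path")"
    else
        echo "$path does not exist"; return 2
    fi
    rootreal=$(canon_dir "$docroot") || { echo "cannot resolve $docroot"; return 2; }

    rc=0
    # Prefix match on the resolved paths (assumes DOCROOT is not "/").
    case "$real/" in
        "$rootreal"/*)
            echo "$real is inside the document root $rootreal"
            rc=1 ;;
    esac

    set -- $(owner_and_mode "$real")
    actual_owner=$1; mode=$2
    if [ "$actual_owner" != "$owner" ]; then
        echo "$real is owned by $actual_owner, expected $owner"
        rc=1
    fi
    # Octal mode must end in 00: nothing for group or other
    # (0700 for directories, 0600 for config.php).
    case "$mode" in
        *00) ;;
        *)  echo "$real has mode $mode: remove group/other access"
            rc=1 ;;
    esac

    if [ $rc -eq 0 ]; then echo "$real OK"; fi
    return $rc
}

# Run directly: check_private_path.sh /var/local/squirrelmail/data /var/www www-data
if [ "$#" -eq 3 ]; then
    check_private_path "$1" "$2" "$3"
fi
```

For config.php the owner to pass is whoever the PHP interpreter runs as; on a shared server where several sites run under the same webserver account, a file-mode check alone cannot separate those sites, which is the second caveat the text raises.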
- Subscribe to the squirrelmail-announce mailing list to be informed about new
  releases which may fix security bugs. If you run SquirrelMail packaged by
  your distribution, make sure to apply their security upgrades.

- If you use SELinux, SquirrelMail will not work unless you create a policy
  for it. In the SELinux Policy Editor, under HTTPD Service, enable
  "allow HTTPD scripts and modules to connect to the network".

These are only some tips to get you started. A truly secure system needs
careful tweaking of all components, including PHP, Apache, the mail server,
the underlying OS, which users can log in, etc. Searching the web will turn
up lots of information.


$Id$