doc/authentication.txt

   1 **********************************************
   2 IMAP AND SMTP AUTHENTICATION WITH SQUIRRELMAIL
   3 $Id$
   4 Chris Hilts tassium@squirrelmail.org
   5 **********************************************
   6
   7 Prior to SquirrelMail 1.3.3, only plaintext logins for IMAP and SMTP were
   8 supported.  With the release of SquirrelMail 1.3.3, support for the
   9 CRAM-MD5 and DIGEST-MD5 auth mechanisms has been added.  TLS support has
  10 also been added.  It is possible to use different methods for both IMAP and
  11 SMTP. TLS is able to be enabled on a per-service basis as well.
  12 Unless the administrator changes the authentication methods, SquirrelMail
  13 will default to the "classic" plaintext methods, without TLS.
  14
  15 Note: There is no point in using TLS if your IMAP server is localhost. You need
  16 root to sniff the loopback interface, and if you don't trust root, or an attacker
  17 already has root, the game is over.  You've got a lot more to worry about beyond
  18 having the loopback interface sniffed.
  19
  20 REQUIREMENTS
  21 ------------
  22
  23 CRAM/DIGEST-MD5
  24 * SquirrelMail 1.3.3 or higher
  25 * If you have the mhash extension to PHP, it will automatically
  26   be used, which may help performance on heavily loaded servers.
  27   ** NOTE: mhash is optional and no longer a requirement **
  28
  29 TLS
  30 * SquirrelMail 1.3.3 or higher
  31 * PHP 4.3.0 or higher (Check Release Notes for PHP 4.3.x information)
  32 * The "STARTTLS" command is NOT supported.  The server you wish to use TLS
  33   on must have a dedicated port listening for TLS connections. (ie. port
  34   993 for IMAP, 465 for SMTP)
  35 * If you use PHP 4.3.x, OpenSSL support must be compiled staticly. See
  36   PHP bug #29934 (http://bugs.php.net/bug.php?id=29934)
  37
  38 CONFIGURATION
  39 -------------
  40
  41 All configuration is done using conf.pl, under main menu option #2.
  42
  43 conf.pl can now attempt to detect which mechanisms your servers support.
  44 You must have set the host and port before attempting to detect, or you
  45 may get inaccurate results, or a long wait while the connection times out.
  46
  47 If you get results that you know are wrong when you use auto-detection, I
  48 need to know about it. Please send me the results you got, the results you
  49 expected, and server type, name, and version (eg. "imap, Cyrus, v2.1.9").
  50
  51 KNOWN ISSUES
  52 ------------
  53
  54 DIGEST-MD5 has three different methods of operation. (qop options "auth",
  55 "auth-int" and "auth-conf").  This implementation currently supports "auth"
  56 only.  Work is being done to add the other two modes.
  57
  58 DIGEST-MD5 _may_ fail when authenticating with servers that supply more
  59 than one "realm".  I have no servers of this type to test on, so if you do
  60 and it fails, let me know!  (A big help would be for you to telnet to your
  61 server, start a DIGEST-MD5 auth session, and include the challenge from the
  62 server in your bug report.)
  63
  64 To get the challenge with IMAP:
  65    telnet <your server> imap
  66    [server says hello]
  67    A01 AUTHENTICATE DIGEST-MD5
  68    <copy the gobbledygook that the server sends - this is what I need>
  69    *
  70    [server says auth aborted]
  71    A02 LOGOUT
  72    [server says goodbye, closes connection]
  73
  74 To get the challenge with SMTP:
  75    telnet <your server> smtp
  76    [server sends some sort of "hello" banner]
  77    EHLO myhostname
  78    [server will probably list a bunch of capabilities]
  79    AUTH DIGEST-MD5
  80    <copy the gobbledygook that the server sends - this is what I need>
  81    *
  82    [server says auth aborted]
  83    QUIT
  84    [server says bye, closes connection]
  85
  86
  87 OPTIONAL SMTP AUTH CONFIGURATION
  88 --------------------------------
  89
  90 If you need all users to send mail via an upstream SMTP provider
  91 (your ISP, for example), and that ISP requires authentication,
  92 there are two variables that can be added to config_local.php
  93 that will specify a sitewide SMTP username and password.
  94
  95 Set up SMTP authentication to the remote server according to the
  96 instructions above, then add the following to config_local.php,
  97 replacing <smtp_user> and <smtp_pass> with the username and password
  98 you'd like to use for the entire site:
  99
 100    $smtp_sitewide_user = '<smtp_user>';
 101    $smtp_sitewide_pass = '<smtp_pass>';
 102
 103 These values will be used to connect to the SMTP server as long
 104 as the authentication mechanism is something besides 'none', i.e.
 105 'login','plain','cram-md5', or 'digest-md5'.
 106
 107
 108 [End]