README
Secure Login plugin for SquirrelMail
====================================
Ver 1.4, 2008/05/12


Copyright (c) 2002 Graham Norbury <gnorbury@bondcar.com>
Copyright (c) 2002-2008 Paul Lesniewski <paul@squirrelmail.org>


Description
===========

This plugin automatically enables a secure HTTPS/SSL-encrypted
connection for the SquirrelMail login page if it hasn't already
been requested by the referring hyperlink or bookmark.
Optionally, the secure connection can be turned off again after
successful login. This utility is intended to prevent passwords
and email contents from being transmitted over the Internet in the
clear after people browse to the login page without including
https:// in its address.


License
=======

This plugin is released under the GNU General Public
License (see the file COPYING for details).



Donations
=========

If you or your company make regular use of this software, please
consider supporting Open Source development by donating to the authors
or inquiring about hiring them to consult on other projects. Donation
links for the author(s) are as follows:

Paul Lesniewski: https://sourceforge.net/donate/index.php?user_id=508228



Requirements
============

 * SquirrelMail version 1.2.8 or above

 * HTTPS/SSL-capable web server with encryption already
   working on your SquirrelMail installation



Hosting Multiple Sites With One Certificate
===========================================

One instance of the Apache web server listening on a single
IP address can currently only serve up one SSL certificate.
If you host more than one domain on a single server, you can
serve this one certificate for all sites (users will get a
browser warning about the mismatched host name, which they
can accept), or you can play tricks with URIs, depending on
how important it is to you not to cause the warning to be
displayed to users.

One common tactic is to host your secure pages for all hosts
on top of your main domain (the one to which the certificate
officially belongs). URIs would look like this:

https://www.maindomain.com/www.virtualdomain.com/webmail/src/login.php
https://www.maindomain.com/webmail/src/login.php?domain=www.virtualdomain.com

This plugin can support such URIs if you use the
$allVirtualDomainsUnderOneSSLHost configuration setting. If you
take this approach, you will need to include an Alias similar to
the following in the <VirtualHost> directive for the SSL host (MAKE
SURE it's the SSL virtual host directive and *not* the regular,
non-SSL directive):

Alias /www.virtualdomain.com /var/www/html/maindomain/squirrelmail

You'll want to adjust the path in the Alias to point to your
SquirrelMail installation, of course. See config.php.sample
for more information about configuring this plugin to use such
URIs.
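The redirect logic this README describes (in the Description and in the section above), written out as an added PHP example rather than the plugin's own code: port-based HTTPS detection, the secure URI for both the same-host case and the $allVirtualDomainsUnderOneSSLHost layout, and a session redirect counter. The function names, the $server/$session arrays and the sample request are assumptions made for illustration.

```php
<?php
// Added illustration, not the Secure Login plugin's own code. Only the
// $allVirtualDomainsUnderOneSSLHost name is the plugin's; the rest is assumed.

// Detect an encrypted request by port, not by server environment variables.
function is_https_request(array $server, int $https_port = 443): bool
{
    return (int)($server['SERVER_PORT'] ?? 80) === $https_port;
}

// Build the HTTPS URI for the login page. When all virtual domains sit
// under one SSL host, the virtual host name is prefixed to the path,
// matching the "Alias /www.virtualdomain.com ..." layout. GET
// variables on the original request are carried over.
function secure_login_uri(array $server, ?string $allVirtualDomainsUnderOneSSLHost,
                          int $https_port = 443): string
{
    $host  = preg_replace('/:\d+$/', '', $server['HTTP_HOST']); // strip any :port
    $path  = $server['SCRIPT_NAME'];
    $query = $server['QUERY_STRING'] ?? '';
    $port  = ($https_port === 443) ? '' : ':' . $https_port;
    $ssl   = $allVirtualDomainsUnderOneSSLHost;
    if ($ssl !== null && strcasecmp($ssl, $host) !== 0) {
        $uri = 'https://' . $ssl . $port . '/' . $host . $path;
    } else {
        $uri = 'https://' . $host . $port . $path;
    }
    return ($query === '') ? $uri : $uri . '?' . $query;
}

// Loop guard (the plugin keeps a similar counter): stop after $max redirects so
// a misconfigured server cannot bounce the browser forever; reset on HTTPS.
function should_redirect(array &$session, bool $is_https, int $max = 3): bool
{
    if ($is_https) {
        $session['secure_login_redirects'] = 0;
        return false;
    }
    $n = ($session['secure_login_redirects'] ?? 0) + 1;
    $session['secure_login_redirects'] = $n;
    return $n <= $max;
}

// Constructed sample request: plain-HTTP visit to a virtual domain's login page.
$server  = ['SERVER_PORT' => '80', 'HTTP_HOST' => 'www.virtualdomain.com',
            'SCRIPT_NAME' => '/webmail/src/login.php', 'QUERY_STRING' => 'mailbox=INBOX'];
$session = [];
if (should_redirect($session, is_https_request($server))) {
    echo secure_login_uri($server, 'www.maindomain.com'), "\n"; // real code: Location: header
}
```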



Troubleshooting
===============

Your web server is assumed to be running Apache 1.3.x or 2.x with
OpenSSL support (or similar). Before enabling this plugin, you
should ALREADY be able to browse to your SquirrelMail installation
by using https://, so if not, please take care of your web server
configuration before complicating matters with this plugin.

If you turn on $change_back_to_http_after_login under SquirrelMail
1.5.2 and above, you will be unable to log in because by default,
SquirrelMail 1.5 will only transmit cookies securely if the user's
session started under https://, so the browser will not send the
session cookie back over the plain HTTP connection. If you really
want to revert to an unencrypted connection after user login, you
need to run the SquirrelMail configuration utility and change the
"Only secure cookies if poss." setting (under "General Options") to
"false".



Help Requests
=============

Before looking for help elsewhere, please try to help yourself:

 * Read the Troubleshooting section herein.

 * Look to see if others have already asked about the same issue.
   There are tips and links for the best places to do this in
   the SquirrelMail mailing list posting guidelines:
   http://squirrelmail.org/wiki/MailingListPostingGuidelines
   You should also try Google or some other search engine.

 * If you cannot find any information about your issue, please
   first mail your help request to the squirrelmail-plugins
   mailing list. Information about it can be found here:
   http://lists.sourceforge.net/mailman/listinfo/squirrelmail-plugins
   You MUST read the mailing list posting guidelines (see above)
   and include as much information about your issue (and your
   system) as possible. Including configtest output, any debug
   output, the plugin configuration settings you've made and
   anything else you can think of to make it easier to diagnose
   your problem will get you the most useful responses. Inquiries
   that do not comply with the posting guidelines are liable to
   be ignored.

 * If you don't get any replies on the mailing list, you are
   welcome to send a help request to the authors' personal
   address(es), but please be patient with the mailing list.



Change Log
==========

 v1.4 2008/05/12 Paul Lesniewski <paul@squirrelmail.org>
   * When using $allVirtualDomainsUnderOneSSLHost and coming back
     from the signout page or a login error page, the URI was
     wrongly constructed - fixed thanks to Brett Johnson
   * Minor bug fixes and updates

 v1.3 2007/01/23 Paul Lesniewski <paul@squirrelmail.org>
   * Fix for problem with session variables sticking around between logins,
     such that SSL connection would be forced only every other login.
   * Updated documentation.
   * Added configtest hook.
   * Updated for compatibility with SquirrelMail 1.5.x
   * Removed specific requirement for Compatibility plugin.
   * Updated to stop accessing superglobal arrays directly.
   * Removed configuration file requirement.
   * Added debug flag.
   * Added more flexible "multiple domains under one SSL certificate"
     configuration.
   * Added more fine-grained controls over URI parsing (not recommended
     unless default behavior won't work).
   * NOTE that configuration variable names have changed - please review
     your config file if upgrading from an earlier release!

 v1.2 2003/07/15 Paul Lesniewski <paul@squirrelmail.org>
   * Changed plugin logic to detect HTTP and HTTPS connections
     based on port number instead of environment variables
     that in some cases may not be provided by the web server
     (Thanks to Tony Geerts <tgeerts@dyton.com>)
   * If user comes to login page with a URI that has any
     GET variables appended to it, they are automatically
     added to the secure redirection URI (Thanks to Alex
     Lemaresquier <alex@brainstorm.fr>).

 v1.1 2003/07/12 Paul Lesniewski <paul@squirrelmail.org>
   * Fix for when going back to HTTP from HTTPS login that
     would cause javascript errors after sending at least
     one message - the right frame was getting redirected
     back to HTTPS. But not any more. ;>
   * This is only a fix applicable for SM 1.4 and up.
   * Updated for latest version reporting API.
   * Removed config.php from distribution, replaced with
     config.php.sample for hassle-free upgrades.

 v1.0 2003/03/03 Paul Lesniewski <paul@squirrelmail.org>
   * Added compatibility with SquirrelMail v1.4.
   * New setup.php format for better overall SquirrelMail
     performance.
   * In combination with more recent versions of SquirrelMail
     (and probably older ones, thanks to the Compatibility plugin),
     a bug that allowed users to log in without SSL in a browser
     session that had already logged in once before has been
     removed.

 v0.7 2003/02/26 Paul Lesniewski <paul@squirrelmail.org>
   * Added config setting for servers running https or http
     on non-standard ports.

 v0.6 2002/12/07 Paul Lesniewski <paul@squirrelmail.org>
   * Sites that host all their virtual domains off of a single
     SSL URL can now specify that URL in setup.php and users
     will be redirected as appropriate
   * PHP version checking fixed (for all locales)

 v0.5 2002/11/05 Paul Lesniewski <paul@squirrelmail.org>
   * Updated for compatibility with Plugin Updates plugin.

 v0.4 2002/10/07 Paul Lesniewski <paul@squirrelmail.org>
   * Added flag that allows users who came to the login page
     using an encrypted connection to stay in an encrypted
     session (while others only get encryption just for the
     login, assuming that flag is enabled)

 v0.3 2002/08/14 Paul Lesniewski <paul@squirrelmail.org>
   * Added functionality that sends user back to a non-encrypted
     connection after logging in (it may be turned off at will).

 v0.2 2002/01/04 Graham Norbury <gnorbury@bondcar.com>
   * Eliminated use of SCRIPT_URI server variable which (apparently)
     is only available when Apache mod_rewrite has been enabled
   * Added loop counter to prevent endless redirects if for some
     reason we end up back at the same page without HTTPS being set.

 v0.1 2002/01/03 Graham Norbury <gnorbury@bondcar.com>
   * Initial version
