Name               Date         Size      #Lines  LOC
..                 03-May-2022  -
COPYING            03-May-2005  14.8 KiB  281     237
INSTALL            07-May-2008  1.5 KiB   53      36
README             08-May-2008  8.9 KiB   229     170
config.sample.php  08-May-2008  5.8 KiB   162     14
functions.php      08-May-2008  12.3 KiB  408     211
index.php          23-Jan-2007  469       20      2
make_release.sh    07-May-2008  5 KiB     245     101
setup.php          08-May-2008  2.8 KiB   119     47
version            08-May-2008  17        3       2

README

Secure Login plugin for SquirrelMail
====================================
Ver 1.4, 2008/05/12


Copyright (c) 2002 Graham Norbury <gnorbury@bondcar.com>
Copyright (c) 2002-2008 Paul Lesniewski <paul@squirrelmail.org>


Description
===========

This plugin automatically enables a secure HTTPS/SSL-encrypted
connection for the SquirrelMail login page if it hasn't already
been requested by the referring hyperlink or bookmark.
Optionally, the secure connection can be turned off again after
successful login.  This utility is intended to prevent passwords
and email contents from being transmitted over the Internet in the
clear after people browse to the login page without including
https:// in its address.



License
=======

This plugin is released under the GNU General Public
License (see the file COPYING for details).



Donations
=========

If you or your company make regular use of this software, please
consider supporting Open Source development by donating to the authors
or inquire about hiring them to consult on other projects.  Donation
links for the author(s) are as follows:

Paul Lesniewski: https://sourceforge.net/donate/index.php?user_id=508228



Requirements
============

  * SquirrelMail version 1.2.8 or above

  * HTTPS/SSL-capable web server with encryption already
    working on your SquirrelMail installation



Hosting Multiple Sites With One Certificate
===========================================

One instance of the Apache web server listening on a single
IP address can currently only serve up one SSL certificate.
If you host more than one domain on a single server, you can
serve this one certificate for all sites (users will get a
warning about mismatched host names, which they can choose
to accept), or you can play tricks with URIs, depending on
how important it is to you not to cause the warning to be
displayed to users.

One common tactic is to host your secure pages for all hosts
on top of your main domain (to which the certificate officially
belongs).  URIs would look like this:

https://www.maindomain.com/www.virtualdomain.com/webmail/src/login.php
https://www.maindomain.com/webmail/src/login.php?domain=www.virtualdomain.com

This plugin can support such URIs if you use the
$allVirtualDomainsUnderOneSSLHost configuration setting.  If you
take this approach, you will need to include an Alias similar to
the following in the <VirtualHost> directive for the SSL (MAKE
SURE it's the SSL virtual host directive and *not* the regular,
non-SSL directive):

Alias /www.virtualdomain.com /var/www/html/maindomain/squirrelmail

You'll want to adjust the path in the Alias to point to your
SquirrelMail installation, of course.  See config.sample.php
for more information about configuring this plugin to use such
URIs.
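
The redirect this section describes, as an added PHP example (not the
plugin's own code): it maps a plain-HTTP login request for a virtual
domain onto either URI form above, using the port-based detection,
GET-variable pass-through and redirect loop counter mentioned in the
Change Log.  The function name, the $cfg keys and the hosted-domain
allowlist are assumptions made for this illustration.

```php
<?php
// Added illustration, not the plugin's code; every name here is hypothetical.

/** Return the HTTPS URI to redirect a login request to, or null for none. */
function secure_login_target(array $server, array &$session, array $cfg): ?string
{
    // Detect HTTPS from the port the request arrived on.
    if ((int) ($server['SERVER_PORT'] ?? 0) === $cfg['https_port']) {
        $session['redirects'] = 0;
        return null;
    }
    // Loop counter: give up if earlier redirects never reached HTTPS.
    $session['redirects'] = ($session['redirects'] ?? 0) + 1;
    if ($session['redirects'] > $cfg['max_redirects']) {
        return null;
    }
    // The Host header is client-supplied: normalise it and accept it only
    // if it names a hosted domain, so it cannot steer the redirect elsewhere.
    $host = strtolower(preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? ''));
    if (!in_array($host, $cfg['hosted_domains'], true)) {
        return null;
    }
    $path = $server['SCRIPT_NAME'] ?? '/';       // server-resolved script path
    $qs   = $server['QUERY_STRING'] ?? '';       // GET variables are carried over
    if ($host !== $cfg['ssl_host']) {
        if ($cfg['style'] === 'path') {          // /www.virtualdomain.com/webmail/...
            $path = '/' . $host . $path;
        } else {                                 // ...?domain=www.virtualdomain.com
            // Appended last so it overrides any client-sent "domain" value.
            $qs = ($qs === '' ? '' : $qs . '&') . 'domain=' . rawurlencode($host);
        }
    }
    $port = $cfg['https_port'] === 443 ? '' : ':' . $cfg['https_port'];
    return 'https://' . $cfg['ssl_host'] . $port . $path . ($qs === '' ? '' : '?' . $qs);
}

// Constructed sample configuration and request.
$cfg = [
    'ssl_host' => 'www.maindomain.com', 'https_port' => 443, 'max_redirects' => 3,
    'hosted_domains' => ['www.maindomain.com', 'www.virtualdomain.com'],
    'style' => 'query',
];
$server = ['HTTP_HOST' => 'www.virtualdomain.com', 'SERVER_PORT' => '80',
           'SCRIPT_NAME' => '/webmail/src/login.php', 'QUERY_STRING' => 'lang=en'];
$session = [];
echo secure_login_target($server, $session, $cfg), "\n";
```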



Troubleshooting
===============

Your web server is assumed to be running Apache 1.3.x or 2.x with
OpenSSL support (or similar).  Before enabling this plugin, you
should ALREADY be able to browse to your SquirrelMail installation
by using https://, so if not, please take care of your web server
configuration before complicating matters with this plugin.

If you turn on $change_back_to_http_after_login under SquirrelMail
1.5.2 and above, you will be unable to log in because by default,
SquirrelMail 1.5 will only transmit cookies securely if the user's
session started under https://.  If you really want to revert to an
unencrypted connection after user login, you need to run the
SquirrelMail configuration utility and change the "Only secure
cookies if poss." setting (under "General Options") to "false".



Help Requests
=============

Before looking for help elsewhere, please try to help yourself:

  * Read the Troubleshooting section herein.

  * Look to see if others have already asked about the same issue.
    There are tips and links for the best places to do this in
    the SquirrelMail mailing list posting guidelines:
    http://squirrelmail.org/wiki/MailingListPostingGuidelines
    You should also try Google or some other search engine.

  * If you cannot find any information about your issue, please
    first mail your help request to the squirrelmail-plugins
    mailing list.  Information about it can be found here:
    http://lists.sourceforge.net/mailman/listinfo/squirrelmail-plugins
    You MUST read the mailing list posting guidelines (see above)
    and include as much information about your issue (and your
    system) as possible.  Including configtest output, any debug
    output, the plugin configuration settings you've made and
    anything else you can think of to make it easier to diagnose
    your problem will get you the most useful responses.  Inquiries
    that do not comply with the posting guidelines are liable to
    be ignored.

  * If you don't get any replies on the mailing list, you are
    welcome to send a help request to the authors' personal
    address(es), but please be patient with the mailing list.



Change Log
==========

  v1.4  2008/05/12  Paul Lesniewski <paul@squirrelmail.org>
    * When using $allVirtualDomainsUnderOneSSLHost and coming back
      from the signout page or a login error page, the URI was
      wrongly constructed - fixed thanks to Brett Johnson
    * Minor bug fixes and updates

  v1.3  2007/01/23  Paul Lesniewski <paul@squirrelmail.org>
    * Fix for problem with session variables sticking around between logins,
      such that SSL connection would be forced only every other login.
    * Updated documentation.
    * Added configtest hook.
    * Updated for compatibility with SquirrelMail 1.5.x
    * Removed specific requirement for Compatibility plugin.
    * Updated to stop accessing superglobal arrays directly.
    * Removed configuration file requirement.
    * Added debug flag.
    * Added more flexible "multiple domains under one SSL certificate"
      configuration.
    * Added more fine-grained controls over URI parsing (not recommended
      unless default behavior won't work).
    * NOTE that configuration variable names have changed - please review
      your config file if upgrading from an earlier release!

  v1.2  2003/07/15  Paul Lesniewski <paul@squirrelmail.org>
    * Changed plugin logic to detect HTTP and HTTPS connections
      based on port number instead of environment variables
      that in some cases may not be provided by the web server
      (Thanks to Tony Geerts <tgeerts@dyton.com>)
    * If user comes to login page with a URI that has any
      GET variables appended to it, they are automatically
      added to the secure redirection URI (Thanks to Alex
      Lemaresquier <alex@brainstorm.fr>).

  v1.1  2003/07/12  Paul Lesniewski <paul@squirrelmail.org>
    * Fix for when going back to HTTP from HTTPS login that
      would cause javascript errors after sending at least
      one message - the right frame was getting redirected
      back to HTTPS.  But not any more.  ;>
    * This is only a fix applicable for SM 1.4 and up.
    * Updated for latest version reporting API.
    * Removed config.php from distribution, replaced with
      config.php.sample for hassle-free upgrades.

  v1.0  2003/03/03  Paul Lesniewski <paul@squirrelmail.org>
    * Added compatibility with SquirrelMail v1.4.
    * New setup.php format for better overall SquirrelMail
      performance.
    * In combination with more recent versions of SquirrelMail,
      (and probably older ones, thanks to the Compatibility plugin)
      a bug that allowed users to log in without SSL in a browser
      session that had already logged in once before has been
      removed.

  v0.7  2003/02/26  Paul Lesniewski <paul@squirrelmail.org>
    * Added config setting for servers running https or http
      on non-standard ports.

  v0.6  2002/12/07  Paul Lesniewski <paul@squirrelmail.org>
    * Sites that host all their virtual domains off of a single
      SSL URL can now specify that URL in setup.php and users
      will be redirected as appropriate
    * PHP version checking fixed (for all locales)

  v0.5  2002/11/05  Paul Lesniewski <paul@squirrelmail.org>
    * Updated for compatibility with Plugin Updates plugin.

  v0.4  2002/10/07  Paul Lesniewski <paul@squirrelmail.org>
    * Added flag that allows users who came to the login page
      using an encrypted connection to stay in an encrypted
      session (while others only get encryption just for the
      login, assuming that flag is enabled)

  v0.3  2002/08/14  Paul Lesniewski <paul@squirrelmail.org>
    * Added functionality that sends user back to a non-encrypted
      connection after logging in (it may be turned off at will).

  v0.2  2002/01/04  Graham Norbury <gnorbury@bondcar.com>
    * Eliminated use of SCRIPT_URI server variable which (apparently)
      is only available when Apache mod_rewrite has been enabled
    * Added loop counter to prevent endless redirects if for some
      reason we end up back at the same page without HTTPS being set.

  v0.1  2002/01/03  Graham Norbury <gnorbury@bondcar.com>
    * Initial version