MBF Knowledge Base

Securing SquirrelMail with SSL

SquirrelMail interface consists of dynamically generated HTML pages. These pages are transfered to user's browser using HTTP protocol. HTTP protocol does not have any built-in encryption functions. Information is transfered in plain text. HTTP traffic contains login passwords and any information viewed or entered in browser.

If you want to secure web traffic, you should use HTTP protocol with SSL encryption. Check your web server documentation about SSL support.

If you have SquirrelMail install in unsecured HTTP and secured HTTPS servers, SquirrelMail secure_login and show_ssl_link plugins can be used to warn users about insecure connections and/or provide automatic redirection to a secured server.

In the Apache web server, redirection can be implemented with Redirect directives and the mod_rewrite module. For example:

# Redirect /squirrelmail link to secured server
Redirect permanent /squirrelmail https://secured.example.org/squirrelmail

# simple mod_rewrite example
<Location /squirrelmail>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{HTTP_HOST}:443%{REQUEST_URI} [QSA,R=permanent,L]

HTTP over SSL communications prevent "man in the middle" attacks between user's machine and webmail server. SSL encryption makes it difficult to sniff web traffic. Use of signed SSL certificates might prevent hostname spoofing attacks.