MBF Knowledge Base

How to Secure the connection to your IMAP server

SquirrelMail can connect to a remote IMAP server over an encrypted connection using Transport Layer Security (either a dedicated TLS port or STARTTLS), or it can protect only the login credentials with a challenge-response mechanism (CRAM-MD5 or DIGEST-MD5). In the second case the password itself is never sent in the clear, but everything else in the session (mailbox contents, commands, message headers) still travels unencrypted.

Note: There is no advantage in using TLS if your IMAP server is localhost. Sniffing the loopback interface requires root, and if you don't trust root, or an attacker already has root, TLS will be useless.

Requirements:

CRAM-MD5 / DIGEST-MD5 - DIGEST-MD5 authentication needs the PHP XML extension. If the mhash extension for PHP is available it is used automatically, which may help performance on heavily loaded servers.

Your IMAP server must also support whichever of these methods you choose.

TLS - PHP 4.3.0 or higher (check the Release Notes for PHP 4.3.x information). The server you wish to use TLS with must have a dedicated port listening for TLS connections (i.e. port 993 for IMAP, 465 for SMTP). If you use PHP 4.3.x, OpenSSL support must be compiled in statically.

STARTTLS - Available since SquirrelMail 1.5.1. Requires PHP 5.1.0rc1 or higher (for the stream_socket_enable_crypto() function) and a server that supports the STARTTLS extension.


Configuration:

All configuration is done using conf.pl, under main menu option #2. conf.pl can now attempt to detect which mechanisms your servers support. Set the host and port before attempting detection; otherwise you may get inaccurate results, or a long wait while the connection times out.
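The detection that conf.pl performs comes down to reading the server's CAPABILITY response and picking the strongest option it lists. The following is an added example (not SquirrelMail's own code) that parses a constructed CAPABILITY line, applies the preference order described above (dedicated TLS port, then STARTTLS, then DIGEST-MD5, then CRAM-MD5, then plain LOGIN), and shows what a CRAM-MD5 client reply actually contains, using the test vector from RFC 2195; it assumes a Python 3 environment and no network access.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample of an untagged IMAP CAPABILITY response, as a server
# might send it before any TLS negotiation (not captured from a real host).
SAMPLE_CAPABILITY = (
    "* CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5 AUTH=DIGEST-MD5 "
    "LOGINDISABLED IDLE NAMESPACE"
)


def parse_capabilities(line):
    """Split an untagged CAPABILITY line into a set of upper-cased tokens."""
    m = re.match(r"^\*\s+CAPABILITY\s+(.*)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not an untagged CAPABILITY response")
    return {tok.upper() for tok in m.group(1).split()}


def choose_mechanism(caps, tls_port_available=False):
    """Pick the strongest option in the order the article implies.
    tls_port_available is what you would learn by probing port 993 separately;
    the capability list says nothing about it. After STARTTLS the server
    should be asked for CAPABILITY again, since the list may change."""
    if tls_port_available:
        return "TLS"
    if "STARTTLS" in caps:
        return "STARTTLS"
    if "AUTH=DIGEST-MD5" in caps:
        return "DIGEST-MD5"
    if "AUTH=CRAM-MD5" in caps:
        return "CRAM-MD5"
    if "LOGINDISABLED" in caps:
        return None  # server refuses cleartext LOGIN and offers nothing usable
    return "LOGIN"   # credentials would cross the wire in the clear


def cram_md5_response(username, password, challenge_b64):
    """Build the client reply for AUTHENTICATE CRAM-MD5 (RFC 2195). The
    password only keys an HMAC-MD5 over the server's challenge, so it never
    crosses the wire; the mailbox traffic that follows still does."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()
```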


Known Issues:

DIGEST-MD5 has three modes of operation (qop options "auth", "auth-int" and "auth-conf"). This implementation currently supports "auth" only, which authenticates the login but adds no integrity protection or encryption to the rest of the session. Work is being done to add the other two modes.