Secure Login plugin for SquirrelMail
====================================

Ver 1.4, 2008/05/12

Copyright (c) 2002 Graham Norbury <gnorbury@bondcar.com>
Copyright (c) 2002-2008 Paul Lesniewski <paul@squirrelmail.org>


Description
===========

This plugin automatically enables a secure HTTPS/SSL-encrypted connection
for the SquirrelMail login page if it hasn't already been requested by the
referring hyperlink or bookmark. Optionally, the secure connection can be
turned off again after successful login.

This utility is intended to prevent passwords and email contents from being
transmitted over the Internet in the clear after people browse to the login
page without including https:// in its address.


License
=======

This plugin is released under the GNU General Public License (see the file
COPYING for details).


Donations
=========

If you or your company make regular use of this software, please consider
supporting Open Source development by donating to the authors or inquire
about hiring them to consult on other projects. Donation links for the
author(s) are as follows:

Paul Lesniewski: https://sourceforge.net/donate/index.php?user_id=508228


Requirements
============

  * SquirrelMail version 1.2.8 or above

  * HTTPS/SSL-capable web server with encryption already working on your
    SquirrelMail installation


Hosting Multiple Sites With One Certificate
===========================================

One instance of the Apache web server listening on a single IP address can
currently only serve up one SSL certificate. If you host more than one
domain on a single server, you can serve this one certificate for all sites
(users will get a warning about mismatched host names, which can be accepted
by the user), or you can play tricks with URIs, depending on how important
it is to you not to cause the warning to be displayed to users. One common
tactic is to host your secure pages for all hosts on top of your main domain
(to which the certificate officially belongs).
URIs would look like this:

   https://www.maindomain.com/www.virtualdomain.com/webmail/src/login.php
   https://www.maindomain.com/webmail/src/login.php?domain=www.virtualdomain.com

This plugin can support such URIs if you use the
$allVirtualDomainsUnderOneSSLHost configuration setting. If you take this
approach, you will need to include an Alias similar to the following in the
<VirtualHost> directive for the SSL host (MAKE SURE it's the SSL virtual host
directive and *not* the regular, non-SSL directive):

   Alias /www.virtualdomain.com /var/www/html/maindomain/squirrelmail

You'll want to adjust the path in the Alias to point to your SquirrelMail
installation, of course. See config.php.sample for more information about
configuring this plugin to use such URIs.


Troubleshooting
===============

Your web server is assumed to be running Apache 1.3.x or 2.x with OpenSSL
support (or similar). Before enabling this plugin, you should ALREADY be able
to browse to your SquirrelMail installation by using https://, so if not,
please take care of your web server configuration before complicating
matters with this plugin.

If you turn on $change_back_to_http_after_login under SquirrelMail 1.5.2 and
above, you will be unable to log in, because by default SquirrelMail 1.5
will only transmit cookies securely if the user's session started under
https://. If you really want to revert to an unencrypted connection after
user login, you need to run the SquirrelMail configuration utility and
change the "Only secure cookies if poss." setting (under "General Options")
to "false". Be aware that this means the session cookie itself will then
travel over the unencrypted connection along with the mail contents.


Help Requests
=============

Before looking for help elsewhere, please try to help yourself:

  * Read the Troubleshooting section herein.

  * Look to see if others have already asked about the same issue. There
    are tips and links for the best places to do this in the SquirrelMail
    mailing list posting guidelines:

       http://squirrelmail.org/wiki/MailingListPostingGuidelines

    You should also try Google or some other search engine.
  * If you cannot find any information about your issue, please first mail
    your help request to the squirrelmail-plugins mailing list. Information
    about it can be found here:

       http://lists.sourceforge.net/mailman/listinfo/squirrelmail-plugins

    You MUST read the mailing list posting guidelines (see above) and
    include as much information about your issue (and your system) as
    possible. Including configtest output, any debug output, the plugin
    configuration settings you've made and anything else you can think of
    to make it easier to diagnose your problem will get you the most useful
    responses. Inquiries that do not comply with the posting guidelines are
    liable to be ignored.

  * If you don't get any replies on the mailing list, you are welcome to
    send a help request to the authors' personal address(es), but please be
    patient with the mailing list.


Change Log
==========

v1.4  2008/05/12  Paul Lesniewski <paul@squirrelmail.org>

  * When using $allVirtualDomainsUnderOneSSLHost and coming back from the
    signout page or a login error page, the URI was wrongly constructed -
    fixed thanks to Brett Johnson
  * Minor bug fixes and updates

v1.3  2007/01/23  Paul Lesniewski <paul@squirrelmail.org>

  * Fix for problem with session variables sticking around between logins,
    such that SSL connection would be forced only every other login.
  * Updated documentation.
  * Added configtest hook.
  * Updated for compatibility with SquirrelMail 1.5.x
  * Removed specific requirement for Compatibility plugin.
  * Updated to stop accessing superglobal arrays directly.
  * Removed configuration file requirement.
  * Added debug flag.
  * Added more flexible "multiple domains under one SSL certificate"
    configuration.
  * Added more fine-grained controls over URI parsing (not recommended
    unless default behavior won't work).
  * NOTE that configuration variable names have changed - please review
    your config file if upgrading from an earlier release!
v1.2  2003/07/15  Paul Lesniewski <paul@squirrelmail.org>

  * Changed plugin logic to detect HTTP and HTTPS connections based on port
    number instead of environment variables that in some cases may not be
    provided by the web server (Thanks to Tony Geerts <tgeerts@dyton.com>)
  * If user comes to login page with a URI that has any GET variables
    appended to it, they are automatically added to the secure redirection
    URI (Thanks to Alex Lemaresquier <alex@brainstorm.fr>).

v1.1  2003/07/12  Paul Lesniewski <paul@squirrelmail.org>

  * Fix for when going back to HTTP from HTTPS login that would cause
    javascript errors after sending at least one message - the right frame
    was getting redirected back to HTTPS. But not any more. ;>
  * This is only a fix applicable for SM 1.4 and up.
  * Updated for latest version reporting API.
  * Removed config.php from distribution, replaced with config.php.sample
    for hassle-free upgrades.

v1.0  2003/03/03  Paul Lesniewski <paul@squirrelmail.org>

  * Added compatibility with SquirrelMail v1.4.
  * New setup.php format for better overall SquirrelMail performance.
  * In combination with more recent versions of SquirrelMail (and probably
    older ones, thanks to the Compatibility plugin), a bug that allowed
    users to log in without SSL in a browser session that had already
    logged in once before has been removed.

v0.7  2003/02/26  Paul Lesniewski <paul@squirrelmail.org>

  * Added config setting for servers running https or http on non-standard
    ports.

v0.6  2002/12/07  Paul Lesniewski <paul@squirrelmail.org>

  * Sites that host all their virtual domains off of a single SSL URL can
    now specify that URL in setup.php and users will be redirected as
    appropriate
  * PHP version checking fixed (for all locales)

v0.5  2002/11/05  Paul Lesniewski <paul@squirrelmail.org>

  * Updated for compatibility with Plugin Updates plugin.
v0.4  2002/10/07  Paul Lesniewski <paul@squirrelmail.org>

  * Added flag that allows users who came to the login page using an
    encrypted connection to stay in an encrypted session (while others only
    get encryption just for the login, assuming that flag is enabled)

v0.3  2002/08/14  Paul Lesniewski <paul@squirrelmail.org>

  * Added functionality that sends user back to a non-encrypted connection
    after logging in (it may be turned off at will).

v0.2  2002/01/04  Graham Norbury <gnorbury@bondcar.com>

  * Eliminated use of SCRIPT_URI server variable which (apparently) is only
    available when Apache mod_rewrite has been enabled
  * Added loop counter to prevent endless redirects if for some reason we
    end up back at the same page without HTTPS being set.

v0.1  2002/01/03  Graham Norbury <gnorbury@bondcar.com>

  * Initial version
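The redirect logic described in the Hosting section and the change log (port-based HTTP/HTTPS detection, GET variables carried over, the $allVirtualDomainsUnderOneSSLHost URI form, and the loop counter against endless redirects), as an added PHP example that is not the plugin's own code. The config keys ssl_host, https_port and max_redirects and the session key secure_login_redirects are assumed names chosen for this illustration.

```php
<?php
// Added example (not the plugin's own code). Models the redirect this README
// describes: detect HTTP by port, keep GET variables, map a virtual domain under
// the one SSL host, and stop after a bounded number of redirects.
// Config keys 'ssl_host', 'https_port', 'max_redirects' are assumed names.
function secure_login_redirect_uri(array $server, array $cfg, array &$session)
{
    $https_port = isset($cfg['https_port']) ? (int) $cfg['https_port'] : 443;
    // Decide by port, not by a server-supplied HTTPS variable some servers never set.
    if ((int) $server['SERVER_PORT'] === $https_port) {
        unset($session['secure_login_redirects']);  // secure hit: reset counter
        return null;                                // already encrypted
    }
    // Loop counter: a misconfigured Alias or a proxy that hides the port would
    // otherwise bounce the browser forever; give up after $max attempts.
    $max = isset($cfg['max_redirects']) ? (int) $cfg['max_redirects'] : 3;
    $n = isset($session['secure_login_redirects']) ? $session['secure_login_redirects'] : 0;
    $session['secure_login_redirects'] = ++$n;
    if ($n > $max) {
        return null;
    }
    $host   = $server['SERVER_NAME'];
    $script = $server['SCRIPT_NAME'];               // e.g. /webmail/src/login.php
    $query  = (isset($server['QUERY_STRING']) && $server['QUERY_STRING'] !== '')
            ? '?' . $server['QUERY_STRING'] : '';   // carry GET variables over
    if (!empty($cfg['allVirtualDomainsUnderOneSSLHost'])) {
        // https://www.maindomain.com/www.virtualdomain.com/webmail/src/login.php
        $authority = $cfg['ssl_host'];
        $path      = '/' . $host . $script;
    } else {
        $authority = $host;
        $path      = $script;
    }
    if ($https_port !== 443) {
        $authority .= ':' . $https_port;            // non-standard HTTPS port
    }
    return 'https://' . $authority . $path . $query;
}

// Constructed request: plain-HTTP hit on a virtual domain with a GET variable.
$session = array();
$server  = array('SERVER_PORT' => '80', 'SERVER_NAME' => 'www.virtualdomain.com',
                 'SCRIPT_NAME' => '/webmail/src/login.php', 'QUERY_STRING' => 'lang=en');
$cfg     = array('allVirtualDomainsUnderOneSSLHost' => true,
                 'ssl_host' => 'www.maindomain.com');
$uri = secure_login_redirect_uri($server, $cfg, $session);
if ($uri !== null) {
    header('Location: ' . $uri);
    exit;
}
```

The counter is kept in the session array so that a request that never arrives on the HTTPS port stops being redirected after $max attempts instead of looping, which is the failure mode the v0.2 loop counter entry addresses.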