[vox-tech] squirrelmail questions

ME dugan at passwall.com
Sat Jul 3 21:39:20 PDT 2004 

Replying to Rod's post to add more comments to a good reply:

Rod Roark said:
> On Saturday 03 July 2004 02:05 pm, p at dirac.org wrote:
>> i don't know the first thing about web mail (or web anything, for that
>> matter).  sorry for brain dead questions in advance.
>>
>> i'm investigating web mail for times where i only have access to
>> microsoft windows, and can't install an ssh client.
>>
>>
>> 1. can squirrelmail live side by side with a "normal" MUA like mutt?  in
>>    other words, can one use mutt when at home and squirrelmail "on the
>>    road"?
>
> SquirrelMail uses IMAP, so as long as you have an IMAP
> server it should be fine.

Also, SquirrelMail permits (through the pop mail plugin) the ability to
also pickup mail from multiple pop accounts.

SquirrelMail also has a GPG plugin which , by default, permits
verification of sender and encryption to others, but by default does NOT
support user decrypting messages sent to them, or signing of messages they
send. (For obvious reasons.)

The security track record for SquirrelMail has been an issue because it is
so intensively hammered. One reason is because many places use it and it
is a big target, and another is because it is used by "many security
minded people."

I use SquirrelMail and have two layers of authentication behind an SSL
server. An HTAUTH is the first layer to deny people access to the php code
and make it difficult to run prepackaged exploits unless they have an
htauth account on my box. Next, I have the second layer of authentication
which is actually provided by the imap server.

SquirrelMail support IMAPS and IMAP but if the server running SquirrelMail
is also running the IMAP server, then you can save CPU cycles and memory
by just running IMAP.

I use SquirrelMail with Courier-imap for many reasons. First the
multi-byte character support is pretty good. Second, because courier imap
support many, many kinds of authentication. I have my courier imap setup
to support its very own authentication in a separate file from all other
authentication tokens in its own directory. This permits me to have one
password for webmail and another for my shell. This makes me feel more
comfortable in using public systems to check my mail. For the most part, I
expect any mail I get in plain-text is or has been read by others. Taking
this into consideration, my only exposure in theft of credentials is a
person deleting mail, or sending mail to someone in my addressbook as "me"
or spamming from my box. All of these are risks which I am willing to take
in using public stations to check mail.

To guard against loss of e-mail, I actually have mail double-delivered to
a maildir *and* to an mbox after spam-processing. This permits me to have
an archive of mail which is not exposed like my webmail. This of course
requires that I periodically purge mbox mail that I have verified
receiving.

>> 2. how is squirrelmail secure?  without https, don't passwords get sent
>>    out via plaintext?
>
> Yeah but nothing is stopping you from using HTTPS.

And SquirrelMail follows the UNIX way very well; it does its thing very
well. If you add https, then encryption is transparent.

>> 3. looking at security focus, it seems like squirrelmail has a horrible
>>    security track record.  yet i see very security minded individuals
>>    using it.  what gives?
>
> Dunno... but in my experience TRULY security-minded people
> are rare.  Most of us think nothing about the fact that our
> paper mail sits in a little unlocked box next to the
> sidewalk for much of the day.  Or what could I learn about
> you by taking the garbage that you leave out on Tuesday
> nights?
>
> I'm pretty sure my unencrypted email is way more secure than
> any of that....

SquirrelMail is secure enough for my purposes. I do not use it to read gpg
encrypted messages or sign messages I send. For this, I still use mutt and
I do not use mutt unless I ssh, and I do not ssh unless it is from a
machine that I trust. (Meaning, I only ssh to my server from machines that
I have installed and control.)

In cases like DefCon and other security conferences I will sometimes
create new imap accounts and triple-split mail to also include this extra
account after spam processing. Then I can use this account, and when I get
back, destroy it.

To make things more interesting for SquirrelMail, I have taken the task of
trying to add some Section508 support to the forms and tables that it
generates. This is a lot of work, but will help people who might have ADA
issues and make it possible for more groups which accept federal funding
to use it.

-ME

More information about the vox-tech mailing list