The Linux Page

Squirrel Mail: a web based tool

Ubuntu Installation

In the last few days, I've been testing SquirrelMail. It's neat. Really ugly, but neat as it is very small and still quite functional.

To install on Ubuntu, just use apt-get install as in:

apt-get install squirrelmail

The available plugins as of Ubuntu 10.04:

  squirrelmail-compatibility - SquirrelMail plugin: Let other plugins work with older/newer SM versions
  squirrelmail-decode - SquirrelMail support for decoding exotic character sets
  squirrelmail-locales - Translations for the SquirrelMail Webmail package
  squirrelmail-lockout - SquirrelMail plugin: Disallow access to users/domains
  squirrelmail-logger - SquirrelMail plugin: Add logging functionality to your webmail interface
  squirrelmail-quicksave - SquirrelMail plugin: Auto-save messages while composing
  squirrelmail-secure-login - SquirrelMail plugin: Force users to use SSL encrypted connections
  squirrelmail-sent-confirmation - SquirrelMail plugin: display a confimation message after sending mails
  squirrelmail-spam-buttons - SquirrelMail plugin: Place "Spam" buttons on the mailbox message list page
  squirrelmail-viewashtml - SquirrelMail plugin: View mails as HTML
  squirrelmail - Webmail for nuts

I strongly suggest the secure-login plugin if you have a valid SSL certificate, and the logger plugin if you have many users.

Personally, I use the lockout plugin, as discussed below.

Once installed, use the squirrelmail-configure script to change the default settings. In particular, your mail server settings may differ from the defaults (i.e. not be localhost port 25.)

WebServer

The following is a setup example. The <Directory> directive is not required if index.php is one of the default indexes Apache searches for. Port 443 means SSL is used; to avoid SSL, use port 80. You can also allow both: with the secure-login plugin, a user who typed an HTTP URL is redirected to your HTTPS site instead.

<VirtualHost *:443>
  DocumentRoot /usr/share/squirrelmail/
  ServerName squirrel.m2osw.com
  <Directory "/usr/share/squirrelmail/">
    DirectoryIndex index.php
  </Directory>

  SSLEngine On
  SSLCertificateFile /etc/apache2/ssl/m2osw.com.crt
  SSLCertificateKeyFile /etc/apache2/ssl/m2osw-com.key
  SSLCertificateChainFile /etc/apache2/ssl/bundle.crt
</VirtualHost>

The SSL instructions will change depending on your SSL certificate provider and some other parameters (i.e. you may need to have an IP address and port instead of "*:443".)

IMPORTANT SECURITY NOTE

If you do not change the server parameters, your local mail server will be accessible with your Unix login name and password. This may be a security issue if you used a weak password.

Plugins

Once installed, a plugin first needs to be authorized (enabled.) This can be done with the default configuration tool:

squirrelmail-configure

Enter the Plugins area, then search for one you want to install and select it (i.e. enter its number) and hit enter.

Now the plugin is selected and thus usable.

IMPORTANT SECURITY NOTE

The plugin is available as soon as it is selected. Keep that in mind if some of its configuration has to be changed for security purposes...

SquirrelMail Lockout Plugin

I wanted to install the Lockout plugin so that only a very few users can log in to that system.

It was advertised as such on the SquirrelMail website!

Looking at the settings, it looked pretty straightforward, except for lockout_table.php. That file describes the settings for creating a negative table (i.e. blocking a certain number of individuals) but not the opposite (a positive table letting only specific people use the system), which is what I use:

$reverseLockout = '##BAD_LOGIN_PAGE##';

In that case, the lockout table entries are the same, except that the redirect information, although still required, is ignored.

So for instance, to accept user John you could write something like this:

user:   john    ignore.com

Note that the domain name after 'john' is required if your mail server requires it. Not all mail servers work that way, though. The pattern given as the name must exactly match the name you use to log in.

I also suggest that you remove the PHP comment from that file.
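
Because a selected plugin is live immediately, it helps to check the table before enabling it. The following is an added example, not the plugin's own code: it models the allow-list behaviour described above, assuming that only "user:" entries are used, that the first field is the login name (matched exactly, taken here to be case-sensitive), and that the second field is the required-but-ignored redirect. The function names and the sample table are hypothetical.

```python
# Added example: a model of the allow-list ("reverse lockout") behaviour
# described in the text, for checking a table before enabling the plugin.
# Assumptions: only "user:" entries are modelled; the first field is the
# login name (exact match), the second is the required-but-ignored redirect.

# Constructed sample table, not taken from a real installation.
SAMPLE_TABLE = """\
user:   john                ignore.com
user:   mary@example.com    ignore.com
user:   bob
jane    ignore.com
"""


def parse_table(text):
    """Return (allowed_logins, problems) for a lockout table given as text."""
    allowed, problems = set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("user:"):
            # Anything this model does not understand is reported, not guessed.
            problems.append((lineno, "not a user: entry, check by hand"))
            continue
        fields = line[len("user:"):].split()
        if len(fields) != 2:
            # The redirect is ignored in reverse mode but must still be present.
            problems.append((lineno, "expected a login name and a redirect"))
            continue
        allowed.add(fields[0])
    return allowed, problems


def is_allowed(login, allowed):
    """Exact match (assumed case-sensitive) against the name typed at login."""
    return login in allowed


if __name__ == "__main__":
    allowed, problems = parse_table(SAMPLE_TABLE)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
    for login in ("john", "john@example.com", "mary@example.com", "bob"):
        verdict = "allowed" if is_allowed(login, allowed) else "rejected"
        print(f"{login}: {verdict}")
```

In the sample, "john" is accepted but "john@example.com" is not, which is the mismatch to look for when your mail server expects the domain as part of the login name.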