
Only webmail SSL

3963 Views 19 Replies Latest reply: Jun 6, 2008 1:53 PM by Andy Fragen
Andy Fragen
May 20, 2008 1:41 PM
Here's what I'm trying to do.

I'd like to make it so my webmail using SquirrelMail runs over SSL, but that the rest of the domain's directories are not encrypted.

So far I've been able to accomplish this by creating a second nearly identical site under Server Admin > Web > Sites and making the second site use SSL and point its web server alias to example.com/webmail. This seems to work as I can access other parts of the site using http and webmail only using https.

Here's my question. First, I'm not sure if this is the correct way of setting this up but it seems to work. More importantly, I'd like to make it so I get URL rewriting from 'http://example.com/webmail' to 'https://example.com/webmail'

I've tried most things I can think of but I just can't seem to get this to work. Any ideas?
Mac OS X (10.5.2)
  • jaydisc Level 4 (1,400 points)
    May 20, 2008 8:11 PM (in response to Andy Fragen)
    OK,

    On the SSL site, you of course have Webmail enabled. On the Non-SSL site, it should NOT be enabled.

    On the Non-SSL site, you should set up a RedirectMatch under Aliases and Redirects as follows:

    Pattern: /webmail(.*)
    Path: https://example.com/webmail$1

    The (.*) and the $1 mean that if they typed anything AFTER webmail, it will remain on the URL when redirected to https.

    Now, what do you want to happen when the user navigates to a non-webmail part of the site over SSL? Do you want it to rewrite them back to http or is this enough?

    EDIT: I accidentally hit the post message too soon.
  • jaydisc Level 4 (1,400 points)
    May 20, 2008 9:45 PM (in response to Andy Fragen)
    Hmmm...

    I did some testing to see if I could accomplish this in Server Admin, but no luck. I can't seem to get a RedirectMatch rule to accept the NOT operator which is the exclamation point.

    SO, you'll have to delve into the virtual host config file in /etc/apache/sites/yourSSLconfigfile

    In there, you'll see an IF statement checking to see if mod_rewrite is active. I've inserted the middle two lines inside that as follows:

    <IfModule mod_rewrite.c>
    RewriteEngine On

    # Send every request that is not under /webmail back to plain HTTP
    RewriteCond %{REQUEST_URI} !^/webmail
    RewriteRule (.*) http://example.com$1

    # Refuse TRACE requests
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    </IfModule>


    You might find that you need to exclude other directories or paths too. Just add those as additional RewriteConditions, e.g.

    <IfModule mod_rewrite.c>
    RewriteEngine On

    # Conditions are ANDed: redirect to HTTP only if none of the excluded prefixes match
    RewriteCond %{REQUEST_URI} !^/webmail
    RewriteCond %{REQUEST_URI} !^/calendar
    RewriteCond %{REQUEST_URI} !^/secure
    RewriteRule (.*) http://example.com$1

    # Refuse TRACE requests
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    </IfModule>


    EDIT: If preferred, this can be accomplished using .htaccess files instead of config files, but you must allow overrides in the virtual host settings to permit the use of .htaccess files.

    Message was edited by: jaydisc
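
Added example (not part of jaydisc's posts and not Apple's or Apache's code): a small Python model of the two rules posted above, the RedirectMatch on the non-SSL site and the RewriteCond/RewriteRule on the SSL site, that follows a request through both sites to check where it ends up and that the pair does not loop. It assumes Apache applies the RedirectMatch pattern as an unanchored regex search, which `re.search` imitates here; the sample URLs are constructed.

```python
import re

# Rules as posted in the thread; example.com is the thread's own placeholder.
HTTP_PATTERN = re.compile(r"/webmail(.*)")       # RedirectMatch on the non-SSL site
HTTP_TARGET = "https://example.com/webmail{0}"   # {0} stands in for $1
SSL_EXCLUDE = re.compile(r"^/webmail")           # RewriteCond %{REQUEST_URI} !^/webmail
SSL_TARGET = "http://example.com{0}"             # RewriteRule (.*) http://example.com$1

# Constructed sample requests, not taken from the thread.
SAMPLES = [
    "http://example.com/webmail",
    "http://example.com/webmail/src/login.php",
    "https://example.com/index.html",
    "http://example.com/docs/webmail-howto.html",
]


def next_hop(scheme, path):
    """Return the redirect target for one request, or None if it is served."""
    if scheme == "http":
        m = HTTP_PATTERN.search(path)            # assumption: unanchored regex search
        return HTTP_TARGET.format(m.group(1)) if m else None
    if SSL_EXCLUDE.search(path):
        return None                              # webmail stays on HTTPS
    return SSL_TARGET.format(path)               # everything else goes back to HTTP


def follow(url, max_hops=5):
    """Follow redirects until a site serves the request; raise on a loop."""
    seen = []
    while url not in seen and len(seen) < max_hops:
        seen.append(url)
        scheme, rest = url.split("://", 1)
        path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
        target = next_hop(scheme, path)
        if target is None:
            return url, seen
        url = target
    raise RuntimeError("redirect loop: " + " -> ".join(seen + [url]))


def report(urls=SAMPLES):
    """Map each starting URL to the URL that finally serves it."""
    return {u: follow(u)[0] for u in urls}


if __name__ == "__main__":
    for start, final in report().items():
        print(f"{start} -> {final}")
```

The last sample shows that the unanchored pattern `/webmail(.*)` also matches in the middle of a path and drops the prefix; writing it as `^/webmail(.*)` limits the redirect to paths that start with /webmail.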
  • D Little
    May 21, 2008 1:05 AM (in response to Andy Fragen)
    I was able to split my site this way:

    1. Main site non-SSL set up as "http://example.com" with redirect for "/webmail" to "https://webmail.example.com". I have webmail support selected for this site, but I do not think it is necessary (I've been meaning to test that theory though).

    2. Webmail site with SSL set up as "https://webmail.example.com" with its directory pointing to "/usr/share/squirrelmail/src" without webmail support selected for that site.

    It worked for me under 10.4 and now with 10.5.
    MacbookPro / OS X Server 10.5.2, Mac OS X (10.5.2), OS X / Linux / Windows Network
  • jaydisc Level 4 (1,400 points)
    May 21, 2008 1:28 AM (in response to D Little)
    That's a great idea.

    You're right that you don't need the webmail support for the first site. As a matter of fact, it conflicts with the redirect. Luckily in your case, the redirect takes precedence.
  • D Little Level 1 (10 points)
    May 21, 2008 12:14 PM (in response to Andy Fragen)
    Ah, sorry. I forgot to add that you need to put an entry for webmail in DNS:

    webmail IN CNAME yourservername

    Then restart DNS. (I don't use Server Admin to do this as I have found it tends to do odd things to the files).

    That should make it work. I'm not sure if it works with virtual domains though. I host other websites, but only email for one domain.
    Macbook Pro / OS X Server 10.5, Mac OS X (10.5.2), OS X / Linux / Windows Network
  • D Little Level 1 (10 points)
    May 21, 2008 3:01 PM (in response to Andy Fragen)
    I just checked my configuration. For default index files I have not only index.html and index.php but login.php. Squirrelmail goes directly for the login.php in the source directory. Also, I just noticed from past notes that I've used both "/usr/share/squirrelmail/" and "/usr/share/squirrelmail/src/" at various times. Both should work though.

    Last, I realized from my notes that I had this set up a few years ago with a virtual domain being hosted for email, so it should be good for that too.
    Macbook Pro / OS X Server 10.5, Mac OS X (10.5.2), OS X / Linux / Windows Network
  • D Little Level 1 (10 points)
    May 21, 2008 4:57 PM (in response to Andy Fragen)
    That's a good question. If the user goes to yourdomain.com/webmail he will be redirected properly to https, but if he directly inputs http://webmail.yourdomain.com he should just hang.

    I don't know that in OS X you can do that through SysAdmin. There are several solutions posted on the web. Search "httpd.conf redirect https" to see what suits you best. They all seem to need direct editing of either the httpd.conf or htaccess files. Either way, it should be doable.
    Macbook Pro / OS X Server 10.5, Mac OS X (10.5.2), OS X / Linux / Windows Network
  • jaydisc Level 4 (1,400 points)
    May 21, 2008 5:14 PM (in response to D Little)
    We sort of have to integrate the two solutions.

    Site 1: www.domain.com - normal website, only http

    Site 2: webmail.domain.com - SSL website - configured as discussed. i.e. /usr/share/squirrelmail/etc

    Site 3: webmail.domain.com - normal HTTP - source directory irrelevant as it has the following RedirectMatch catching and passing everything:

    Pattern: (.*)
    Path: https://webmail.domain.com$1


    Voila!

    Message was edited by: jaydisc
  • D Little Level 1 (10 points)
    May 21, 2008 5:34 PM (in response to jaydisc)
    Very nice. Thanks.
    Macbook Pro / OS X Server 10.5, Mac OS X (10.5.2), OS X / Linux / Windows Network