How to use SquirrelMail and Require SSL for IMAP Service?

Hi David,

The links to the posts you list by Jeff and Alex summarize this issue.

Basically, on a normal set-up (where SquirrelMail is on the same server as Cyrus), all SquirrelMail communications with Cyrus are local (on the mail server only). For that reason, you don't need (nor, to my understanding, will SquirrelMail support) TSL in that sense. That is why SquirrelMail failed when you required it.

Unless your SquirrelMail installation is running on a different machine than your Cyrus installation this shouldn't be a problem.

You should set up SSL for the users connecting to Squirrelmail, but that is different than connecting from Squrrelmail to Postfix/Cyrus.

@Joel
I think the OP wants to "require" SSL (not "use"). In that case (although it makes no sense), he must enable TLS in SquirrelMail

@David
My recommendation would be to use, but not require SSL. Using Webmail, it is much more important that the user's browser connnection is secured with SSL, rather than SquirrelMail's IMAP connection wich is usually locall anyway.

However if you must/want/...:

The issue you are seeing is not a SquirrelMail, but a PHP issue. A bug in PHP, prevents the use of the OpenSSL module when built as shared. It must be built as static.

I don't know what your skill level is (no offense meant), so I don't know if you want to go down that road. More info is available here:
http://www.squirrelmail.org/docs/admin/admin-5.html#ss5.4
http://bugs.php.net/bug.php?id=29934
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/72275

If you decide to go down that road, you may want to know what Apple's default PHP configuration looks like. See "Updating PHP on OS X Server" available here: http://osx.topicdesk.com/downloads/


HTH,
Alex

David,

Yet from time to time these same users are in a
circumstance where they need to use webmail, thus
SquirrelMail needs to work. I am not trying to
secure webmail by requiring SSL.

I see, your problem. In this particular case there is a workaround.

Use different ports for postfix and cyrus limited to localhost, thus catering only to SquirrelMail, thus not needing TLS.

Roughly do this (this is just off the top of my head, may contain errors):

For SMTP / Postfix:
Edit /etc/postfix/master.cf
and add:
465 inet n - n - - smtpd
-o smtpd recipientrestrictions= permit_mynetworks,reject
-o mynetworks=127.0.0.1/32
-o smtpd enforcetls=no
# This will create a port 465 (if you use this alreay pick another one. choose the number wisely, depending ony what is in use on your server)
# This port is only accessible to IP number in "mynetworks"


For IMAP / Cyrus
Edit /etc/cyrus.conf and add (below imap):
imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0

Next duplicate /etc/imapd.conf and name it imapd-local.conf
Edit /etc/imapd-local.conf
Change
tls serveroptions: require
to
tls serveroptions: use

Next edit:
/etc/services
and create a port called "imaplocal"
(you could probably recycle 585 wich is deprecated, check what is in the services file, make sure no duplicate port numbers).
should look something like:
imaplocal 585/udp
imaplocal 585/tcp


When done with all config files:
Save & restart mail services

Point SquirrelMail to the new ports wich should only be accessible to localhost (check with an external client if it holds 🙂

Sorry for the "draft style" post, but I don't have much time.

Just ask, if anything isn't clear.

HTH,
Alex

If you permit your server to send mail itself without authenticating, you can simply tell SquirrelMail to use the Sendmail interface rather SMTP.

In the SquirrelMail Configure script, choose 2. for Server Settings, and then Option 3. SMTP or Sendmail and choose sendmail.

jaydisc,

that won't work. If IMAP is set to REQUIRE SSL, you won't be able to log into your account through SquirrelMail, so it doesn't really matter how you configure SMTP.

Alex

Doh. That's what I get for reading so fast. Sorry all.

When I was locking things down, I stopped accepting relayed mail through 25, and required SSL for SMTP on other ports and that was my solution for that.

Doh. That's what I get for reading so fast. Sorry
all.

Happens to me often 🙂

When I was locking things down, I stopped accepting
relayed mail through 25, and required SSL for SMTP on
other ports and that was my solution for that.

Which still doesn't solve the IMAP part 😉 (Just teasing, I know how you meant it 🙂

Hey, albeit a workaround, but how about just blocking ports 110 and 143 to externals?

jaydisc,

still wouldn't work. The ports would be blocked by the firewall, but cyrus would still be reading the same imapd.conf file which is set to require SSL. Thus, SquirrelMail would not work.

Alex

I think this previous thread covers what Jaydisk is referring to...

Topic: Best Practice Mail Authentication not really possible?
http://discussions.apple.com/message.jspa?messageID=1670953

I think this previous thread covers what Jaydisk is
referring to...

Topic: Best Practice Mail Authentication not really
possible?
http://discussions.apple.com/message.jspa?messageID=16
70953

Yes this covers pretty much most scenarions.

The particular situation of the original poster, can however only be solved by additional ports and configuration files for cyrus.

My proposal insinuates that you don't require SSL via configuration, rather through the firewall, and yes, it's only a workaround.

less evasive than recompiling PHP.

So David, which solution did you end up implementing?