We use cookies to ensure you get the best experience on our website
Etusivu Tutki Apua
Rekisteröidy Kirjaudu sisään
0ct0pu5
/
squirrelmail
1
0
Fork 0
Tiedostot Ongelmat 0 Pull-pyynnöt 0 Wiki
Puu: 7d285b51a0
Haarat Tagit
squirrelmail
/
doc
/
security.txt

security.txt 2.1 KB
Historia Raaka

12345678910111213141516171819202122232425262728293031323334353637383940414243444546 
  1. Securing Your SquirrelMail Setup
    2. 

  2. --------------------------------
    3. 

  3. 

  4. We try to make SquirrelMail as secure as possible, but the security of
    5. 

  5. an install depends on a lot of factors. This file lists some tips to
    6. 

  6. further improve the security of your webmail system.
    7. 

  7. 

  8. - PHP configuration. It's very important to turn register_globals OFF.
    9. 

  9.   The majority of security issues discovered in SquirrelMail in the past
    10. 

  10.   could only be exploited when register_globals was set to on. If you
    11. 

  11.   need register_globals for other web applications, turn it on specifically
    12. 

  12.   for those apps.
    13. 

  13. 

  14. - HTTPS/SSL Logins. SquirrelMail runs fine over an https / SSL connection,
    15. 

  15.   and it's not that hard to set one up.
    16. 

  16. 

  17. - Data dir / attachment dir. Make sure that you've set these up with the
    18. 

  18.   right permissions (only for the webserver user) and that they're outside
    19. 

  19.   of your webserver's document root. See INSTALL for details.
    20. 

  20. 

  21. - IMAPS / TLS. If your IMAP server is not on the same host as SquirrelMail,
    22. 

  22.   you can configure SquirrelMail to use an encrypted connection to your
    23. 

  23.   IMAP server. Note that this makes no sense if both are on the same machine.
    24. 

  24.   See doc/authentication.txt for info.
    25. 

  25. 

  26. - config.php. Some options in conf.pl / config.php allow for passwords to
    27. 

  27.   be set in that file, e.g. the addressbook/preferences DSN, and LDAP
    28. 

  28.   addressbooks. When setting a sensitive password, check that config.php
    29. 

  29.   is not readable for untrusted system users, and consider the possibility
    30. 

  30.   of it being read by other users of the same webserver.
    31. 

  31. 

  32. - Subscribe to the squirrelmail-announce mailinglist to be informed about new
    33. 

  33.   releases which may fix security bugs. If you run SquirrelMail packaged by
    34. 

  34.   your distribution, make sure to apply their security upgrades.
    35. 

  35. 

  36. - If you use SELinux, SquirrelMail will not work unless you create a policy
    37. 

  37.   for it. In the SELinux Policy Editor, under HTTPD Service, enable
    38. 

  38.   "allow HTTPD scripts and modules to connect to the network".
    39. 

  39. 

  40. These are only some tips to get you started. A truly secure system needs
    41. 

  41. careful tweaking of all components, including PHP, Apache, mailserver,
    42. 

  42. the underlying OS, which users can login, etc. Searching the web will turn
    43. 

  43. up lots of information.
    44. 

  44. 

  45. 

  46. $Id$
    47.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5