Following on from my previous post about securing Squirrelmail, I found that WordPress can be forced to use https for login and admin tasks quite easily. Just edit your wp-config.php file and add define('FORCE_SSL_LOGIN', true); or define('FORCE_SSL_ADMIN', true); somewhere before the warning at the end of the file. The former option only uses https to transmit your login details. The latter forces all access to the admin pages to be secured. According to the WordPress documentation, https can be slow, which is why you might not want it enabled for the whole session.
You are currently browsing the Carl's notes weblog archives for November, 2011.
I recently noticed that my e-mail account provided by the French post office provides absolutely no security for either IMAP or webmail connections. The webmail doesn’t even seem to support https if you type it into the address bar. This is bad news because it means I can’t access it from public networks without my login and password being sent in clear text over the net.
Then I noticed that my Squirrelmail setup doesn’t force https for login, although you can still request it by typing in the address manually. I failed to configure Apache to rewrite URLs to https. There is always some subtlety in rewrite rules and Apache configuration in general that stops things from working the way I want first time. But Squirrelmail has a plugin called Secure Login which allows you to force https starting at the login page.
Download the tar.gz archive to your Squirrelmail plugin directory, probably /usr/share/squirrelmail/plugins/. Unpack it. Copy config.sample.php to config.php within the secure_login folder. Set the $change_back_to_http_after_login variable to 0 so your sessions remain in https. I don’t know why you would want to set it to 1 unless you have serious performance issues on a very underpowered server. In any case, if it’s set to 1 you won’t be able to log in at all. Don’t forget to run the Squirrelmail Perl configuration script /etc/squirrelmail/conf.pl to enable the new plugin.
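As an added example (not part of either post above, and not code from WordPress, Squirrelmail or the Secure Login plugin), here is a small shell script that covers both procedures: it inserts the FORCE_SSL_ADMIN define into wp-config.php ahead of the "That's all, stop editing!" comment, unpacks the Secure Login plugin and pins $change_back_to_http_after_login to 0, prints a plain Apache port-80 vhost that redirects to https without any rewrite rules, and finally checks from the outside that the http login URL really answers with a redirect to an https Location. The plugin directory, the presence of that wp-config.php comment, the tarball layout and the hostnames are assumptions; conf.pl is interactive and still has to be run by hand.

```shell
#!/bin/sh
# Added example, not from the original posts. Paths, hostnames and the
# tarball layout are assumptions; adjust them for your install.

# 1. WordPress: add define('FORCE_SSL_ADMIN', true); immediately before the
#    "That's all, stop editing!" comment that wp-config-sample.php ships with
#    (assumed to be present). Idempotent: a second run changes nothing.
wp_force_ssl_admin() {
    cfg="$1"
    if grep -q "FORCE_SSL_ADMIN" "$cfg"; then
        return 0
    fi
    if ! grep -q "That.s all, stop editing" "$cfg"; then
        echo "marker comment not found in $cfg; add the define by hand" >&2
        return 1
    fi
    awk -v line="define('FORCE_SSL_ADMIN', true);" \
        '/That.s all, stop editing/ { print line } { print }' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# 2. Squirrelmail: force the plugin to keep the session on https by setting
#    $change_back_to_http_after_login = 0 in secure_login/config.php.
sqm_keep_https() {
    cfg="$1"
    sed 's/^\$change_back_to_http_after_login *= *[01];/$change_back_to_http_after_login = 0;/' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Unpack the plugin tarball into the plugin directory (assumed to create a
# secure_login/ folder), create config.php from the sample, then pin it.
# Running /etc/squirrelmail/conf.pl to enable the plugin is still manual.
sqm_install_secure_login() {
    tarball="$1"
    plugins="${2:-/usr/share/squirrelmail/plugins}"
    tar -xzf "$tarball" -C "$plugins" || return 1
    cfg="$plugins/secure_login/config.php"
    [ -f "$cfg" ] || cp "$plugins/secure_login/config.sample.php" "$cfg" || return 1
    sqm_keep_https "$cfg"
}

# 3. Apache side, using mod_alias Redirect instead of rewrite rules: print a
#    port-80 vhost that sends every request to the https site. $1 is the
#    hostname (placeholder).
apache_https_redirect_vhost() {
    host="$1"
    cat <<EOF
<VirtualHost *:80>
    ServerName $host
    Redirect permanent "/" "https://$host/"
</VirtualHost>
EOF
}

# 4. Verification: read raw HTTP response headers from stdin and succeed only
#    if the status is a redirect and the Location header starts with https://.
#    Kept separate from curl so it can be exercised on constructed headers.
headers_redirect_to_https() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        301|302|303|307|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch only the headers of the plain-http login URL and check them.
# Example: check_https_redirect http://mail.example.org/src/login.php
check_https_redirect() {
    curl -sSI "$1" | headers_redirect_to_https
}
```

The redirect check is worth running after every one of the changes above, because FORCE_SSL_ADMIN, the plugin and the Apache vhost each cover a different entry point: a login form that still answers 200 over plain http means one of them is not in effect.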