Installing squirrelmail on RedHat Linux RH9.
Squirrelmail comes with the RedHat 9 distribution. It is a collection
of PHP scripts which run under the Apache Web Server and allow you to read
your mail via a Web interface. It asks for your user id (Linux user id) and
password and then operates on your mailbox using IMAP.
There are several open source solutions for Linux for reading e-mail via
the Web. Some may be even better (though squirrelmail is great), but my choice
of squirrelmail was mainly driven by the fact that it comes with RedHat Linux,
so you do not have to compile, install, etc... It is done...
Why use a "webmail" type solution rather than the mail facility of most
advanced browsers (which can directly connect to the secure IMAP server
on your mail gate)? My reasons are listed below:
i) Setting up the browser's Mail and Newsgroups facility takes some time.
If you want to read your mail from different computers (e.g., on
the road in Internet cafes) you would need to set up the mail
account (or profile) in each browser before you can access your
mailbox and mail gateway. While it is not complicated, it is really
not an option if you want to quickly (and occasionally) use a friend's
computer to check your mail. You would probably mess up his/her setup,
and it would take you at least 5 minutes to click on all the necessary
menu items and enter the required hostnames and ports, provided that you
know what you are doing... Squirrelmail does not require
any modification or setup changes in your browser. You access it like
a regular Web page. It requires, however, that you have cookies and
JavaScript enabled in the browser, which in fact is the standard situation.
ii) Another problem is that the IMAP port (secure or unsecure) is usually
blocked by firewalls, while access to a Web server is not.
Oh well... Companies which run VPNs often block HTTPS access
(and other encrypted protocols) to non-company computers, since
they want to read/monitor what you write/send. Opening the IMAP
port on a firewall to the general public is a policy decision.
It would have to be done in this case, though. Even if you
only want to read mail from home, your home computer is probably
assigned a dynamic IP address via the DHCP protocol, and you cannot
know its address in advance.
iii) Moreover, to be able to send mail from the browser via your mail
gateway, you need to allow mail relaying from the browser machine in your
mail gateway. If you wanted to allow unrestricted access from any
browser, you would need to allow all computers to relay through your
mail gateway, which is not acceptable (you would end up relaying
spam for spammers). While there are ways around it, they are
not necessarily easy to implement.
By using a webmail type interface like squirrelmail, you avoid these problems.
Your browser is only a USER INTERFACE, while the web server machine is the
one which communicates with the IMAP server and the sendmail program. You only
need to authorize a single machine to connect to IMAP and relay through
sendmail. In fact, if your web server and mail gateway are on the same subnet,
they are most likely already authorized to talk to each other.
There are a few things to keep in mind:
- squirrelmail does not support imaps (i.e., secure, SSL based,
Internet Message Access Protocol with SSL), to my knowledge.
You also have to use the HTTPS protocol to communicate between the
Web browser and the Web server, since you are sending your user id and
password over the net, and it had better be encrypted. Also, the IMAP
server has to be protected against access from outside. While in my case
port 143 is blocked on my firewall, I will still use the access
control built into xinetd to restrict IMAP access to
localhost/127.0.0.1 only (i.e., intra-computer TCP connections).
- you should not really use squirrelmail and another mail client (say
pine) at the same time, since pine, for example, moves your system
mailbox (i.e., the mailbox located in /var/spool/mail/your_user_name) to
your home directory (as mbox). The imap server will not see it there.
There are probably many ways around it, like creating links
(Squirrelmail will allow you to create folders and will look under
/home/yourname/mbox, so you can create links), but I did not study
the matter. The same is true of accessing e-mail via the Mozilla
mail/newsgroup utility and IMAPS (secure IMAP on port 993). It
results in different locations of folders like Sent, Drafts, Trash, etc.
Again, you probably need to make links or play with config files,
e.g., edit /usr/share/squirrelmail/config/config_default.php
or the xxx.pref files in the /var/lib/squirrelmail/prefs/ directory for
individual users.
Installation/configuration if Apache and sendmail are on the same machine
=========================================================================
1) Check what is installed:
rpm -qa squirrelmail (in my case: squirrelmail-1.2.11-1)
rpm -qa imap (imap-2001a-18)
rpm -qa httpd (httpd-2.0.40-21.3)
I made updates to the system in late August using apt-rpm
(to read more on how to install apt-rpm, check my write-up:
http://www.ccl.net/cca/software/UNIX/updating-redhat/).
I assume that you have a clean installation (i.e., not an upgrade
from previous RH Linuces) and a full installation (Custom/Install Everything)
of RedHat 9, and that the patches/updates have been applied. If not,
some things may not work... If you have some earlier packages,
please install the updates. If you do not have these packages,
go to the http://www.redhat.com/mirrors.html web page, and
retrieve them from the ...redhat/linux/9/en/os/i386/RedHat/RPMS directory,
namely:
squirrelmail-1.2.11-1
imap-devel-2001a-18
php-imap-4.2.2-17
imap-2001a-18
httpd-2.0.40-21.3
redhat-config-httpd-1.0.1-18
httpd-devel-2.0.40-21.3
httpd-manual-2.0.40-21.3
And then install them as:
rpm -Uhv package-name*.rpm
where package-name is one of the above.
2) Configuring Apache Web server for squirrelmail
If the packages are installed, proceed with configuration.
First, you need to start your web server. Check if it is running
by typing:
ps -ef | grep http | grep -v grep
If nothing shows up, you need to start httpd (i.e., start the web server).
Do one of the two:
/etc/rc.d/init.d/httpd restart
or
service httpd restart
I use restart here to make sure that the processes which were running
are killed and then started from scratch.
If squirrelmail was installed on your machine, there should be
a small file in /etc/httpd/conf.d called squirrelmail.conf.
It contains an Alias:
Alias /webmail /usr/share/squirrelmail
This alias directs Apache to serve URLs like:
https://myexamplemachine.com/webmail
or
http://myexamplemachine.com/webmail
from the /usr/share/squirrelmail directory.
The first thing you should do is to comment out the Alias in the
/etc/httpd/conf.d/squirrelmail.conf file, since it is unsafe: it
allows users to access webmail via the HTTP protocol (i.e., no encryption)
and therefore to send user ids and passwords in the open
over the net. Change this line to (just put a # in front of the line):
# Alias /webmail /usr/share/squirrelmail
Then, place this line in the /etc/httpd/conf.d/ssl.conf file under the
SSL protected virtual server. Namely, look for the line:
<VirtualHost _default_:443>
in the ssl.conf file and add the Alias line somewhere under the DocumentRoot
entry. Also change the ServerName and ServerAdmin entries to reflect
reality. For example:
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/var/www/html"
Alias /webmail /usr/share/squirrelmail
ServerName myexamplemachine.com:443
ServerAdmin admin@myexamplemachine.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
The above configuration refers to a default configuration file which comes
with a fresh Apache installation. If you modified the httpd.conf/or ssl.conf
files, you may need to use a different setup for serving squirrelmail.
Then restart the Apache server:
/etc/rc.d/init.d/httpd restart
Now, when you point your browser to:
http://myexamplemachine.com/webmail
you should get the "Object not found" page, but when you point it to
https://myexamplemachine.com/webmail
you should get a login page.
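Besides pointing a browser at the two URLs, you can check the configuration files directly. The script below is an added example (not part of the original write-up): it reads a conf.d/squirrelmail.conf and an ssl.conf, reports whether /webmail is still served over plain HTTP, only inside the :443 virtual host, or not at all, and builds constructed sample files to run against.

```shell
#!/bin/sh
# Added example, not part of the original write-up: report where the
# /webmail Alias is served from. An uncommented Alias in
# conf.d/squirrelmail.conf is reachable over plain HTTP, so logins would
# cross the wire unencrypted; the Alias belongs only inside the :443 vhost.
# Prints one of: http-exposed, https-only, not-served.
webmail_alias_audit() {
    confd="$1"     # e.g. /etc/httpd/conf.d/squirrelmail.conf
    sslconf="$2"   # e.g. /etc/httpd/conf.d/ssl.conf
    if grep -q '^[[:space:]]*Alias[[:space:]]*/webmail' "$confd"; then
        echo "http-exposed"
        return 0
    fi
    # Track whether we are inside a <VirtualHost ...:443> block; an Alias
    # placed anywhere else in ssl.conf would not be limited to HTTPS either.
    inside=$(awk '
        /^[ \t]*<VirtualHost[^>]*:443>/ { in443 = 1 }
        /^[ \t]*<\/VirtualHost>/        { in443 = 0 }
        in443 && /^[ \t]*Alias[ \t]+\/webmail/ { found = 1 }
        END { print (found ? "yes" : "no") }' "$sslconf")
    if [ "$inside" = "yes" ]; then echo "https-only"; else echo "not-served"; fi
}

# Constructed sample files in the shape of the stock RH9 layout (not copies
# of any real system): the Alias before and after commenting it out, and an
# ssl.conf with the Alias inside the :443 virtual host.
make_apache_samples() {
    d=$(mktemp -d)
    printf 'Alias /webmail /usr/share/squirrelmail\n' > "$d/squirrelmail.conf.before"
    printf '# Alias /webmail /usr/share/squirrelmail\n' > "$d/squirrelmail.conf.after"
    cat > "$d/ssl.conf" <<'EOF'
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
Alias /webmail /usr/share/squirrelmail
ServerName myexamplemachine.com:443
</VirtualHost>
EOF
    sed '/^Alias/d' "$d/ssl.conf" > "$d/ssl.conf.noalias"   # Alias forgotten
    echo "$d"
}

d=$(make_apache_samples)
echo "stock conf.d alias : $(webmail_alias_audit "$d/squirrelmail.conf.before" "$d/ssl.conf")"
echo "moved into :443    : $(webmail_alias_audit "$d/squirrelmail.conf.after" "$d/ssl.conf")"
echo "alias missing      : $(webmail_alias_audit "$d/squirrelmail.conf.after" "$d/ssl.conf.noalias")"
```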
The next thing is to create digital certificates for your web server, unless
you have already done this. The digital certificates are located in the
/etc/httpd/conf/ssl.* directories. Apache comes with generic
certificates, but if you want ones which identify your particular
machine, you need to create them. Read the comments in the Makefile in the
/etc/httpd/conf directory (it is actually a link to the Makefile which
resides in /usr/share/ssl/certs/Makefile).
You usually want to create the test certificate (i.e., a self-signed
certificate which is not backed by the Thawte or VeriSign Certificate
Authorities).
cd /etc/httpd/conf
mkdir generic_certificates
mv ssl* generic_certificates
mkdir ssl.crt
mkdir ssl.csr
mkdir ssl.key
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
make certreq
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Ohio
Locality Name (eg, city) [Newbury]:Columbus
Organization Name (eg, company) [My Company Ltd]:OSC
Organizational Unit Name (eg, section) []:CCL
Common Name (eg, your name or your server's hostname) []:www.myexample.com
Email Address []:jkl@ccl.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: -- I did not enter the password --
An optional company name []:
Note that for the Common Name I entered the host name where the Apache is
running.
make testcert
Use the same entries as for make certreq. Then, restart Apache:
/etc/rc.d/init.d/httpd restart
Now... We are still not ready, since the imap server is not activated
and we have not configured squirrelmail.
3) Configuring xinetd to activate imap on request
Go to the /etc/xinetd.d directory and edit the imap file by changing the line:
disable = yes
to
disable = no
Since imap is inherently unsafe (it does not run over SSL), you should
block port 143 (the imap port) from external access. You can do it
on the firewall, and you should also restrict access using the imap entry
in the /etc/xinetd.d directory. You could also use TCP wrappers, since the
RH9 xinetd daemon is compiled with the libwrap library (you can
check it yourself:
strings -f /usr/sbin/xinetd | grep libwrap
which will find it in the binary); however, it is just more convenient
to restrict access to imap in the /etc/xinetd.d/imap file. If you place the
line:
only_from = 127.0.0.1 localhost
in the /etc/xinetd.d/imap file, imap will respond to requests only
from the localhost, i.e., from the machine on which it runs.
Also, for the time of testing, I would comment out the lines:
# log_on_success += HOST DURATION
# log_on_failure += HOST
and replace them with:
log_on_success = PID HOST EXIT DURATION
log_on_failure = ATTEMPT HOST RECORD
to get debugging information. The imapd log entries should be available
in the /var/log/maillog file.
Then make xinetd reread its configuration by sending it the SIGUSR1 signal.
ps -aux | grep xinetd # this will give you the PID number of xinetd
kill -USR1 PID
For example, in my case:
ps -e | grep xinetd
produced:
1310 ? 00:00:00 xinetd
so I did:
kill -USR1 1310
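The only_from restriction is easy to get wrong (a forgotten entry, or an extra host added later), so here is an added audit script (not part of the original write-up) that reads a file in the /etc/xinetd.d format and reports whether the service is disabled, enabled but open to any host, or enabled and limited to localhost; the sample files it writes are constructed to look like RH9's imap entry.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit an xinetd service
# file such as /etc/xinetd.d/imap and report whether the service is enabled
# and, if so, whether "only_from" limits it to the loopback address.
# Prints one of: disabled, enabled-open, enabled-localhost-only.
xinetd_audit() {
    file="$1"
    # Strip comments and normalise "key = value" / "key += value" to "key=value".
    cfg=$(sed -e 's/#.*//' -e 's/[[:space:]]*+*=[[:space:]]*/=/' "$file")
    if printf '%s\n' "$cfg" | grep -q '^[[:space:]]*disable=yes'; then
        echo "disabled"
        return 0
    fi
    only_from=$(printf '%s\n' "$cfg" | sed -n 's/^[[:space:]]*only_from=//p')
    if [ -z "$only_from" ]; then
        echo "enabled-open"          # no only_from at all: answers any host
        return 0
    fi
    # Every listed source must be loopback; one extra entry widens exposure.
    for src in $only_from; do
        case "$src" in
            127.0.0.1|localhost) ;;
            *) echo "enabled-open"; return 0 ;;
        esac
    done
    echo "enabled-localhost-only"
}

# Constructed samples in the shape of RH9's /etc/xinetd.d/imap (not copies
# of a real file): locked to localhost, enabled without only_from, disabled.
make_xinetd_samples() {
    d=$(mktemp -d)
    for variant in locked open off; do
        case $variant in
            locked) extra='        only_from       = 127.0.0.1 localhost'; dis=no ;;
            open)   extra=''; dis=no ;;
            off)    extra=''; dis=yes ;;
        esac
        cat > "$d/imap-$variant" <<EOF
service imap
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/imapd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
$extra
        disable         = $dis
}
EOF
    done
    echo "$d"
}

d=$(make_xinetd_samples)
for v in locked open off; do
    echo "imap-$v: $(xinetd_audit "$d/imap-$v")"
done
```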
4) Configuring squirrelmail
Now you need to configure squirrelmail. There is a script which does it:
cd /usr/share/squirrelmail/config
./conf.pl
Enter a digit to choose an option, S to save data, R to return to the main menu
and Q to exit. I did not change all the options, and my entries are below:
1. Organization Preferences
1. Organization Name : CCL
2. Server Settings
1 Domain: www.myexample.com
2 IMAP server: 127.0.0.1
3 IMAP Port: 143
4 Use Sendmail/SMTP 2. SMTP
5 SMTP Server : 127.0.0.1
3. Folder Defaults
4. General Options
5. Themes
6. Address Books (LDAP)
7. Message of the Day (MOTD)
8. Plugins
9. Database
Now you are ready to use squirrelmail, i.e., in your browser enter the URL:
https://myexample.com/webmail
and you should be offered a page which asks for your UNIX user id
and password. Once you enter them, you should be offered a listing of
the messages in your INBOX. If things do not work, try restarting
all the services which are involved, i.e.:
/etc/rc.d/init.d/sendmail restart
/etc/rc.d/init.d/httpd restart
/etc/rc.d/init.d/xinetd restart
If still no luck, try to verify the installation and configuration.
You may also check the default upload file sizes which PHP supports
(squirrelmail uses PHP). This concerns the maximum size of attachments you can
use in your outgoing messages, and probably also other things.
The PHP default is 2 Megs, which is too small
for me. Edit the file /etc/php.ini
and change your preferences for
and change your preferences for
post_max_size =
memory_limit =
upload_max_filesize =
It comes with small defaults. While I did not delve into what it all
really means, I have set mine to:
post_max_size = 15M
memory_limit = 18M
upload_max_filesize = 15M
and then restarted Apache:
/etc/rc.d/init.d/httpd restart
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
Installation/configuration when Squirrelmail and imap run on different machines
=========================================================================
The write-up above assumes that the sendmail program runs on the
same machine as imap and the web server. Below are the modifications
for the case where Apache (+squirrelmail) and sendmail (+imap) run on different
machines. For the purpose of illustration, let us assume that the
machine with the Web server (and squirrelmail) is called www.myexample.com,
and the machine on which sendmail (and imap) run is called
mail.myexample.com.
Unsecure solution
=================
In this solution squirrelmail talks to the imap server over an unencrypted
TCP connection (i.e., passwords and user ids are sent in the open).
This is only acceptable when you are behind a firewall and you
trust all users on your network. In fact, you can only trust this
arrangement when you have NO users on your network, i.e., when the
mail server and the web server machines are behind the firewall
on a separate subnet, and you do not allow users to log in to these
machines directly. They can only access the Web server via HTTPS.
You will set up the web server as in part 2) above on the machine
www.myexample.com.
You will activate the imap service in xinetd on the mail.myexample.com
machine as in part 3). Remember to restart xinetd.
You will configure squirrelmail on www.myexample.com in a similar way
as in point 4), but you will use other addresses for the imap server and for
the SMTP server, namely:
1. Organization Preferences
1. Organization Name : CCL
2. Server Settings
1 Domain: myexample.com (or whatever you want on From: line)
2 IMAP server: mail.myexample.com
3 IMAP Port: 143
4 Use Sendmail/SMTP 2. SMTP
6 SMTP Server : mail.myexample.com
3. Folder Defaults
4. General Options
5. Themes
6. Address Books (LDAP)
7. Message of the Day (MOTD)
8. Plugins
9. Database
On the machine mail.myexample.com you will edit the file /etc/mail/access
and add the line:
www.myexample.com RELAY
and convert the access file to the database format (access.db) as:
makemap hash /etc/mail/access.db < /etc/mail/access
Unfortunately... This solution is quite insecure, since passwords
are flying over the wire unencrypted. It is probably more acceptable on an
internal network behind a firewall, but if someone breaks into one
of the computers on the internal network (or you have a bad guy among
your users), you have to look for another job {:-(}.
Secure Solution
===============
There are many ways of doing this. I chose to use stunnel.
Again... We have 2 machines:
a) Machine with the Web Server which has squirrelmail (www.myexample.com)
b) Machine with sendmail which also runs imaps (secure imap) (mail.myexample.com)
On the machine www.myexample.com
--------------------------------
1) create a certificate for stunnel (it is optional in client mode, but
you may need it one day anyhow).
cd /usr/share/ssl/certs
make stunnel.pem
....
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Ohio
Locality Name (eg, city) [Newbury]:Columbus
Organization Name (eg, company) [My Company Ltd]:OSC
Organizational Unit Name (eg, section) []:CCL
Common Name (eg, your name or your server's hostname) []:www.myexample.com
Email Address []:jkl@ccl.net
Certificate was made in /usr/share/ssl/certs/stunnel.pem
2) Create a configuration file for stunnel: /etc/stunnel/stunnel-imap.conf
client = yes
cert = /usr/share/ssl/certs/stunnel.pem
pid = /var/run/stunnel-imap.pid
# sends debug info to /var/log/secure, remove after debugging
debug = 7
[stunnel-imap]
accept = 1143
connect = mail.myexample.com:993
A copy of /etc/stunnel/stunnel-imap.conf is provided
here.
This configuration tells stunnel to run in client mode, to load its
certificate (if it needs it), to save its process id number in the
/var/run/stunnel-imap.pid file, to write lots of debug information to the
/var/log/secure file, and to accept local connections on port 1143 and
forward them over SSL to port 993 (imaps) on mail.myexample.com.
3) Make a link in /usr/sbin to have a specific name for this stunnel
(stunnel-imap) process. By giving it a name, you can run another
stunnel for doing something else, and they will not collide with
each other.
cd /usr/sbin
ln -s stunnel stunnel-imap
4) Edit /etc/services and add there a line for a new service in a proper
place:
stunnel-imap 1143/tcp # stunnel passing imap requests over SSL
5) Create a boot-up script, call it stunnel-imap, and place it
in the /etc/rc.d/init.d directory. Then install the service by executing:
cd /etc/rc.d/init.d
chkconfig --add stunnel-imap
You can use/modify a script which I came up with. It is given
here.
6) Protect the stunnel with TCP wrappers, so that only localhost (127.0.0.1) can
access the tunnel. Place this line in the /etc/hosts.allow file:
stunnel-imap: 127.0.0.1
and in the file /etc/hosts.deny put the following line:
stunnel-imap: ALL
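The plaintext end of the tunnel (accept = 1143) is the weak spot on www.myexample.com: stunnel listens on every interface unless told otherwise, so either the hosts.allow/hosts.deny pair from step 6) or a loopback-bound accept address must be in place. The script below is an added example (not part of the original write-up) that checks steps 2) and 6) together; it assumes a stunnel 4 configuration in the form shown above, that "accept = 127.0.0.1:1143" is the loopback-bound form, and builds constructed sample files to run against.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit the client-side
# stunnel setup. "client = yes" and a connect target on port 993 make the
# encrypted leg correct; the local entry port must then be either bound to
# loopback (accept = 127.0.0.1:1143, assumed stunnel 4 syntax) or fenced by
# hosts.allow/hosts.deny entries for the service name in [brackets].
# Prints one of: not-client-mode, connect-not-imaps, loopback-bound,
# wrapped-localhost-only, tunnel-entry-open.
stunnel_audit() {
    conf="$1"; allow="$2"; deny="$3"
    cfg=$(sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/=/' "$conf")
    svc=$(printf '%s\n' "$cfg" | sed -n 's/^\[\(.*\)\]$/\1/p' | head -n 1)
    printf '%s\n' "$cfg" | grep -q '^client=yes$' || { echo "not-client-mode"; return 0; }
    printf '%s\n' "$cfg" | grep -q '^connect=.*:993$' || { echo "connect-not-imaps"; return 0; }
    accept=$(printf '%s\n' "$cfg" | sed -n 's/^accept=//p')
    case "$accept" in
        127.0.0.1:*) echo "loopback-bound"; return 0 ;;
    esac
    # A bare port listens on all interfaces: require the wrappers pair.
    if grep -q "^$svc:[[:space:]]*127\.0\.0\.1" "$allow" \
       && grep -q "^$svc:[[:space:]]*ALL" "$deny"; then
        echo "wrapped-localhost-only"
    else
        echo "tunnel-entry-open"
    fi
}

# Constructed samples (not copies of a real system): the config from the
# write-up, a loopback-bound variant, and wrappers files with and without
# the stunnel-imap entries.
make_stunnel_samples() {
    d=$(mktemp -d)
    cat > "$d/stunnel-imap.conf" <<'EOF'
client = yes
cert = /usr/share/ssl/certs/stunnel.pem
pid = /var/run/stunnel-imap.pid
# sends debug info to /var/log/secure, remove after debugging
debug = 7
[stunnel-imap]
accept = 1143
connect = mail.myexample.com:993
EOF
    sed 's/^accept = 1143/accept = 127.0.0.1:1143/' "$d/stunnel-imap.conf" \
        > "$d/stunnel-imap.loopback.conf"
    echo 'stunnel-imap: 127.0.0.1' > "$d/hosts.allow"
    echo 'stunnel-imap: ALL' > "$d/hosts.deny"
    : > "$d/hosts.deny.empty"        # wrappers never configured
    echo "$d"
}

d=$(make_stunnel_samples)
echo "wrapped : $(stunnel_audit "$d/stunnel-imap.conf" "$d/hosts.allow" "$d/hosts.deny")"
echo "no deny : $(stunnel_audit "$d/stunnel-imap.conf" "$d/hosts.allow" "$d/hosts.deny.empty")"
echo "loopback: $(stunnel_audit "$d/stunnel-imap.loopback.conf" "$d/hosts.allow" "$d/hosts.deny.empty")"
```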
7) Make sure that on the www.myexample.com machine the imap server is
disabled, i.e., if there is a file /etc/xinetd.d/imap, it should
have the line:
disable = yes
8) Reconfigure squirrelmail and put in the following entries:
cd /usr/share/squirrelmail/config
./conf.pl
1. Domain : www.myexample.com
2. IMAP Server : 127.0.0.1
3. IMAP Port : 1143
4. Use Sendmail/SMTP : SMTP
6. SMTP Server : mail.myexample.com
7. SMTP Port : 25
8. Authenticated SMTP : false
9. POP Before SMTP : false
10. Server : uw
11. Invert Time : false
12. Delimiter : detect
R Return to Main Menu
C. Turn color on
S Save data
Q Quit
9) restart xinetd and start stunnel-imap
cd /etc/rc.d/init.d
./xinetd restart
./stunnel-imap restart
On the machine mail.myexample.com
----------------------------------
Do the same as was required for the unsecure solution,
but activate imaps rather than imap in /etc/xinetd.d, namely:
1) On the machine mail.myexample.com edit file /etc/mail/access
and add the line:
www.myexample.com RELAY
and create the database file needed by sendmail as:
makemap hash /etc/mail/access.db < /etc/mail/access
2) enable imaps in the imaps entry of the /etc/xinetd.d directory by
changing the line:
disable = yes
to
disable = no
imaps is the secure version of the IMAP protocol, i.e., it communicates
with the IMAP client (in our case the other end of the stunnel-imap
tunnel) over the SSL protocol.
Then restart the xinetd as:
/etc/rc.d/init.d/xinetd restart
Disclaimer: All of the above is purely stupid, and if you used it,
then it is your fault. To learn how to really do it right, ask your
lawyer.
Jan K. Labanowski, jkl at osc . edu, September 2, 2003