Bug 183189

Summary: RFE: Ship secure_login plugin by default.
Product: [Fedora] Fedora Reporter: David Woodhouse <dwmw2>
Component: squirrelmailAssignee: Michal Hlavinka <mhlavink>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwmw2, eric.eisenhart, wtogami
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-07-01 08:48:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description David Woodhouse 2006-02-27 11:31:50 UTC
We should ship squirrelmail with an _easy_ way for admins to make it SSL-only.
In fact, we should probably even make that the default. 

That means either shipping the secure_login plugin, or appropriate magic in the
httpd config file.

Comment 1 Warren Togami 2006-02-27 15:13:36 UTC
I need some context here, what is the beginning of the actual problem?


Comment 2 David Woodhouse 2006-02-27 15:24:41 UTC
Context: I set up webmail for some people on one of my machines. To my horror, I
realised a few days later that I was actually letting them log in over
unencrypted connections!

I fixed it by fetching and installing the secure_login plugin for Squirrelmail
(http://www.squirrelmail.org/plugin_view.php?id=61), which silently redirects
them to https whenever they come in with an http URL -- there may have been
better solutions.

There are two problems -- first the fact that it was allowing insecure logins by
default, and then the fact that it wasn't immediately obvious how to fix it (and
my solution involved downloading additional plugins).

Comment 3 Warren Togami 2006-02-27 15:44:22 UTC
We can't be doing this by default, because https requires manual configuration,
and people upgrading the squirrelmail package will suddenly have broken
configurations where squirrelmail is redirecting them to something that doesn't
work out of the box.

We can't protect everyone from themselves.  I think a bigger problem is that it
was a mistake for us to ship squirrelmail from the beginning...


Comment 4 David Woodhouse 2006-02-27 15:48:08 UTC
Not doing it by default is perhaps acceptable -- we ought to have a clear way
for people to do it if they want to though, without having to download extra
plugins. 

It's not as if setting up https is _that_ hard.

Comment 5 Warren Togami 2006-02-27 15:54:50 UTC
I personally use this in my httpd.conf.  Would you be satisfied if I shipped
this as an example comment with some description of how to use it within the
squirrelmail package?

RedirectMatch ^/webmail[/](.*)$ https://togami.com/webmail/$1

Only complication is that I am uncertain where exactly this line needs to go in
httpd.conf to be effective.  I think I may add this as a %doc called something
like SQUIRRELMAIL-FEDORA-SECURE-README or something.

This I think is better than shipping a plugin in our package, which would still
need to be manually enabled somehow.

Comment 6 David Woodhouse 2006-02-27 16:05:17 UTC
Better if you can use something which automatically replaces the 'togami.com'
with an appropriate hostname -- but yeah, that would be sane enough.

I could never get that to work for _only_ http URLs and not _also_ do it for
https URLs (recursively), which is why I resorted to the secure_login plugin.
But if you give a decent example, that would be fine.

Comment 7 Warren Togami 2006-02-27 18:00:51 UTC
Any suggested httpd.conf syntax to automatically replace the domain name? 

Comment 9 Martin Bacovsky 2009-04-28 17:21:08 UTC
Since I'm no longer maintainer of this package I'm reassigning it to the default owner of the package.

Comment 10 Michal Hlavinka 2009-05-26 13:01:38 UTC
suggestion:
/etc/httpd/conf.d/squirrelmail.conf:

Alias /webmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
  RewriteEngine        on
  RewriteCond          %{HTTPS} !=on
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>

any objections?

Comment 11 Michal Hlavinka 2009-06-09 06:34:52 UTC
I've updated reporter's email in cc-list