We should ship squirrelmail with an _easy_ way for admins to make it SSL-only. In fact, we should probably even make that the default. That means either shipping the secure_login plugin, or appropriate magic in the httpd config file.
I need some context here, what is the beginning of the actual problem?
Context: I set up webmail for some people on one of my machines. To my horror, I realised a few days later that I was actually letting them log in over unencrypted connections! I fixed it by fetching and installing the secure_login plugin for Squirrelmail (http://www.squirrelmail.org/plugin_view.php?id=61), which silently redirects them to https whenever they come in with an http URL -- there may have been better solutions. There are two problems -- first the fact that it was allowing insecure logins by default, and then the fact that it wasn't immediately obvious how to fix it (and my solution involved downloading additional plugins).
We can't be doing this by default, because https requires manual configuration, and people upgrading the squirrelmail package will suddenly have broken configurations where squirrelmail is redirecting them to something that doesn't work out of the box. We can't protect everyone from themselves. I think a bigger problem is that it was a mistake for us to ship squirrelmail from the beginning...
Not doing it by default is perhaps acceptable -- we ought to have a clear way for people to do it if they want to though, without having to download extra plugins. It's not as if setting up https is _that_ hard.
I personally use this in my httpd.conf. Would you be satisfied if I shipped this as an example comment with some description of how to use it within the squirrelmail package? RedirectMatch ^/webmail[/](.*)$ https://togami.com/webmail/$1 Only complication is that I am uncertain where exactly this line needs to go in httpd.conf to be effective. I think I may add this as a %doc called something like SQUIRRELMAIL-FEDORA-SECURE-README or something. This I think is better than shipping a plugin in our package, which would still need to be manually enabled somehow.
Better if you can use something which automatically replaces the 'togami.com' with an appropriate hostname -- but yeah, that would be sane enough. I could never get that to work for _only_ http URLs and not _also_ do it for https URLs (recursively), which is why I resorted to the secure_login plugin. But if you give a decent example, that would be fine.
Any suggested httpd.conf syntax to automatically replace the domain name?
Since I'm no longer maintainer of this package I'm reassigning it to the default owner of the package.
suggestion: /etc/httpd/conf.d/squirrelmail.conf: Alias /webmail /usr/share/squirrelmail <Directory /usr/share/squirrelmail> RewriteEngine on RewriteCond %{HTTPS} !=on RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} </Directory> any objections?
I've updated reporter's email in cc-list