Bug 183189 - RFE: Ship secure_login plugin by default.
Summary: RFE: Ship secure_login plugin by default.
Alias: None
Product: Fedora
Classification: Fedora
Component: squirrelmail
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Michal Hlavinka
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2006-02-27 11:31 UTC by David Woodhouse
Modified: 2009-07-01 08:48 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2009-07-01 08:48:30 UTC
Type: ---

Attachments (Terms of Use)

Description David Woodhouse 2006-02-27 11:31:50 UTC
We should ship squirrelmail with an _easy_ way for admins to make it SSL-only.
In fact, we should probably even make that the default. 

That means either shipping the secure_login plugin, or appropriate magic in the
httpd config file.

Comment 1 Warren Togami 2006-02-27 15:13:36 UTC
I need some context here, what is the beginning of the actual problem?

Comment 2 David Woodhouse 2006-02-27 15:24:41 UTC
Context: I set up webmail for some people on one of my machines. To my horror, I
realised a few days later that I was actually letting them log in over
unencrypted connections!

I fixed it by fetching and installing the secure_login plugin for Squirrelmail
(http://www.squirrelmail.org/plugin_view.php?id=61), which silently redirects
them to https whenever they come in with an http URL -- there may have been
better solutions.

There are two problems -- first the fact that it was allowing insecure logins by
default, and then the fact that it wasn't immediately obvious how to fix it (and
my solution involved downloading additional plugins).

Comment 3 Warren Togami 2006-02-27 15:44:22 UTC
We can't be doing this by default, because https requires manual configuration,
and people upgrading the squirrelmail package will suddenly have broken
configurations where squirrelmail is redirecting them to something that doesn't
work out of the box.

We can't protect everyone from themselves.  I think a bigger problem is that it
was a mistake for us to ship squirrelmail from the beginning...

Comment 4 David Woodhouse 2006-02-27 15:48:08 UTC
Not doing it by default is perhaps acceptable -- we ought to have a clear way
for people to do it if they want to though, without having to download extra

It's not as if setting up https is _that_ hard.

Comment 5 Warren Togami 2006-02-27 15:54:50 UTC
I personally use this in my httpd.conf.  Would you be satisfied if I shipped
this as an example comment with some description of how to use it within the
squirrelmail package?

RedirectMatch ^/webmail[/](.*)$ https://togami.com/webmail/$1

Only complication is that I am uncertain where exactly this line needs to go in
httpd.conf to be effective.  I think I may add this as a %doc called something

This I think is better than shipping a plugin in our package, which would still
need to be manually enabled somehow.

Comment 6 David Woodhouse 2006-02-27 16:05:17 UTC
Better if you can use something which automatically replaces the 'togami.com'
with an appropriate hostname -- but yeah, that would be sane enough.

I could never get that to work for _only_ http URLs and not _also_ do it for
https URLs (recursively), which is why I resorted to the secure_login plugin.
But if you give a decent example, that would be fine.

Comment 7 Warren Togami 2006-02-27 18:00:51 UTC
Any suggested httpd.conf syntax to automatically replace the domain name? 

Comment 9 Martin Bacovsky 2009-04-28 17:21:08 UTC
Since I'm no longer maintainer of this package I'm reassigning it to the default owner of the package.

Comment 10 Michal Hlavinka 2009-05-26 13:01:38 UTC

Alias /webmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
  RewriteEngine        on
  RewriteCond          %{HTTPS} !=on
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

any objections?

Comment 11 Michal Hlavinka 2009-06-09 06:34:52 UTC
I've updated reporter's email in cc-list

Note You need to log in before you can comment on or make changes to this bug.