CCL Home Page
Up Directory CCL README.html

Installing squirrelmail on RedHat Linux RH9.

The squirrelmail comes with the Redhat 9 distribution. It is a collection
of PHP scripts which can work under Apache Web Server and allow you to read
your mail via Web interface. It asks for your user id (Linux user id) and
user password and then operates on your mailbox using imap.
There are several open source solutions for Linux to read e-mail via
Web. Some may be even better (though squirrelmail is great), but my choice
of squirrelmail was mainly driven by the fact that it comes with RedHat Linux,
and you do not have to compile, install, etc... It is done...  

Why use "webmail" type solutions rather than a Mail facility of most
advanced browsers (which can directly connect to the secure IMAP server
on your mail gate)? My reasons are listed below:

   i) Setting up browser Mail and Newsgroups facility takes some time.
      If you want to read your mail from different computers (e.g., on
      the road in Internet cafes) you would need to set-up the mail
      account (or profile) in each browser, before you can access your
      mailbox and mail gateway. While it not complicated, it is really
      not an option if you want to quickly (and occasionally) use friend's
      computer to check your mail. You would probably mess up his/her setup,
      and it would take you at least 5 minutes to click on all necessary
      menu items and enter required hostnames and ports provided that you
      know what you are doing... Squirrelmail does not require
      any modification or setup changes for your browser. You access it like
      a regular Web page. It requires, however, that you have cookies and
      JavaScript enabled in the browser, which in fact is a standard situation.

  ii) Another problem is that IMAP port (secure or unsecure) is usually
      blocked by firewalls, while access to Web server is not.
      Oh well... Companies which run VPN often, block HTTPS access
      (and other encrypted protocols) to non-company computers, since
      they want to read/monitor what you write/send]. Opening IMAP
      port on a firewall to general public is a policy decision.
      This would have to be done in this case, though. Even if you
      only want to read mail from home, your home computer is probably
      assigned a dynamic IP address via DHCP protocol, and you cannot
      know its address in advance.

 iii) Moreover, to be able to send mail from the browser via your mail
      gateway, you need to allow mail relaying from browser machine in your
      mail gateway. If you wanted to allow unrestricted access from any
      browser, you would need to allow all computers to relay through you
      mail gateway, which is not acceptable (you would end up relaying
      spam for spammers). While there are ways around it, they are
      not necessarily easy to implement.

By using webmail type interface like squirrelmail, you avoid these problems.
You browser is only a USER INTERFACE, while the web server machine is the
one which communicates with IMAP and sendmail program. You only need to
authorize a single machine to connect to IMAP and relay sendmail. In fact,
if your web server and mail gateway is on the same subnet, they are most
likely already authorized to talk to each other.


There are a few things to keep in mind: 
   - squirrelmail does not support imaps (i.e., secure, SSL based,
     Internet Message Access Protocol with SSL), to my knowledge.
     Y also ou have to use HTTPS protocol to communicate between
     Web browser and Web server since you are sending your user Id and
     Password over the net, and it better be encrypted. Also, the IMAP
     server has to be protected against access from outside. While in my case,
     the port 143 is blocked on my firewall, I will still use access
     control built into xinetd to restrict IMAP access only to the
     localhost/127.0.0.1 (i.e., intracomputer TCP connection).

   - you should not really use squirrelmail and other mail client (say
     pine) at the same time, since pine, for example, moves your system
     mailbox (i.e., mailbox located in /var/spool/mail/your_user_name) to
     your home directory (as mbox). The imap will not see it there.
     There are probably many ways around it, like creating links
     (Squirrelmail will allow you to create folders and will look under
     /home/yourname/mbox, so you can create links), but I did not study
     the matter. The same is true with accessing e-mail via Mozilla
     mail/newsgroup utility and IMAPS (secure IMAP on port 993). It
     results in different locations of folders like Send, Draft, Trash, etc.
     Again, you need probably to make links or play with config files,
     e.g., edit the /usr/share/squirrelmail/config/config_default.php
     or files xxx.pref in /var/lib/squirrelmail/prefs/ directory for
     individual users. 

Installation/configuration if Apache and sendmail are on the same machine
=========================================================================

1) Check what is installed:
    rpm -qa squirrelmail  (in my case: squirrelmail-1.2.11-1)
    rpm -qa imap          (imap-2001a-18)
    rpm -qa httpd         (httpd-2.0.40-21.3)

   I made updates to the system in late August using apt - rpm
   (to read more on how to install apt - rpm, check my write-up:
    http://www.ccl.net/cca/software/UNIX/updating-redhat/).
   I assume that you have a clean installation (i.e., not an upgrade
   from previous RH Linuces) and full installation (Custom/Install Everything)
   of RedHat 9, and that the patches/updates were applied. If not,
   some things may not work... If you have some earlier packages,
   please install updates. If you do not have these packages,
   go to the http://www.redhat.com/mirrors.html web page, and
   retrieve them from the ...redhat/linux/9/en/os/i386/RedHat/RPMS directory,
   namely:
        squirrelmail-1.2.11-1
        imap-devel-2001a-18
        php-imap-4.2.2-17
        imap-2001a-18
        httpd-2.0.40-21.3
        redhat-config-httpd-1.0.1-18
        httpd-devel-2.0.40-21.3
        httpd-manual-2.0.40-21.3
   And then install them asL
     rpm -Uhv package-name*.rpm
   where package-name is one of the above.


2) Configuring Apache Web server for squirrelmail
   If the packages are installed, proceed with configuration.
   First, you need to start your web server. Check if it is running
   by typing:
     ps -ef | grep http | grep -v grep 
   If nothing shows up, you need to start httpd (i.e, start web server).
   Do one of the two:
     /etc/rc.d/init.d/httpd restart
   or 
     service httpd restart

   I use restart here to make sure that the processes which were running 
   are killed and then stared from scratch.

   If squirrelmail was installed on your machine, there should be
   a small file in your /etc/httpd/conf.d called squirrelmail.conf
   It contains an Alias:
        Alias /webmail /usr/share/squirrelmail
   This alias directs Apache to serve URLs like:
        https://myexamplemachine.com/webmail
      or 
        http://myexamplemachine.com/webmail
   from the /usr/share/squirrelmail directory. 
   First thing you, which you should do is to comment out the Alias in the
   /etc/httpd/conf.d/squirrelmail.conf file, since it is unsafe. It will
   allow users to access webmail via HTTP protocol (i.e., no encryption)
   and therefore allow them to send user ids and passwords in the open
   over the net. Change this line to (just put the # in front of the line):
     #  Alias /webmail /usr/share/squirrelmail   
   Then, place this line in the /etc/httpd/conf.d/ssl.conf file under
   SSL protected virtual server. Namely, look for the line: 
    <VirtualHost _default_:443>
   in the ssl.conf file and add this line somewhere under DocumentRoot
   entry. Also change the ServerName, and ServerAdmin entry to represent
   the reality. For example

<VirtualHost _default_:443>

#  General setup for the virtual host
DocumentRoot "/var/www/html"
Alias /webmail /usr/share/squirrelmail
ServerName myexamplemachine.com:443
ServerAdmin admin@myexamplemachine.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log

   The above configuration refers to a default configuration file which comes
   with a fresh Apache installation. If you modified the httpd.conf/or ssl.conf
   files, you may need to use a different setup for serving squirrelmail.
   Then restart the Apache server:

     /etc/rc.d/init.d/httpd restart

   Now, when you point your browser to:
      http://myexamplemachine.com/webmail
   you should get the "Object not found" page, but when you point it to
      https://myexamplemachine.com/webmail
   you should get a login page.

   The next thing is to create digital certificates for your web server, unless
   you already done this. The digital certificates are located in
   /etc/httpd/conf/ssl.* directories. Apache comes with the generic
   certificates, but if you want the ones which identify your particular
   machine, you need to create them. Read the comments in the Makefile in the
   /etc/httpd/conf directory (it is actually a link to a Makefile file which
   resides in: /usr/share/ccl/certs/Makefile).

   You usually want to create the test certificate (i.e., self-signed
   certificate which is not backed up by Thawte or VeriSign Certificate
   Authorities).

     cd /etc/httpd/conf
     mkdir generic_certificates
     mv ssl* generic_certificates
     mkdir ssl.crt
     mkdir ssl.csr
     mkdir ssl.key
     /usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
     make certreq

Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Ohio
Locality Name (eg, city) [Newbury]:Columbus
Organization Name (eg, company) [My Company Ltd]:OSC
Organizational Unit Name (eg, section) []:CCL
Common Name (eg, your name or your server's hostname) []:www.myexample.com
Email Address []:jkl@ccl.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    -- I did not enter the password -- 
An optional company name []:

   Note that for the Common Name I entered the host name where the Apache is
   running.

     make testcert
   Use the same entries as for make certreq. Then, restart Apache:

    /etc/rc.d/init.d/httpd restart


   Now... We are still not ready, since the imap server is not activated
   and we did not configure squirrelmail.

3) Configuring the xinetd to activate imap on request

   Go to directory /etc/xinetd.d and edit imap file by changing the line:
     disable = yes
   to
     disable = no

   Since imap is inherently unsafe (it does not run over SSL) you should
   block port 143 (the imap port) from external access. You can do it
   on the firewall, and you should also restrict access using the imap entry
   in the /etc/xinetd.d directory. You could also use TCP wrappers since the 
   RH9 xinetd daemon is compiled with the libwrap library (you can
   check it yourself:
      strings -f /usr/sbin/xinetd | grep libwrap

   which will find it in the binary), however, it is just more convenient
   to restrict access to imap in the /etc/xinetd.d/imap file. If you place the
   line:

     only_from = 127.0.0.1 localhost

   in the /etc/xinetd.d/imap file, imap will respond to requests only from
   from the localhost, i.e., from the machine on which it runs.
   Also, for the time of testing, I would comment the lines:
#        log_on_success  += HOST DURATION
#        log_on_failure  += HOST
   and replace then with:
        log_on_success  = PID HOST EXIT DURATION
        log_on_failure  = ATTEMPT HOST RECORD
   to get debugging information. The imapd log entries should be available in
   in /var/log/maillog file.

   Then make xinted reread its configuration by killing it with SIGUSR1 signal.

   ps -aux | grep xinetd     # this will give you the PID number of xinetd
   kill -USR1 PID 

   For example, in my case:
       ps -e | grep xinetd 
   produced: 
       1310 ?        00:00:00 xinetd

   so I did:
       kill -USR1 1310

4) Configuring squirrelmail

   Now, you need to configure squirrelmail. There is a script which does it.

    cd /usr/share/squirrelmail/config
    ./conf.pl


  enter digit to choose an option, S to save data, R to return to main menu
  and Q to exit. I did not change all options, and my entries are below:

1.  Organization Preferences
     1. Organization Name    : CCL
2.  Server Settings
     1 Domain:        www.myexample.com
     2 IMAP server:   127.0.0.1
     3 IMAP Port:     143
     4 Use Sendmail/SMTP    2. SMTP    
     5 SMTP Server        : 127.0.0.1
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books (LDAP)
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database


Now you are ready to use squirrelmail, i.e., in your browser enter URL:
    https://myexample.com/webmail
and you should be offered a page which asks for your UNIX user id
and password. Once you enter it, you should be offered a listing of
your messages in your INBOX. If things do not work, try to restart
all services which are involved, i.e.,:

    /etc/rc.d/init.d/sendmail restart
    /etc/rc.d/init.d/httpd restart
    /etc/rc.d/init.d/xinetd restart


If still not luck, try to verify the installation and configuration.

You may also check the default upload file sizes which PHP supports
(squirrelmail uses PHP). This concerns the maximum attachments you can
use in your outcoming message, and probably also other things.
The PHP default is 2 Megs, which is too small
for me. Edit the file: /etc/php.ini
and change your preferences for 
post_max_size  = 
memory_limit = 
upload_max_filesize = 
It comes with the small defaults. While I did not dwell into what it all 
really means, I have set mine to:
post_max_size  = 15M
memory_limit = 18M
upload_max_filesize =15M

and then restarted Apache
/etc//rc.d/init.d/httpd restart


[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

Installation/configuration when Squirrelmail and imap run on different machines
=========================================================================

The write-up above assumes that the sendmail program runs on the 
same machine as imap and the web server. Below are the modification
for the case where Apache(+squirrelmail) and sendmail(+imap) run on different
machines. For the purpose of the illustration, let assume that the
machine with Web server (and squirrelmail) is called www.myexample.com,
and the machine on which the sendmail (and imap) run, is called
mail.myexample.com.

Unsecure solution
=================
In this solution the squirrelmail talks to the imap server on unencrypted
TCP connection (i.e., passwords and user ids are sent in open).
This is only acceptable when you are behind the firewall and you
trust all users on your network. In fact, you can only trust this
arrangement when you have NO users on your network, i.e., when
mail server and the web server machines are behind the firewall
on a separate subnet, and you do not allow users to log in to these
machines directly. They can only access the Web server via HTTPS.

You will set up the web server as in part 2) above on the machine
www.myexample.com.

You will activate the imap service in xinetd on the mail.myexample.com
machine as in part 3). Remember to restart xinted.

You will configure squirrelmail on www.myexample.com in a similar way
as in point 4), but you will other addresses for imap server and for
SMTP server, namely:


1.  Organization Preferences
     1. Organization Name    : CCL
2.  Server Settings
     1 Domain:        myexample.com  (or whatever you want on From: line)
     2 IMAP server:   mail.myexample.com
     3 IMAP Port:     143
     4 Use Sendmail/SMTP    2. SMTP    
     6 SMTP Server        : mail.myexample.com
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books (LDAP)
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database


On the machine mail.myexample.com you will edit file /etc/mail/access
and add the line:

www.myexample.com   RELAY

and convert the access file to the database format (access.db) as:

   makemap hash /etc/mail/access.db < /etc/mail/access


Unfortunately... This solution is quite insecure, since passwords
are flying on the wire unencrypted. It is probably more acceptable on the
internal network behind firewall, but if someone breaks to one
of the computers on the internal network (or you have bad guy among
your users), you have to look for another job {:-(}.

Secure Solution
===============
There are many ways of doing this. I chose to use stunnel.
Again... We have 2 machines: 
  a) Machine with Web Server which has squirrelmail (www.myexample.com)
  b) Machine with sendmail which also runs imaps (secure imap).

On the machine www.myexample.com
--------------------------------

1) create certificate for stunnel (it is optional in client mode, but
   you may need it one day, anyhow).

     cd /usr/share/ssl/certs
     make stunnel.pem

....
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Ohio
Locality Name (eg, city) [Newbury]:Columbus
Organization Name (eg, company) [My Company Ltd]:OSC
Organizational Unit Name (eg, section) []:CCL
Common Name (eg, your name or your server's hostname) []:www.myexample.com
Email Address []:jkl@ccl.net


   Certificate was made in /usr/share/ssl/certs/stunnel.pem

2) Create a configuration file for stunnel: /etc/stunnel/stunnel-imap.conf
 

client = yes

cert = /usr/share/ssl/certs/stunnel.pem
pid = /var/run/stunnel-imap.pid
# sends debug info to /var/log/secure, remove after debugging
debug = 7   

[stunnel-imap]
accept = 1143
connect = mail.myexample.com:993


   The copy of the /etc/stunnel/stunnel-imap.conf is provided
   here.

   This configuration tells stunnel to get certificate (if it needs it),
   to save its Process Id Number in /var/run/stunnel-imap.pid file
   and to save lots of debug information in /var/log/secure file.

3) Make a link in /usr/sbin to have a specific name for this stunnel
   (stunnel-imap) process. By giving it a name, you can get another
   stunnel for doing something else, and they will not collide with
   each another.

     cd /usr/sbin
     ln -s stunnel stunnel-imap


4) Edit /etc/services and add there a line for a new service in a proper
   place:

stunnel-imap          1143/tcp      # stunnel passing imap requests over SSL



5) Create boot-up script, call it stunnel-imap, and place it
   in the /etc/rc.d/init.d directory. Then install the service by executing:

     cd /etc/rc.d/init.d
     chkconfig -add stunnel-imap
   
   You can use/modify a script which I came up with. It is given 
   here.
   
6) Protect the stunnel by TCP wrappers, so only localhost (127.0.0.1) can
   access the tunnel. Place this line in the /etc/hosts.allow file:

stunnel-imap: 127.0.0.1


and in the file /etc/hosts.deny put the following line:

stunnel-imap: ALL
    

6) Make sure that on the www.myexample.com machine the imap server is
   disabled, i.e., if there is a file /etc/xinted.d/imap, it should
   have a line:

       disable = yes


7) Reconfigure squirrelmail and put the following entries:


    cd /usr/share/squirrelmail/config
    ./conf.pl


1.  Domain               : www.myexample.com
2.  IMAP Server          : 127.0.0.1
3.  IMAP Port            : 1143
4.  Use Sendmail/SMTP    : SMTP
6.    SMTP Server        : mail.myexample.com
7.    SMTP Port          : 25
8.    Authenticated SMTP : false
9.    POP Before SMTP    : false
10. Server               : uw
11. Invert Time          : false
12. Delimiter            : detect

R   Return to Main Menu
C.  Turn color on
S   Save data
Q   Quit


8) restart xintetd and start stunnel-imap

   cd /etc/rc.d/init.d
   ./xinetd restart
   ./stunnel-imap restart


On the machine mail.myexample.com
----------------------------------

Do a similar thing which was required for the unsecure solution,
but activate imaps rather then imap in the /etc/xinetd.d, namely

1) On the machine mail.myexample.com edit file /etc/mail/access
   and add the line:

      www.myexample.com   RELAY


   and created the database file needed by sendmail as:

      makemap hash /etc/mail/access.db < /etc/mail/access


2) enable imaps in the /etc/xinetd.d directory by changing the
   line:

     disable = yes


   to

     disable = no

   The imaps is a secure version of IMAP protocol, i.e., it communicates
   with the IMAP client (in our case the other end of the stunnel-imap 
   tunnel) over secure SSL protocol.

   Then restart the xinetd as:

      /etc/rc.d/init.d/xinetd restart



Discalimer: All of the above is purely stupid, and if you used it,
then it is your fault. To learn how to really do it right, ask your
lawyer.

Jan K. Labanowski, jkl at osc . edu, September 2, 2003
Modified: Wed Mar 10 20:51:46 2004 GMT
Page accessed 203967 times since Tue Sep 2 23:35:37 2003 GMT