Squirrel mail and http vulnerabilities


#1

Because of a recent site intrusion, I have a colleague who now insists that all of our connections to squirrel mail or mailbox management be conducted through https. Well, I can connect to Squirrel webmail by implicitly typing https in the URL, but I don’t know how I can enforce this compliance from all my email users. Is there a way to limit web mail under my account to https? How serious is the vulnerability of typing email passwords into an http form?


#2

I think you’ll need Support to go in and tweak the config for your webmail.domain.tld address on your behalf so that any http requests are directed to https.


#3

You can go ahead and ask Support to be sure, but I don’t believe this is actually a setting which we can change on a per-domain basis.


#4

If that’s the case you could install your own webmail client so that you have the ability to force https on the webmail sub-domain. You’ll require a unique IP and SSL certificate to get things running correctly.

A hack around this expense might be to turn off webmail for the domain which will free up the webmail subbie name and allow you to add your own webmail.domain.tld sub-domain as a redirect to https://webmail.dreamhost.com/src/login.php where users may be able to log in using their complete user@domain.com : password combo.

Please note that this workaround is just an on-the-spot thought – I haven’t actually tried this myself. Make sure you can log in and read your mail at the dreamhost address over a testmail.domain.tld redirect before hacking away at your default webmail subbie.


#5

sXi’s suggestion should work, but users will be taken away from your own domain. This breaks the illusion of self-hosting.

You can also just add a subfolder “domain.com/webmail” and redirect it to https://webmail.domain.com. Though to cover users who use both http and https, you will also need to select Secure Hosting (not compatible with free CloudFlare), so they can go to either http://domain.com/webmail or https://domain.com/webmail. Secure Hosting by itself does not require a unique IP, only a trusted certificate does - and no DreamHost-hosted webmail has that anyway. Secure, just not trusted.

In my case, I want a signed certificate for the assurance of my users - to eliminate the certificate errors. So, I:
1 - Installed my own copy of webmail at domain.com/WebMail (yea, I like the URL fancy),
(1b - created the folder domain.com/webmail with a redirect to https://www.domain.com/WebMail,)
2 - Enabled Secure Hosting on domain.com,
3 - Added a unique IP for a later trusted certificate (which also simplified setup before transferring DNS, since I already had a skeleton site elsewhere),
3 - Disabled the DreamHost webmail,
4 - Set up the domain webmail.domain.com as a forwarder to https://domain.com/WebMail,
5 - Enabled Secure Hosting on webmail.domain.com.

This works for now. I’ll see if it continues without issues after adding a trusted certificate, which I haven’t done yet.
Until #5, http://webmail.domain.com worked, but I got a “bad_httpd_conf” error when trying https://webmail.domain.com.

If someone has a better/simpler option, please add it to the thread. It seems the suggestion for purchased trusted certificates for the normal https://webmail.domain.com was rejected for lack of votes.
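For anyone taking the self-installed-webmail route described in the steps above, the piece that actually stops a password from ever being posted over plain http is the redirect rule in front of the webmail directory. The following `.htaccess` is an added example written for this thread, not something from DreamHost or from the poster; it assumes an Apache host that honours `.htaccess` with `mod_rewrite` (and optionally `mod_headers`) enabled, and that the webmail client lives at `/WebMail` on `domain.com` as in the layout above.

```apache
# Added example (not part of the thread): place this in domain.com/WebMail/.htaccess
# Assumes Apache with mod_rewrite; "/WebMail" is the poster's own directory name.
RewriteEngine On

# Any request that did not arrive over TLS gets a permanent redirect to the same
# path on https, so the login form is only ever served (and submitted) over TLS.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# HSTS: once a browser has seen this header over https it will rewrite future
# http links to this host itself, before any request leaves the machine.
# Only sent on TLS responses (env=HTTPS), which is what the HSTS spec requires.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
```

Two caveats: the redirect only helps if the https side presents a certificate users will accept, which is why the trusted certificate matters rather than the redirect alone; and if TLS is terminated by a proxy in front of Apache, `%{HTTPS}` may never be `on` and the rule would loop, so check the redirect with a single plain-http request to the directory before relying on it.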


#6

We switched to Gmail managed domains back in the spring of 2013. Costs more but I can let Google manage security. Also, around that time, DH had a string of bad luck with email stability, which really put pressure on me to try something different.