Squirrel mail and http vulnerabilities

Because of a recent site intrusion, I have a colleague who now insists that all of our connections to squirrel mail or mailbox management be conducted through https. Well, I can connect to Squirrel webmail by implicitly typing https in the URL, but I don’t know how I can enforce this compliance from all my email users. Is there a way to limit web mail under my account to https? How serious is the vulnerability of typing email passwords into an http form?

I think you’ll need Support to go in and tweak the config for your webmail.domain.tld address on your behalf so that any http requests are directed to https.

You can go ahead and ask Support to be sure, but I don’t believe this is actually a setting which we can change on a per-domain basis.

If that’s the case, you could install your own webmail client so that you have the ability to force https on the webmail sub-domain. You’ll require a unique IP and SSL certificate to get things running correctly.

A hack around this expense might be to turn off webmail for the domain which will free up the webmail subbie name and allow you to add your own webmail.domain.tld sub-domain as a redirect to https://webmail.dreamhost.com/src/login.php where users may be able to log in using their complete user@domain.com : password combo.

Please note that this workaround is just an on-the-spot thought – I haven’t actually tried this myself. Make sure you can log in and read your mail at the dreamhost address over a testmail.domain.tld redirect before hacking away at your default webmail subbie.

sXi’s suggestion should work, but users will be taken away from your own domain. This breaks the illusion of self-hosting.

You can also just add a subfolder “domain.com/webmail” and redirect it to https://webmail.domain.com. Though to cover users who use both http and https, you will also need to select Secure Hosting (not compatible with free CloudFlare), so they can go to either http://domain.com/webmail or https://domain.com/webmail. Secure Hosting by itself does not require a unique IP, only a trusted certificate does - and no DreamHost-hosted webmail has that anyway. Secure, just not trusted.

In my case, I want a signed certificate for the assurance of my users - to eliminate the certificate errors. So, I:
1 - Installed my own copy of webmail at domain.com/WebMail (yea, I like the URL fancy),
(1b - created the folder domain.com/webmail with a redirect to https://www.domain.com/WebMail,)
2 - Enabled Secure Hosting on domain.com,
3 - Added a unique IP for a later trusted certificate (which also simplified setup before transferring DNS, since I already had a skeleton site elsewhere),
3 - Disabled the DreamHost webmail,
4 - Set up the domain webmail.domain.com as a forwarder to https://domain.com/WebMail,
5 - Enabled Secure Hosting on webmail.domain.com.

This works for now. I’ll see if it continues without issues after adding a trusted certificate, which I haven’t done yet.
Until #5, http://webmail.domain.com worked, but I got a “bad_httpd_conf” error when trying https://webmail.domain.com.

If someone has a better/simpler option, please add it to the thread. It seems the suggestion for purchased trusted certificates for the normal https://webmail.domain.com was rejected for lack of votes.

We switched to Gmail managed domains back in the spring of 2013. Costs more but I can let Google manage security. Also, around that time, DH had a string of bad luck with email stability, which really put pressure on me to try something different.