On Sun, Nov 25, 2001 at 01:20:28PM +0100, Branko IvanoviU wrote:
> Hello group,
>
> I would like to ask if anyone has some experience working with or security
> auditing a WebMail program, written in PHP, called SquirrelMail. As I can see
> in version 1.06 and 1.2.0rc2 it is using IMAP, which I consider a highly
> insecure protocol. Correct me please if I'm wrong. If it's a bad choice for
> WebMail access, then what are the alternatives?

Security issues aside, I think at the moment SquirrelMail is a fairly poor choice for a scalable webmail application. It is/was very wasteful in its use of IMAP connections, as it connects FOUR TIMES to the IMAP server when you log on. A typical session where one reads mail and writes a response causes 8-10 connections or so IIRC. If thousands of people are using the webmail server at a time it can overwhelm the mail server backend... Unless they've recently overhauled its session management to make it more efficient.

But no, I wouldn't consider IMAP a "highly insecure protocol". Don't let bad experiences with bad IMAP server software color your judgment of the entire protocol. We've had more security problems with POP3... Even if you really think it's a broken protocol, it's a very simple matter to limit IMAP connections to the server only from the webmail front-end by judicious use of firewalling rules.

--
Rafael R. Sevilla <[EMAIL PROTECTED]>    +63(2) 8177746 ext. 8311
Programmer, Inter.Net Philippines        +63(917) 4458925
http://dido.engr.internet.org.ph/        OpenPGP Key ID: 0x5CDA17D8
Today the world and tomorrow the solar system!