Hi there,

Looking over Sqwebmail, I'm quite impressed by its features and flexibility... I like it! Got a question for all out there, and especially for Sam. It regards the safest way of setting up Sqwebmail. We're gonna compile using SSL and are running an Apache server to serve up https requests. It's nice to know that if a user breaks in, they don't get system passwords, but the vcheck passwords instead...

I've heard various people claim that Sqwebmail *may* have a security flaw... well, I haven't any substantiated proof yet out there, but it seems that everyone's claims are due to the cgi-bin usage, and I have a solution to that. Here's my idea: I put an htaccess (Apache's folder password) on the root directory of the Sqwebmail. All my users (my 50 or so people in the company) get a company password. Then they of course still have to log in like any other user through their individual mail/pass combination. This basically means the users need to know two passwords, and that is not a problem for my users. Also, let's assume my users are friendly and don't leak the password, voluntarily or involuntarily.

I know this doesn't really solve things in case there's a CGI bug... but it does avoid any *possible* CGI security problem. I.e. evil Bob knows of a way to break in through the cgi-bin. But he has to go through the htaccess password-protected page. Assuming a good password on that page, this will at minimum act as a deterrent and will have him pick another target.

Sam, what do you think? I'd really love to hear anyone's ideas out there...

Best regards,
Thomas

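The setup Thomas describes, as an added example that is not part of the original post: an Apache 2.4 configuration that puts HTTP Basic auth in front of the Sqwebmail CGI directory and refuses plain-HTTP requests, so the shared company password (which Basic auth only base64-encodes) never crosses the wire unencrypted. The directory path, realm name and password-file location are assumptions; Sqwebmail's own login still happens after this gate.

```apache
# Added example (not from the original post or the Sqwebmail project).
# Assumes mod_ssl, mod_auth_basic, mod_authn_file and mod_authz_user are
# loaded, and that the Sqwebmail CGI lives under the hypothetical path
# /usr/local/www/cgi-bin/sqwebmail. The same directives can go in a
# .htaccess file in that directory if the vhost sets
# "AllowOverride AuthConfig" for it.
<Directory "/usr/local/www/cgi-bin/sqwebmail">
    # Deny any request that did not arrive over TLS; Basic auth sends the
    # credentials base64-encoded, not encrypted, so https is mandatory.
    SSLRequireSSL

    # First gate: the shared company password. This applies before Apache
    # ever executes the CGI, which is the point of Thomas's idea.
    AuthType Basic
    AuthName "Company webmail"
    # Password file created once with, e.g.:
    #   htpasswd -c /etc/apache2/webmail.htpasswd company
    # Keep it outside every DocumentRoot so it can never be served.
    AuthUserFile "/etc/apache2/webmail.htpasswd"
    Require valid-user
</Directory>
```

Failed Basic-auth attempts show up as 401 responses in the access log, which gives a simple place to watch for someone probing the gate before they ever reach the Sqwebmail login.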