Replying to Rod's post to add more comments to a good reply:

Rod Roark said:
> On Saturday 03 July 2004 02:05 pm, [EMAIL PROTECTED] wrote:
>> i don't know the first thing about web mail (or web anything, for that
>> matter). sorry for brain dead questions in advance.
>>
>> i'm investigating web mail for times where i only have access to
>> microsoft windows, and can't install an ssh client.
>>
>>
>> 1. can squirrelmail live side by side with a "normal" MUA like mutt? in
>> other words, can one use mutt when at home and squirrelmail "on the
>> road"?
>
> SquirrelMail uses IMAP, so as long as you have an IMAP
> server it should be fine.
Also, SquirrelMail permits (through the pop mail plugin) picking up mail from multiple POP accounts. SquirrelMail also has a GPG plugin which, by default, permits verification of senders and encryption to others, but by default does NOT support users decrypting messages sent to them, or signing messages they send. (For obvious reasons.)

The security track record for SquirrelMail has been an issue because it is so intensively hammered. One reason is that many places use it and it is a big target, and another is that it is used by "many security minded people."

I use SquirrelMail and have two layers of authentication behind an SSL server. An HTAUTH is the first layer, to deny people access to the PHP code and make it difficult to run prepackaged exploits unless they have an htauth account on my box. Next, I have the second layer of authentication, which is actually provided by the IMAP server. SquirrelMail supports IMAPS and IMAP, but if the server running SquirrelMail is also running the IMAP server, then you can save CPU cycles and memory by just running IMAP.

I use SquirrelMail with Courier-IMAP for many reasons. First, the multi-byte character support is pretty good. Second, Courier-IMAP supports many, many kinds of authentication. I have my Courier-IMAP set up to support its very own authentication in a separate file from all other authentication tokens, in its own directory. This permits me to have one password for webmail and another for my shell. This makes me feel more comfortable using public systems to check my mail.

For the most part, I expect any mail I get in plain text is or has been read by others. Taking this into consideration, my only exposure from theft of credentials is a person deleting mail, sending mail to someone in my address book as "me", or spamming from my box. All of these are risks which I am willing to take in using public stations to check mail.
To guard against loss of e-mail, I actually have mail double-delivered to a maildir *and* to an mbox after spam processing. This permits me to have an archive of mail which is not exposed like my webmail. This of course requires that I periodically purge mbox mail that I have verified receiving.

>> 2. how is squirrelmail secure? without https, don't passwords get sent
>> out via plaintext?
>
> Yeah but nothing is stopping you from using HTTPS.

And SquirrelMail follows the UNIX way very well; it does its thing very well. If you add HTTPS, then encryption is transparent.

>> 3. looking at security focus, it seems like squirrelmail has a horrible
>> security track record. yet i see very security minded individuals
>> using it. what gives?
>
> Dunno... but in my experience TRULY security-minded people
> are rare. Most of us think nothing about the fact that our
> paper mail sits in a little unlocked box next to the
> sidewalk for much of the day. Or what could I learn about
> you by taking the garbage that you leave out on Tuesday
> nights?
>
> I'm pretty sure my unencrypted email is way more secure than
> any of that....

SquirrelMail is secure enough for my purposes. I do not use it to read GPG-encrypted messages or sign messages I send. For this, I still use mutt, and I do not use mutt unless I ssh, and I do not ssh unless it is from a machine that I trust. (Meaning, I only ssh to my server from machines that I have installed and control.) In cases like DefCon and other security conferences I will sometimes create new IMAP accounts and triple-split mail to also include this extra account after spam processing. Then I can use this account, and when I get back, destroy it.

To make things more interesting for SquirrelMail, I have taken on the task of trying to add some Section 508 support to the forms and tables that it generates. This is a lot of work, but it will help people who might have ADA issues and make it possible for more groups which accept federal funding to use it.
-ME

_______________________________________________
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech
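The two-layer setup the post describes, written out as an added editorial example (this is not ME's actual configuration): an Apache 2.4 virtual host that bounces plain HTTP to HTTPS, requires TLS on the SquirrelMail tree, and puts HTTP basic auth from a separate htpasswd file in front of the PHP code, leaving the second login to the IMAP server. The hostname, directory paths, certificate locations and the htpasswd file name are assumptions.

```apache
# Added example, not from the post. Hostname, paths and file names are assumed.

# Plain HTTP: never serve webmail here; send browsers to HTTPS so neither the
# htauth nor the IMAP credentials are typed into an unencrypted page.
<VirtualHost *:80>
    ServerName webmail.example.org
    Redirect permanent /squirrelmail https://webmail.example.org/squirrelmail
</VirtualHost>

<VirtualHost *:443>
    ServerName webmail.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/webmail.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/webmail.example.org.key

    # Assumed install location of the SquirrelMail PHP code.
    Alias /squirrelmail /usr/share/squirrelmail

    # Layer 1: basic auth in front of the PHP code. A client without an htauth
    # account never reaches SquirrelMail's login page, so attacks aimed at the
    # PHP files themselves are stopped before any SquirrelMail code runs.
    <Directory /usr/share/squirrelmail>
        # Refuse to serve this tree at all unless the request arrived over TLS.
        SSLRequireSSL
        AuthType Basic
        AuthName "Webmail (first factor)"
        # Separate credential file, distinct from system passwords; create with
        #   htpasswd -c /etc/apache2/webmail.htpasswd alice
        # Keep it outside DocumentRoot and readable only by the web server user.
        AuthUserFile /etc/apache2/webmail.htpasswd
        Require valid-user
    </Directory>

    # Layer 2 is SquirrelMail's own login form, which is checked by the IMAP
    # server (Courier-IMAP with its own authentication file in the post).
    # The IMAP host and port are set in SquirrelMail's config/config.php, not
    # here; plain IMAP to localhost is fine when both run on the same box.
</VirtualHost>
```

With this in place the browser sends the htauth credentials and the SquirrelMail login only inside the TLS session, and a lost webmail password still does not grant shell access because it is a separate credential store.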
