Installing Squirrelmail

My wife has been after me for some time to provide a way for her to check her e-mail when she's away from home. Geek that I am, I had always relied on bringing my laptop that also has Linux installed and just using secure shell (ssh) to access the mail server. I just have to remember to open up port 22 on the server when I'm traveling and then a text based e-mail client like pine works fine. I didn't think this would work that well for her since she runs XP (boo, hiss) on her laptop and even an ssh client like putty would still have left her at the Linux command line which didn't seem like a good idea.

I did a little research and ran across squirrelmail. Besides having a cute logo, it seemed to meet our needs and it was available as an RPM so all I had to do was "yum install squirrelmail" and then figure out how to configure it. Getting it working wasn't too bad although I did run into a problem of my own making. I run apache as user apache but group mail since that seems ease some of the issues I ran into when setting up dSPAM as our spam filter. squirrelmail expected apache and itself to run as apache:apache but that was a big deal and a quick chown -R apache:mail in /usr/share/squirrelmail got squirrelmail operational. The other permission change I needed was in /var/lib/php where the session directory needed to also be owned by group mail.

The next challenge was a little trickier. I wanted to only allow squirrelamil connections over https. I understand that the login uses a secure protocol but I also wanted the mail transfers to be secure. We do a lot on on-line banking and such and I don't like the idea of having any information related to our money going across who knows who's network in plain text. Complicating this is I only get one IP address from our ISP so setting up a separate IP address for https wasn't an option.

The default CentOS apache installation (probably the same for RHEL) sets up a default https capability. Interestingly, this set up seems to work with virtual hosts even though https doesn't since the SSL protocol encapsulates http instead of the other way around and the virtual host protocol uses information in the http headers to keep track of which virtual host a request is supposed to go to. That is, I can put in a virtual host name on my server (e.g., https://mail.davenjudy.org) and apache sets up an https session. I'm guessing that I'm missing something here and it doesn't really work completely correctly but experimenting with it will have to wait.

I tried several different atempts to set up a redirect to https for squirrelmail and this is what finally seemed to work. In /etc/httpd/httpd.conf, I have the following stanza within my default host configuration:

<Directory "/webmail">
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://davenjudy.org/webmail [L]
</Directory>

I also had to add within the default SSL configuration file within /etc/httpd/conf.d/ssl.conf:

# --- SquirrelMail Configuration --- #
Alias /webmail /usr/share/squirrelmail
<Directory "/usr/share/squirrelmail">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

This seems to work as any attempt to connect to http://davenjudy.org/webmail gets redirected to https://davenjudy.org/webmail and all webmail traffic goes over a secure connection; not just the login.

Update: I had a botched update from CentOS 4.5 to 4.6. I haven't isolated the problem as of the time of this update (17 December 2007) but yum seg faulted during what turned out to be the initial "yum update" that was supposed to take me from 4.5 to 4.6. It managed to corrupt my rpm database so I did a rpm --rebuilddb that also initially bombed. I re-ran the rebuild and eventually got a working rpm database with several duplicate packages installed including httpd-suexec. I eventually ended up doing a yum erase on anything httpd related and then re-installing the packages including squirrelmail. Not unexpectedly given my uninstall, all of the conf files got renamed to .rpmsave (at least they weren't overwritten). I think I got squirrelmail back up and running.

Cheers,
Dave