
[SM-USERS] Content being encrypted


Yasir Malik
Hi,

Is my password and mail being encrypted with the following settings:

PHP 5.0.4 with Openssl module
SquirrelMail 1.5.1 -- CVS
Secure IMAP connecting to IMAPS port 993
No secure SMTP
No SMTP authentication
No TLS service on mail server

Thanks,
Yasir


-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
--
squirrelmail-users mailing list
Posting Guidelines: http://squirrelmail.org/wiki/wiki.php?MailingListPostingGuidelines
List Address: [hidden email]
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

Re: [SM-USERS] Content being encrypted

Jon Angliss
Hello Yasir Malik,
On Sunday, September 18, 2005, you wrote:

> Hi,

> Is my password and mail being encrypted with the following settings:

> PHP 5.0.4 with Openssl module
> SquirrelMail 1.5.1 -- CVS
> Secure IMAP connecting to IMAPS port 993
> No secure SMTP
> No SMTP authentication
> No TLS service on mail server

Where are you in relation to your SquirrelMail installation? You've
mentioned the OpenSSL module, but are you using it to access
SquirrelMail? If yes, then I'd say it looks pretty encrypted to me.

- --
Jonathan Angliss
<[hidden email]>




Re: [SM-USERS] Content being encrypted

Tomas Kuliavas
In reply to this post by Yasir Malik
> Hi,
>
> Is my password and mail being encrypted with the following settings:
>
> PHP 5.0.4 with Openssl module
> SquirrelMail 1.5.1 -- CVS
> Secure IMAP connecting to IMAPS port 993
> No secure SMTP
> No SMTP authentication
> No TLS service on mail server

You haven't provided enough details.

Do you use an SSL encrypted HTTP connection? Is the connection encrypted in
the browser? What security algorithms are supported by the browser?


--
Tomas



Re: [SM-USERS] Content being encrypted

Yasir Malik
> You haven't provided enough details.
>
> Do you use an SSL encrypted HTTP connection? Is the connection encrypted in
> the browser? What security algorithms are supported by the browser?
>
Ok, I used https and a certificate was installed.  However, do I need
https even if SquirrelMail is using the OpenSSL module?  And when I ran
configtest.php, I came across the following message:
ERROR: You have enabled TLS encryption in the config, but the server does
not report STARTTLS capability. TLS is probably not supported.

And indeed, there is no TLS service on the server.

Thanks,
Yasir



Re: [SM-USERS] Content being encrypted

Tomas Kuliavas
>> You haven't provided enough details.
>>
>> Do you use an SSL encrypted HTTP connection? Is the connection encrypted in
>> the browser? What security algorithms are supported by the browser?
>>
> Ok, I used https and a certificate was installed.  However, do I need
> https even if SquirrelMail is using the OpenSSL module?  And when I ran
> configtest.php, I came across the following message:
> ERROR: You have enabled TLS encryption in the config, but the server does
> not report STARTTLS capability. TLS is probably not supported.

SquirrelMail uses PHP OpenSSL extension in secure IMAP and SMTP
connections. PHP OpenSSL extension does not secure http traffic coming to
your server.

In webmail interfaces user and password information is transferred in two
places:

1. Using HTTP protocol from browser to webserver.

In order to secure it, you need SSL enabled webserver. If webserver uses
strong encryption, you might have to update browser or crypto libraries on
client machine. Older OSes and Netscape browser versions haven't included
strong crypto due to USA export regulations.

2. Using IMAP protocol from webserver to imap server.

Authentication can be secured with STARTTLS, CRAM-MD5, IMAPS and some
other authentication protocols. STARTTLS allows to start TLS encryption in
existing plain text connection. SquirrelMail does not support STARTTLS.
CRAM-MD5 uses special challenge/response protocol (RFC 2195). SquirrelMail
supports it, but you must store plaintext password on imap server in order
to use it. IMAPS is IMAP service secured by SSL layer. In order to use it
you must change IMAP port _and_ Secure IMAP settings in SquirrelMail IMAP
configuration. Currently these settings don't depend on each other. You
can create invalid configuration with IMAP port set to 143 and Secure IMAP
enabled.

Please note that when IMAP server is on the same host as web server, you
are trying to secure local connection. Password is not transferred over
insecure network. If some bad guy is sniffing local interface, you should
take your compromised server offline. Only admin user can sniff local
interface.


Other possible security issues - authenticated smtp and pop-before-smtp
connections, database connections in db based setup,
http/ftp/ldap/poppass/sql connections in change password and vacation
plugins, authenticated ldap address book connections, pop3 connections in
mail_fetch plugin, other network connections initiated by third party
plugins.


Think. Draw a diagram that shows all webmail components and find the ones
that are vulnerable.

--
Tomas
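
The per-hop reasoning in the reply above, as an added example that is not part of the original thread or SquirrelMail's own code: it reads config.php-style assignments and classifies the webserver-to-IMAP and webserver-to-SMTP hops, including the invalid port/Secure IMAP combination and the same-host case. The sample config is constructed, and treating `$use_imap_tls` / `$use_smtp_tls` as simple on/off switches is an assumption of this sketch.

```python
import re

# Constructed sample in the style of SquirrelMail's config/config.php,
# mirroring the question: IMAPS on 993, plain SMTP without authentication.
SAMPLE_CONFIG = """
$imapServerAddress = 'mail.example.org';
$imapPort          = 993;
$use_imap_tls      = true;
$smtpServerAddress = 'mail.example.org';
$smtpPort          = 25;
$use_smtp_tls      = false;
$smtp_auth_mech    = 'none';
"""

ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?)\s*;", re.M)
LOCAL = {"localhost", "127.0.0.1", "::1"}
TLS_PORTS = {"imap": 993, "smtp": 465}    # implicit-TLS service ports
PLAIN_PORTS = {"imap": 143, "smtp": 25}   # plaintext service ports


def parse_config(text):
    """Return {name: value} for simple scalar PHP assignments."""
    out = {}
    for name, raw in ASSIGN.findall(text):
        if raw.lower() in ("true", "false"):
            out[name] = raw.lower() == "true"
        elif re.fullmatch(r"-?\d+", raw):
            out[name] = int(raw)
        else:
            out[name] = raw.strip("'\"")
    return out


def audit_hop(cfg, proto):
    """Classify one webserver->mail server hop (TLS treated as on/off: assumption)."""
    host = cfg.get(f"{proto}ServerAddress", "localhost")
    port = cfg.get(f"{proto}Port", PLAIN_PORTS[proto])
    tls = bool(cfg.get(f"use_{proto}_tls", False))
    if tls and port == PLAIN_PORTS[proto]:
        return "invalid: TLS enabled on plaintext port"
    if not tls and port == TLS_PORTS[proto]:
        return "invalid: TLS port without TLS enabled"
    if tls:
        return "encrypted"
    return "plaintext (local only)" if host in LOCAL else "plaintext over network"


def audit(text):
    cfg = parse_config(text)
    return {proto: audit_hop(cfg, proto) for proto in ("imap", "smtp")}
```

The browser-to-webserver hop does not appear in config.php at all, so it has to be checked separately at the web server.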

