Of course, our own SSL certificate cannot secure the customer's webmail under this scheme, because the webmail hostname is outside our domain. If the customer domain has its own SSL certificate, problem solved. If not, I see two options in addition to the suggestion by pdontthink:
1) Use OpenSSL to sign a certificate for their webmail host yourself. Browsers will not trust you as a signer by default and will display a man-in-the-middle warning, but this will probably not be an issue unless your customer is providing e-mail accounts to the general public. Your customers can just manually add you as a trusted signer to their browser's CA list after manually verifying your certificate's public key. You can provide instructions on how to do this in major browsers. This is our solution. (This scheme also allows each customer to customize the login page with their own branding.)
2) Have a master Squirrelmail host under your domain, and require the customer to login with their full e-mail address. This eliminates the bother with initial manual trust decisions, but has branding and usability drawbacks. The Vlogin plug-in will hopefully be able to parse out the correct IMAP username for your setup. If not, the necessary code changes should be relatively uncomplicated. The source corpi for both SM and Vlogin seem to be well-structured for the most part.
Either of these schemes will facilitate reading/composing e-mail via SSL in addition to a secure login.
Dwight Tovey wrote:
I've been running SquirrelMail on my site under HTTPS for some time with no problems. Now I'm hosting a couple of NameVirtualHosts and the owners of those domains have asked for email access. SquirrelMail + the vlogin plugin would be great for them, but because of the way NameVirtualHosts work, I can't provide HTTPS support for them on their domains. Multiple IP address are not an option at this point.
I'm not too concerned with the email messages running in the clear, but I
would rather not have the login running unencrypted. Anybody have any
suggestions on how I can let them have their own login page with secure
logins (without getting the "Security Error" warnings from the certificate
not matching the domain name)?
-- Will Berry Co-founder, Second Brain website hosting http://www.secondbrainhosting.com/
------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click -- squirrelmail-users mailing list List Address: [EMAIL PROTECTED] List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995 List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
