Gentoo Wiki


Please format this article according to the guidelines and Wikification suggestions, then remove this notice {{Wikify}} from the article

Complete Virtual Mail Server

Getting Started

Basic Mail Setup

Enhanced Mail Services

Anti-Spam Configuration

Anti-Virus Configuration

Log Analyzer

Wrapping it Up

Merge-arrows.gifIt has been suggested that this article be Merged into one article with SquirrelMail.    (Discuss)


This one is dead easy to install. I did want to install as secure site, however I am using name based virtual hosts on Apache and from everything I read, SSL is not supported in this mode. I may go back and install another web server one day but until then… This does not mean there is no security. Squirrel mail does support TLS (SSL) connections when logging into the IMAP server and for SMTP authentication.

[added by Crayon: Clarification on Apache+SSL+name based virtual hosts] It is possible to use SSL with name based virtual hosts, but the limitation is that you can only specify a single certificate for all your virtual hosts and because the certificate is tied to one particular domain (ie one particular virtual host), people accessing the other virtual hosts will see an error on their browser saying certificate is not issued to that host. You can see this happening when you visit for example.

[added by Nasko: Clarification on Apache+SSL+name clarification] It is possible to do it! no errors. You just need a specially crafted certificate as explained here: Vhosts Apache - CAcert Wiki

On with the Squirrelmail install. I turned off the crypt flag as it resulted in additional packages being installed that I did not want here. I also added the vhosts flag as I am using a virtual host configuration. To support spell checking in squirrelmail I also included the ispell package.

# echo "mail-client/squirrelmail -crypt spell vhosts">>/etc/portage/package.use
# emerge squirrelmail ispell

Because I support virtual hosts, webapp-config is required to support installing squirrelmail in the correct directory. In my case I want it in htdocs under the domain that will be hosting the mail server ( in our case), so the command was:

# webapp-config -I -h squirrelmail 1.4.5

In my case this installed squirrelmail in /var/www/

At this point I ran into a problem that took a whole bunch of screwing around to get fixed. Earlier we setup postfix to only allow mail to be sent over an TLS connection by authorized users. To do this we need to connect to the server, issue a STARTTLS command and then send our userid and password. Well that is where the problem lies.

Squirrelmail is dependent on PHP 4.x which does not support issue the STARTTLS command and so you are not able to establish the TLS connection and thus cannot authenticate. Long story short, you can’t send mail. Don’t worry, squirrelmail isn’t the only one that can’t handle this, Outlook Express and a few other mail clients can’t handle this properly either.

There are a few ways to handle this, but the best and most secure approach (at least in my mind) is to have postfix open another socket to listen for secure smtp connections, which is easy to do (once you know the answer). In the postfix file there is already a line in (that is commented out) that will activate this service on port 465 that works just fine.

So if it so easy, then why did it take me so long to figure out? Well, in reality the entry in the file is wrong, along with a lot of stuff you will find written on the web (which goes to show you how many people give advice on things they have never tried). Anyway, in the file the service is identified as “smtps” where as it needs to be called “ssmtp”. You will know if you get this wrong because when you try to restart postfix, it will fail, the log will show an error message about an unknown service and you will not be able to start, stop, reload or do anything with postfix. At this point all you can do is fix the and reboot the machine.

You will also need to uncomment the line for the tlsmgr and change the service from fifo to linux.

Code: /etc/postfix/
#nano /etc/postfix/

ssmtp     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

tlsmgr    unix  -       -       n       300     1       tlsmgr

Restart postfix and then run a netstat –na to be sure that both ports 25 and 465 are listening for a connection.

Code: Re-Starting Postfix
# /etc/init.d/postfix restart
* Stopping postfix...                                           [ ok ]
* Starting postfix...                                           [ ok ]

# netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address        Foreign Address         State
tcp     0      0*             LISTEN
tcp     0      0 *             LISTEN
tcp     0      0  *             LISTEN
tcp     0      0  *             LISTEN

Finally, before firing up squirrel mail, we need to make a few configuration changes in its setup. The easiest way to do this is if you have perl installed in your system, to use the configuration utility supplied with Squirrelmail /var/www/ If not, then you will need to directly edit the config.php file in /var/www/

Code: Configuring Squirrelmail
# perl /var/www/

SquirrelMail Configuration : Read: config.php (1.4.0)
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >>

The key parameters you want to change are under the Server Settings. Below I have shown the items as they are displayed by the utility, with their name from the config.php file shown in brackets at the end of the line.

Code: config.php Settings
1.  Domain                 :			($domain)
2.  Invert Time            : false				($invert_time)
3.  Sendmail or SMTP       : SMTP				($use_sendmail)

IMAP Settings
4.  IMAP Server            :   		($imapServerAddress)
5.  IMAP Port              : 993				($imapPort)
6.  Authentication type    : login				($imap_auth_mech)		
7.  Secure IMAP (TLS)      : true				($use_imap_tls)
8.  Server Software        : other				($imap_server_type)
9.  Delimiter              : detect				($optional_delimiter)

SMTP Settings
4.   SMTP Server           : localhost				($smtpServerAddress)
5.   SMTP Port             : 25					($smtpPort)
6.   POP before SMTP       : false				($pop_before_smtp)
7.   SMTP Authentication   : none				($smtp_auth_mech) //for me not working! after select login looks fine
8.   Secure SMTP (TLS)     : false				($use_smtp_tls)
9.   Header encryption key :					($encode_header_key)


These settings are all you should need to get squirrelmail working. Be sure to take some time to look at the other settings as there are some interesting options for this utility.

With this up and running, I now suggest that you spend a fair bit of time testing. Use squirrelmail and your favourite mail client to test connecting, sending and receiving mail, etc. Be sure to test both valid and invalid connections, passwords, etc. When you have finished testing, you will now have a fully working virtual mail system. You can either choose to stop at this point and enjoy what you’ve done, or if you are up to it, dive in and take the next step to start fine tuning and building on what we’ve done so far.

Note: This way squirellmail does not use secure SMTP or anything. This should be relativly secure, concidering it is beeing run on the same host.

/* I tried using localhost:465 with SMTP Auth login and secure SMTP (TLS) but couldn't get that to work. Not by following this document. Since local sending (via /usr/bin/sendmail) and webmail, I can't test SSL SMTP within the subnet. However that should go under that topic anyhow */

Password change by logged in user can be provided by Change SQL Password plugin. Now some modification in code needed. Some queries not working with Postgres. changes needed in functions.php (password format) and config.php.

         HINT: Salt for crypt() function used in this HOWTO: $1$.2213700

-- 01:40, 12 November 2006 (UTC) Another (easier) way to achieve the goal of encrypted packets on the WAN is to use a front-end proxy for HTTPS. I use pound. With this method, squirrelmail does not need to have any SSL or TLS stuff set up because pound will handle the SSL, and squirrelmail will be dealing with unencrypted traffic only.

In my setup, pound listens on ports 80 and 443. The relevant config looks like this. Notice the BackEnd sections. My apache server (which serves the squirrelmail pages) is on the same machine as the pound server, so I use localhost. The backend machine can be any IP address or FQDN. The port is 81 for normal HTTP requests, and port 82 for HTTPS requests that are decrypted by pound and then sent on to paache in raw HTTP form. I need to set up apache to listen on ports 81 and 82. Since all web requests go through pound, apache is configured to listen to localhost ONLY. Better yet, ports 81 and 82 do not need to be opened on the firewall. Only 80 and 443, the standard web ports, need to be open. If apache and pound are on the same machine, 81 and 82 can be closed even on the LAN.

   # /etc/pound.cfg
   User        "nobody"
   Group       "nobody"
   LogLevel    3
   Alive       30
       Port 80
               Address localhost
               Port    81
               Type    BASIC
               TTL     300
       Port 443
       Cert "/etc/ssl/poundcert.pem"
       AddHeader "X-Forwarded-Proto: https"
       HeadRemove "X-Forwarded-Proto"
           HeadRequire "Host:.**"
               Address localhost
               Port    82
               Type    BASIC
               TTL     300

The SSL certificate was a bit tricky to get right. It's easy enough to make a cert that requires a password, but this is inconvenient in a boot-time service. To make a cert that does not require a password AND works with pound, do this:

   - Follow the steps at
   - cat server.pem > poundcert.pem
   - cat server.crt >> poundcert.pem

These are standard ASCII files, so go ahead and cat or less them to see what you are accomplishing. Pound wants a cert file that contains both the private RSA key and the certificate.

Unfortunately, there is no way to use different certs for different virtual hosts, unless you either 1) use a different port for each cert (and also a different hostname, though it must resolve to the same machine), or 2) use multihoming and have a different IP address for each cert, in which case port 443 will be available for each HTTPS socket. The first method would be an ugly hack (if it's even possible), and the URL would have a non-standard port number in it, which would make users a bit jumpy (yes it works, it's not that bad if you start them on the non-ssl page and forward to the ssl page). The second approach is more desirable. A single physical NIC can have many virtual interfaces in linux, each with their own IP address. I'll add notes when I get this working. There is still the issue of squirrelmail not supporting multiple domains. There may be plugins for this, like vlogin.

Now the apache config. I have both these lines in my /etc/apache2/apache2.conf. The first line is for most of my websites. Apache must listen on a port other than 80 if your front-end proxy is using this port. The second line (with port 82) is for the pound-decrypted HTTPS websites. We need a second port because we'll need two VirtualHost directives for our squirrelmail site: the first one for redirecting HTTP to HTTPS, and one for handling the HTTPS requests that pound decrypts for us. If you try to use the same port for both the redirector and the actual VirtualHost, you'll end up with an endless loop of redirection.

   # /etc/apache2/apache2.conf
       RewriteEngine On
       RewriteCond %{HTTPS} !=on
       RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
       DocumentRoot /usr/share/webapps/squirrelmail/1.4.8/htdocs
   <Directory "/usr/share/webapps/squirrelmail/1.4.8/htdocs">
       Options FollowSymLinks Includes FollowSymLinks ExecCGI
       AllowOverride None
       Order allow,deny
       Allow from all

Pound can do rewriting, but it isn't as good as Apache for this. You'll see weird bugs in squirrelmail if you try to use pound as the rewriting agent. Some links, when clicked, will cause the entire frameset (left bar and content frame) to appear within the original content frame, giving a house-of-mirrors effect.

Retrieved from ""

Last modified: Tue, 19 Aug 2008 11:13:00 +0000 Hits: 16,826