
Re: dpkg SquirrelMail on Jessie



> hobie of RMN <hobie@rumormillnews.com> wrote:
>> Restating:  I've installed the *.deb of Squirrelmail 1.4.23 SVN but don't
>> see where to direct the browser in order to engage with it. Anyone
>> know...?
> The package should contain a configuration making it available via
> http(s)://server.name/squirrelmail
> But how and if this works depends solely on your local server
> configuration. Look into /etc/squirrelmail/apache.conf and where and how
> this is included into /etc/apache2 on your system.
> Other than that, without knowing your local setup, no more help can
> really be given.
> Please make sure to have version 1.4.23~svn20120406-2+deb8u4 installed,
> which was the last security update available.
> But, I must stress again: This version still has known security errors
> and if you intend to open this version on Jessie to the internet, the
> chances are very high your system will get hacked and compromised.
> Regards,
> Sven.

Thanks, Sven.  Yes, /etc/squirrelmail/apache.conf was the key.  Debian's
arrangement did not make that file known to apache on installation. A soft
link to /etc/apache2 did the trick, and
https://[mailhost.example].com/squirrelmail has it up and running. :)

Yes, squirrelmail_2%3a1.4.23~svn20120406-2+deb8u4_all.deb is what I've
installed.

That said, I'm frequently seeing this error message: "This page request
could not be verified and appears to have expired."  I understand this to
be from the implementation of 'security tokens' and that I can make it go
away by setting $disable_security_tokens = true in config.php, but this
opens the possibility for CSRF attacks, I've read.

How serious a problem would that be, and are there other protections I
could put in place that would make up for those tokens?

--hobie
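
Added example, not part of the original messages: a read-only shell check for the two settings discussed in this thread, namely whether any symlink under the Apache config directory resolves to the SquirrelMail apache.conf, and whether config.php sets $disable_security_tokens to true. The conf-enabled directory name, the Alias line and the sample tree are constructed assumptions; on a real host pass /etc/apache2, /etc/squirrelmail/apache.conf and the actual config.php path.

```shell
#!/bin/sh
# Added example: two read-only checks for the setup discussed in this thread.

# List symlinks under an Apache config root that resolve to the given file.
apache_links_to() {
    target=$(readlink -f "$2") || return 2
    find "$1" -type l 2>/dev/null | while IFS= read -r link; do
        if [ "$(readlink -f "$link")" = "$target" ]; then
            printf '%s\n' "$link"
        fi
    done
}

# Print "disabled" if the last active $disable_security_tokens assignment in a
# config.php is true, otherwise "enabled". Commented-out lines are ignored.
security_tokens_state() {
    last=$(sed -n 's/^[[:space:]]*\$disable_security_tokens[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\)[[:space:]]*;.*/\1/p' "$1" | tail -n 1)
    case $last in
        true|TRUE|True|1) echo disabled ;;
        *) echo enabled ;;
    esac
}

# Constructed sample tree (not real system files) so the checks run anywhere.
# The conf-enabled layout is an assumption about Apache 2.4 on Jessie.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/squirrelmail" "$d/apache2/conf-enabled"
    echo 'Alias /squirrelmail /usr/share/squirrelmail' > "$d/squirrelmail/apache.conf"
    ln -s "$d/squirrelmail/apache.conf" "$d/apache2/conf-enabled/squirrelmail.conf"
    printf '%s\n' '<?php' '// $disable_security_tokens = true;' \
        '$disable_security_tokens = false;' > "$d/squirrelmail/config.php"
    echo "$d"
}

sample=$(make_sample)
apache_links_to "$sample/apache2" "$sample/squirrelmail/apache.conf"
security_tokens_state "$sample/squirrelmail/config.php"
rm -rf "$sample"
```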



