June 7, 2009

Horde Webmail Security

For those using Plesk 9.x, Horde natively allows webmail logins via HTTP (insecure) or HTTPS (secure). HTTP logins are not recommended, as the username and password are sent in clear text across the Internet.

In the following example we’ll configure http://webmail.yourdomain.com to automatically redirect to https://webmail.yourdomain.com.

NOTE: These instructions are specific to Plesk’s implementation of Horde but should work on any Horde 3.1.7 installation. Simply locate Horde’s “conf.php” file and adjust the parameters shown below.

[root@youserver /]# nano -w /etc/psa/webmail/horde/horde/conf.php

<?php

$conf['debug_level'] = E_ERROR;
$conf['max_exec_time'] = 0;
// The setting this post is about: 1 = always use SSL, so plain-HTTP
// logins are sent to the HTTPS site instead of being accepted in clear text
$conf['use_ssl'] = 1;
$conf['server']['name'] = $_SERVER['SERVER_NAME'];
// Port used when Horde builds its (HTTPS) URLs
$conf['server']['port'] = 443;
$conf['compress_pages'] = true;
// Files Horde creates are readable by its own user only
$conf['umask'] = 077;
$conf['session']['name'] = 'Horde3';
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['timeout'] = 0;
// Accept the session ID from the cookie only, never from the URL
$conf['session']['use_only_cookies'] = true;
$conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
$conf['cookie']['path'] = '/';
$conf['sql']['persistent'] = false;
$conf['sql']['hostspec'] = 'localhost';
$conf['sql']['username'] = 'horde';
$conf['sql']['socket'] = '/var/lib/mysql/mysql.sock';
$conf['sql']['protocol'] = 'unix';
$conf['sql']['database'] = 'horde';
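As an added check (not part of the original post and not Horde's own code), the following Python script parses a conf.php fragment and reports any of the settings above that still permit plain-HTTP logins or URL-based session IDs. The expected values are the ones from the listing above; the `parse_horde_conf`/`audit_horde_conf` helpers and the sample fragment are constructed for this example.

```python
import re

# Matches Horde 3 assignments of the form  $conf['a']['b'] = value;
_ASSIGN = re.compile(r"^\s*\$conf((?:\[\s*'[^']+'\s*\])+)\s*=\s*(.+?)\s*;\s*$")
_KEY = re.compile(r"\[\s*'([^']+)'\s*\]")

def _php_value(raw):
    """Convert a PHP string/int/bool literal to Python; keep expressions as text."""
    if raw.startswith("'") and raw.endswith("'"):
        return raw[1:-1]
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if re.fullmatch(r"\d+", raw):
        # PHP treats a leading zero (e.g. umask 077) as an octal literal
        return int(raw, 8) if raw.startswith("0") and len(raw) > 1 else int(raw)
    return raw  # constants such as E_ERROR or $_SERVER[...] expressions

def parse_horde_conf(text):
    """Return {('server', 'port'): 443, ...} for every $conf assignment found."""
    conf = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            conf[tuple(_KEY.findall(m.group(1)))] = _php_value(m.group(2))
    return conf

# The values the post sets to force HTTPS and cookie-only sessions
EXPECTED = {
    ("use_ssl",): 1,
    ("server", "port"): 443,
    ("session", "use_only_cookies"): True,
    ("umask",): 0o077,
}

def audit_horde_conf(text):
    """Return a list of findings; an empty list means every checked setting is correct."""
    conf = parse_horde_conf(text)
    findings = []
    for key, want in EXPECTED.items():
        got = conf.get(key)  # None when the setting is missing entirely
        if got != want:
            name = "$conf" + "".join(f"['{k}']" for k in key)
            findings.append(f"{name} is {got!r}, expected {want!r}")
    return findings

# Constructed sample: a conf.php fragment that still allows HTTP logins
WEAK_CONF = """<?php
$conf['use_ssl'] = 0;
$conf['server']['port'] = 80;
$conf['session']['use_only_cookies'] = false;
$conf['umask'] = 077;
"""
```

Run it against `/etc/psa/webmail/horde/horde/conf.php` after editing to confirm nothing was missed; the weak sample above yields three findings.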

For other Horde security tricks read this.