Thursday, April 23, 2009

Secure Login for Apple WebMail

This week I have been teaching my Mac OS X Server Essentials v10.5 class, and a question came up:  What is the use of having security on the directory if you have a clear text login to webmail?  It's a good question, as I have been pointing out the default security policies of other services that use clear text passwords, and I have warned against using them.  

In this case, the default setting is in SquirrelMail, the webmail service that Apple's Mac OS X Server uses to give access to your email.  The default sets the authentication method to "login", an insecure method that sends the password in clear text.  The workbook process during the class has you secure the connection with SSL to protect against password harvesting, but there is another way:  change the authentication method.  

This isn't in the workbook, so I'm posting it for the benefit of those who want this information.  SquirrelMail can use other authentication methods, such as CRAM-MD5 and Digest-MD5, but to set one up you need to get into the command line.   I know, it's a little scary for those using the Mac, but it shows you just how powerful the Mac platform can be when you start looking under the hood at the UNIX core.  ^_^

The Steps:

  1. Open your Terminal

  2. Type "sudo /usr/share/squirrelmail/config/conf.pl"

  3. Select the Server Settings (number 2)

  4. Select the Authentication Method (number 6)

  5. Allow it to check your system for available authentication methods (y)

  6. Type the desired authentication method (cram-md5)

  7. Save your configuration (S - and requires root access, which is why we sudoed the command to begin with).

  8. Quit (Q)

And that's it!  SquirrelMail will now use CRAM-MD5 as the authentication method for your webmail.  You can now disable the less secure methods and feel comfortable that you have at least one more level of security protecting your users' email and your users' directory login information.
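As an added illustration (not part of the original post): what the default "login" method puts on the wire versus what CRAM-MD5 does, with both the server and client sides of the CRAM-MD5 exchange. The account name, password and hostname are constructed sample values.

```python
"""Why CRAM-MD5 beats the default 'login' method: what each puts on the wire.
Account, password and hostname below are constructed for this example."""
import base64
import hashlib
import hmac
import secrets

USERNAME = "alice"                         # constructed sample account
PASSWORD = "correct horse battery staple"  # constructed sample password

def login_method_wire(username: str, password: str) -> tuple[bytes, bytes]:
    """The 'login' method base64-encodes the username and password; anyone
    who can read the connection decodes them back in one step."""
    return base64.b64encode(username.encode()), base64.b64encode(password.encode())

def decode_login_password(wire_password: bytes) -> str:
    """base64 is an encoding, not encryption."""
    return base64.b64decode(wire_password).decode()

def server_challenge() -> bytes:
    """CRAM-MD5 server side: a fresh, unpredictable challenge per attempt."""
    return base64.b64encode(f"<{secrets.token_hex(16)}@mail.example.com>".encode())

def client_response(challenge_b64: bytes, username: str, password: str) -> bytes:
    """CRAM-MD5 client side (RFC 2195): HMAC-MD5 over the challenge, keyed with
    the password. Only the username and the digest leave the client."""
    digest = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5)
    return base64.b64encode(f"{username} {digest.hexdigest()}".encode())

def server_verify(challenge_b64: bytes, response_b64: bytes, lookup) -> bool:
    """CRAM-MD5 server side: recompute the digest from the stored secret and
    compare in constant time. The server must hold the clear-text password
    (or an equivalent secret) for this to work; that is the trade-off."""
    username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    secret = lookup(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), base64.b64decode(challenge_b64), hashlib.md5)
    return hmac.compare_digest(expected.hexdigest(), digest)

def lookup_secret(username: str):
    """Stand-in for the directory's password store (constructed)."""
    return PASSWORD if username == USERNAME else None

def cram_md5_exchange(password: str = PASSWORD) -> bool:
    """One full CRAM-MD5 round trip; True when the server accepts."""
    challenge = server_challenge()
    return server_verify(challenge, client_response(challenge, USERNAME, password), lookup_secret)
```

CRAM-MD5 keeps the password itself off the wire, but it does not encrypt the mail session or stop an intermediary from tampering with the connection, so the SSL step the post mentions still belongs alongside it.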

Other things you can do:  

  1. Set up SSL for your webmail connection to protect the connection itself.  

  2. Set up a realm to restrict access to the login page.

Either of these methods will add another level of security to your webmail access.
