Secure Login for Apple WebMail
This week I have been teaching my Mac OS X Server Essentials v10.5 class, and a question came up: what is the use of having security on the directory if you have a clear text login to webmail? It's a good question, as I have been pointing out the default security policies of other services that use clear text passwords, and I have warned against using them. In this case, the default setting is in SquirrelMail, the webmail service Mac OS X Server uses to give access to your email. This setting sets the authentication method to "login", an insecure method that sends the password in clear text. The workbook process during the class has you secure the connection with SSL to protect against harvesting, but there is another way: change the authentication method. This isn't in the workbook, so I'm posting it for the benefit of those who wish to have this information. SquirrelMail can use other authentication methods, such as CRAM-MD5 and Digest-MD5, but to set one up you need to get into the command line. I know, it's a little scary for those using the Mac, but it shows you just how powerful the Mac platform can be when you start looking under the hood at the UNIX core. ^_^

The Steps:
- Open your Terminal
- Type "sudo /usr/share/squirrelmail/config/conf.pl"
- Select the Server Settings (number 2)
- Select the Authentication Method (number 6)
- Allow it to check your system for available authentication methods (y)
- Type the desired authentication method (cram-md5)
- Save your configuration (S; this requires root access, which is why we ran the command with sudo to begin with)
- Quit (Q)

And that's it! SquirrelMail will now use CRAM-MD5 as the authentication method for your webmail. You can now disable your less secure methods and feel comfortable that you have at least one more level of security protecting your users' email and their directory login information.

Other things you can do:
- Set up SSL for your webmail connection to protect the connection itself.
- Set up a realm to access the login page.
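To show what the switch from "login" to cram-md5 actually changes on the wire, here is an added Python example (not from the post, SquirrelMail or Apple) that builds the client messages for AUTHENTICATE LOGIN and for CRAM-MD5 (RFC 2195) and verifies the CRAM-MD5 response server-side; the user, password, hostname and credential table are constructed for the demonstration.

```python
import base64
import hmac
import secrets
import time

# Constructed sample credentials (not from the post). The lookup table stands in
# for the directory the IMAP server behind SquirrelMail checks against.
USER = "alice"
PASSWORD = "correct-horse-battery"
CREDENTIALS = {USER: PASSWORD}


def login_wire(user: str, password: str) -> list[bytes]:
    """The two client lines of AUTHENTICATE LOGIN. base64 is an encoding, not
    encryption, so anyone capturing the session recovers the password."""
    return [base64.b64encode(user.encode()), base64.b64encode(password.encode())]


def cram_md5_challenge(hostname: str) -> bytes:
    """Server side of RFC 2195: a fresh, unpredictable challenge for each login,
    which is what makes a captured response useless for replay."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(user: str, password: str, challenge: bytes) -> bytes:
    """Client side of RFC 2195: HMAC-MD5 keyed with the password over the
    challenge. The password itself never leaves the client."""
    digest = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def cram_md5_verify(response: bytes, challenge: bytes) -> bool:
    """Server side: recompute the HMAC from the stored secret and compare in
    constant time. The server must hold the password (or an HMAC key derived
    from it); a one-way password hash is not enough for this mechanism."""
    try:
        user, digest = base64.b64decode(response, validate=True).decode().split(" ", 1)
    except ValueError:  # bad base64, bad UTF-8, or no "user digest" separator
        return False
    secret = CREDENTIALS.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, "md5").hexdigest()
    return hmac.compare_digest(expected, digest)


def password_on_wire(messages: list[bytes], password: str) -> bool:
    """True if a passive observer sees the password, raw or base64-encoded."""
    raw, b64 = password.encode(), base64.b64encode(password.encode())
    return any(raw in m or b64 in m for m in messages)
```

CRAM-MD5 only protects the password during authentication; the mail content still travels in the clear unless the SSL step from the list above is also done.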