While many of you enjoy the benefits of bargain-basement Linux Apache web hosting services, not everyone is blessed (and sometimes cursed) with cPanel, a user-friendly, Apache-for-dummies control panel system that helps you manage your site without having to become a Linux guru. Ensim and Plesk are two other common browser-based website management systems you may have seen.
Depending on the paranoia of your host provider, cPanel by default comes bundled with three open source browser-based email programs: NeoMail, Horde and SquirrelMail. These applications can really come in handy when:
- members of your congregation are in a foreign country on a summer missions trip;
- you work at a place that disallows access to external POP3 email;
- your church is providing free email to a full-time missionary; and/or
- some mixture of the above.
Even for those of you with cPanel, reason #2 can become problematic if you are behind a strict firewall, as browser-based email is delivered via port 2082 or 2083 – something sure to set off bells and whistles for the type-AA security administrators among you.
TCP/IP Ports for Newbies
Yeah okay, I realize that I may have just lost some of you with talk of ports. Very quickly, the Internet transmits information over a mechanism referred to as TCP/IP. Activities such as browsing, ftp and email each have their own ports/channels/addresses/whatever so you can use the same pipeline. Here is a quick reference table that I hope will clarify this:
With the port-o-madness issues out of the way, below are some possible solutions to help you provide email to your summer missionaries, avoid firewall issues at work, and to keep church-related email on the church’s webserver.
Real World Need
When Chuck Holton and I were in Jordan, we were a bit wary about using email and even blogging because we, or at least I, knew that text entered in an HTTP-based form is generally transmitted in plain text. Being in the Middle East, even though we found Jordan immensely safe, we opted to practice various security practices.
The first thing we discovered was that some of the hotels blocked communications with the company that provides Internet access to our hosting company (a.k.a. upstream provider). To get around this, and to help obfuscate our activities, we would change the Proxy setting on the web browser while we used it, then would set the browser back to the default setting once done.
Next, we would, whenever possible, use HTTPS as opposed to HTTP. The former is sometimes mistakenly referred to by an encryption method HTTPS employs: Secure Sockets Layer or SSL. Regardless of how you identify it, this is the mechanism that is used by reputable e-commerce sites when asking for your credit card and other sensitive information. It can also be used for anything else you view or submit online; in our case, we used this for secure email transmissions.
We did run into one firewall which denied access to Ports 2082 & 3. It was that scenario that left me wanting for a solution that runs on the default HTTP port of 80. So with my wife ‘n’ kid out of town this week, I decided to see if I could:
- Install a browser-based email package
- Create and install an SSL Certificate
- Secure the email package using SSL
So far, so good, I’ve had the time to install a number of browser-based email packages. I opted for SquirrelMail for the following reasons:
- active OpenSource community;
- didn’t take a PhD in Computer Science to install and configure;
- offers numerous, useful plug-ins;
- easy to use;
- easy to modify;
- easy to extend.
From the Linux/Bash, secure shell command line:
tar -zxvf squirrelmail-1.4.3a.tar.gz
mv squirrelmail-1.4.3a $HOME/www/squirrelmail
At this point, I followed the Quick-n-Dirty installation instructions available at the SquirrelMail website. Voilà, online browser-based email that let me use the same POP3 email account I use at home via my client-based email program, Outlook Express.
One feature I wish was provided in more OpenSource distributions is a nifty, very useful little Perl script that provides the user with a text-based, menu-driven means of modifying the configuration file (Ben, Mena, Anil are you listening?).
Within the next week or so, I’ll write about using SquirrelMail via SSL. Until then, here are some things you can do to obscure the ‘signature’ of the application.
Most of the following ‘obfuscation’ steps, which I warn you now can leave big nasty bullet holes in your foot, are put in place to avoid detection by firewalls that throw warnings based upon key words such as “Mail” or “Webmail.”
First thing is to use a directory name other than SquirrelMail. Something that won’t stick out like a sore thumb if and when the security officer peruses his/her usage logs. For example:
mv squirrelmail-1.4.3a $HOME/www/sewing
The next thing is to rename the file webmail.php to something like ‘tips.php‘. This however means changing the source code for any and all SquirrelMail files that may use/call webmail.php. For this, I go back to an old article “Global replace using find and xarg“:
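cp $HOME/www/sewing/src/webmail.php $HOME/www/sewing/src/tips.php
# replace every reference to webmail.php, then list the files that now mention tips.php
find /home/YOURACT/www/sewing -name "*.php" | xargs perl -pi -e 's/webmail\.php/tips.php/g'
find /home/YOURACT/www/sewing -name "*.php" | xargs grep -l "tips.php"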
What this does is give you a URL signature that reads:
Granted, this doesn’t obscure some of the arguments used by tips.php, nor does it take into account that any messages sent this way are still transmitted in plain text. With that in mind I WOULD STRONGLY ADVISE AGAINST depending on this obfuscation technique alone when trying to protect missionaries working as doctors in Christian-hostile countries.
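Why the rename gives so little protection, seen from the log reviewer's side, as an added example that is not part of the original post: a small classifier run over constructed proxy-log URLs. The host, the sample paths and the SquirrelMail query parameter names (right_frame, mailbox, passed_id, startMessage) are assumptions; confirm them against your own logs.

```python
from urllib.parse import urlsplit, parse_qs

KEYWORDS = ("webmail", "mail")     # the keyword rule the post describes
CPANEL_PORTS = {2082, 2083}        # the ports named in the post
# Assumed SquirrelMail 1.4 query parameters; confirm against your own logs.
SM_PARAMS = {"right_frame", "mailbox", "passed_id", "startMessage"}


def classify(url):
    """Return the sorted reasons a logged URL looks like browser-based email."""
    parts = urlsplit(url)
    reasons = set()
    # 1. Keyword in the path: the check a directory/file rename defeats.
    if any(k in parts.path.lower() for k in KEYWORDS):
        reasons.add("keyword-in-path")
    # 2. Destination port: unaffected by any renaming.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port in CPANEL_PORTS:
        reasons.add("cpanel-port")
    # 3. Query arguments: survive the rename, as the post itself concedes.
    params = set(parse_qs(parts.query, keep_blank_values=True))
    if "right_frame" in params or len(params & SM_PARAMS) >= 2:
        reasons.add("squirrelmail-params")
    # 4. Anything flagged above and sent over plain HTTP is readable in transit.
    if reasons and parts.scheme == "http":
        reasons.add("cleartext")
    return sorted(reasons)


# Constructed sample URLs (example.org is a placeholder host).
SAMPLE_LOG = [
    "http://example.org:2082/squirrelmail/src/webmail.php",
    "http://example.org/sewing/src/tips.php?right_frame=compose.php",
    "http://example.org/sewing/src/read_body.php?mailbox=INBOX&passed_id=7&startMessage=1",
    "https://example.org/sewing/patterns.php?page=2",
]


def report(urls=SAMPLE_LOG):
    """Map each URL to its list of reasons (empty list means no match)."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, reasons in report().items():
        print(f"{', '.join(reasons) or 'no match':45} {url}")
```

The renamed tips.php request no longer trips the keyword rule but is still identified by its arguments, and it is still marked cleartext, which is the gap only SSL closes.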
That said, it may be enough for those of you traveling and/or at work where your firewalls won’t discourage use of port 2082/3 and/or browser-based email. Just make sure to change the proxy settings on the browser first.
Okay, now if you don’t mind, I need to get my notes together on SSL so we can transmit data securely.