Tree [r14457] / trunk / squirrelmail / plugins / mail_fetch /
History



File Date Author Commit
README 2010-06-21 pdontthink [r13950] Fixed minor vulnerability in Mail Fetch plugin ...
class.mail_fetch.php 2014-01-01 pdontthink [r14420] Happy 2014
config_default.php 2014-01-01 pdontthink [r14420] Happy 2014
constants.php 2014-01-01 pdontthink [r14420] Happy 2014
fetch.php 2014-01-21 pdontthink [r14437] Variable name correction
functions.php 2014-01-21 pdontthink [r14437] Variable name correction
index.php 2014-01-01 pdontthink [r14420] Happy 2014
options.php 2014-01-21 pdontthink [r14437] Variable name correction
setup.php 2014-01-01 pdontthink [r14420] Happy 2014

Read Me

Mail Fetch

Downloads mail from a pop3 server to your SquirrelMail account.

Features
========

* Copies messages from remote server
* Saves server, alias, username, and password in prefs file...
* Remembers where to resume downloading messages if
  your pop server supports UIDL.
* Optionally deletes mail from the remote server.
* Allow an infinite amount of remote servers
* Optional to not save password - prompt on check
* Save messages into a local IMAP folder instead of INBOX
* Check mail during login (Needs SM 1.1.3 or older).
* Check mail during folder refreshes.
* Allows gettext translations.


Description
===========

Feel like grabbing your messages from a different mail server into
SquirrelMail?  This might be able to help.


Configuration
=============

Under the options you can add, delete or modify server list where
fetching mail.  For each server you can set also username and password;
if you leave password blank, the password whore required when you fetch
mail.  Make sure "Leave Mail On Server" is checked if you do not want
Mail_Fetch to delete it from the remote server.  Once configured,
click 'Fetch' in the SquirrelMail menu to get your mail; you can fetch
mail from all server instead or from only one by selecting the options
dispayed.

If you want to check mail periodicaly choose "Check mail during login"
or "Check mail during folder refresh". Of course passwords have to be
entered in order for this to work.

In order to secure a little bit the system, pop3 passwords can be encrypted.
The encryption key may be defined in to places. The first, and more secure,
is in the httpd configuration as an enviromental variable called MF_TIT
only accesible from the SquirrelMail directory.

the way you can do this from apache is adding the following directives to
httpd.conf (supposing that SquirrelMail is located at /usr/local) or an
included configuration file:

<Directory "/usr/local/squirrelmail">
    SetEnv MF_TIT "MailFetch Secure for SquirrelMail 1.x"
</Directory>

Of course, you should replace the text inside double quotes with the key
you want to (some kind of secret text). A please remember that the file
where you decided to place this must be root only readable.

The second way is to edit functions.php and look for:

    if( !isset( $MF_TIT ) ) {
        $MF_TIT = "MailFetch Secure for SquirrelMail 1.x";
    }

Once again change the text "MailFetch Secure for SquirrelMail 1.x"
with a secret text.

Please note that you must redefine passwords each time you change the key.

To maintain compatibilty with older systems, mail_fetch can work with old
pref files, with no encrypted passwords. If this occurs, you'll see that
the "Encrypt Password" checkbox in the option page is not checked. If you
reenter account's passwords the system will switch to encrypted mode.


Security
========

By default, the user is not allowed to enter a non-standard POP3 port
number when configuring an external server with this plugin.  This prevents
the use of this plugin as a port scanner against other servers.  However,
if you need to allow users to access a POP3 service running on a non-
standard port, you may create a "config.php" file by copying "config_example.php"
and editing the list of allowable port numbers therein.  If "ALL" is added
to the list of allowable port numbers, then there will be no restriction
on port numbers whatsoever.  Be aware that although this may not represent
any security threat to servers elsewhere on the Internet that does not
already exist (other port scanners are freely available), if your server
resides on a network behind a firewall, this could allow a malicious user
to scan the servers and services behind your firewall that they'd normally
not have access to.

The user will also not be allowed to enter server addresses starting
with "10.", "192.", "127." and "localhost" by default.  This prevents users
from being able to scan an internal network for the presence of other servers
they are not allowed to access.  If other server addresses should be banned,
or this list is too restrictive, you may create a "config.php" file by copying
"config_example.php" and then edit the list of blocked server addresses
therein.


Future Work
===========

* Add IMAP server stealing

* Limit number of pop accounts


Installation
============

Go back to the main directory, run configure and add the plugin.

Some plugin settings can be adjusted in config/mail_fetch_config.php or
plugins/mail_fetch/config.php files. 

See plugins/mail_fetch/config_sample.php


Note for mod_gzip users
=======================

As fetching module shows information while fetching is taking place, it
is a good idea to disable compression for that operation. The way to do
this with mod_gzip is:

mod_gzip_item_exclude       file fetch.php


Note for Newmail Plugin users
=============================

In order to Newmail plugin detect new mails during folder refreshes
make sure that Mail_Fetch is listed first that Newmail in the
SM configuration. To do so you only have to remove Newmail plugin
and then add it again.


Credits
=======

This plugin has been originally created by Tyler Akins, with contributions
from Philippe Mingo, Tomaso Minelli and Joshua Pollak. It's now maintained
by the SquirrelMail Project Team.