At CMU, we use SquirrelMail for our webmail client. We made some custom modifications to SquirrelMail that other people may be interested in, so here's some quick documentation of what we did.
We have a central web authentication service using Pubcookie. One of our requirements for a webmail client was to use our existing authentication services. Also, we didn't want the webmail servers to have any special (superuser-like) access to the Cyrus servers, so that an attack on the webmail servers couldn't be used to read an arbitrary user's email.
To accomplish these goals, we made some minor modifications to the SquirrelMail source. We replaced the code in SquirrelMail which opens the connection to the IMAP server and authenticates with a custom call that launches imtest, a command line IMAP client which can handle Kerberos authentication.
When you first visit our webmail service, you are redirected by Pubcookie to the Pubcookie login server. The login server prompts for your username and password, validates those against Kerberos and requests an IMAP and SMTP ticket for the appropriate servers, then redirects you back to the webmail server. The Pubcookie Apache module on the webmail server then unpacks your Kerberos tickets to a temporary location, and runs the SquirrelMail PHP code. Our custom modifications to SquirrelMail then launch imtest and have it listen on a UNIX-domain socket. The imtest process uses the IMAP Kerberos ticket to authenticate to Cyrus as the end user. SquirrelMail then opens the UNIX-domain socket, writes standard IMAP commands out and reads the responses back from Cyrus. The imtest process is allowed to remain in the background for a short period of time, so that on repeated client accesses the overhead of connecting and authenticating is avoided.
A similar method is used for sending SMTP-Auth mail via smtptest.
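The IMAP hand-off described above, sketched in Python as an added example (it is not the CMU patch or SquirrelMail's PHP code): a client sends one tagged IMAP command over a UNIX-domain socket to an already-authenticated helper, and first checks that the socket's directory is private to the calling user, because anyone who can open that socket speaks to the mail server as the authenticated user. The socket name, the permission policy and `stub_helper` (a constructed stand-in that returns one canned reply and does not model imtest) are assumptions.

```python
import os, socket, tempfile, threading

def socket_problems(path):
    """List reasons another local user could open or replace the helper socket."""
    d, s = os.stat(os.path.dirname(path)), os.stat(path)
    problems = []
    if d.st_uid != os.geteuid() or s.st_uid != os.geteuid():
        problems.append("socket or directory owned by another user")
    if d.st_mode & 0o077:
        problems.append("directory open to group or other")
    return problems

def imap_command(f, tag, command):
    """Send one tagged command; return (untagged lines, tagged status line)."""
    f.write(f"{tag} {command}\r\n".encode())
    f.flush()
    untagged = []
    while True:                      # IMAP literals ({n}) are not handled here
        raw = f.readline()
        if not raw:
            raise ConnectionError("helper closed the socket")
        line = raw.decode().rstrip("\r\n")
        if line.startswith(tag + " "):
            return untagged, line
        untagged.append(line)

def stub_helper(server):  # constructed stand-in for the helper: one canned reply
    conn, _ = server.accept()
    with conn, conn.makefile("rwb") as f:
        tag = f.readline().split()[0]
        f.write(b'* LIST (\\HasNoChildren) "." INBOX\r\n' + tag + b" OK Completed\r\n")

def demo():
    with tempfile.TemporaryDirectory() as d, socket.socket(socket.AF_UNIX) as server:
        path = os.path.join(d, "imap.sock")      # hypothetical name; d is mode 0700
        server.bind(path)
        server.listen(1)
        t = threading.Thread(target=stub_helper, args=(server,))
        t.start()
        before = socket_problems(path)
        with socket.socket(socket.AF_UNIX) as client:
            client.connect(path)
            with client.makefile("rwb") as f:
                result = imap_command(f, "A001", 'LIST "" "*"')
        t.join()
        os.chmod(d, 0o755)                       # simulate a loosened directory
        return result, before, socket_problems(path)

if __name__ == "__main__":
    print(demo())
```

The client never handles a password or ticket; the private directory around the socket is what keeps the pre-authenticated session from being usable by other local accounts.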
Patches against SquirrelMail 1.5.1 are attached. Note that you have to set $use_cmu_login = 1; in your config.php file in addition to applying this patch.