> hobie of RMN <ho...@rumormillnews.com> wrote: >> Restating: I've installed the *.deb of Squirrelmail 1.4.23 SVN but don['t >> see where to direct the browser in order to engage with it. Anyone know...? > The package should contain a configuration making it available via http(s)://server.name/squirrelmail > But how and if this works depends solely on your local server > configuration. Look into /etc/squirrelmail/apache.conf and where and how this is included into /etc/apache2 on your system. > Other than that, without knowing your local setup, no more help can really be given. > Please make sure to have version 1.4.23~svn20120406-2+deb8u4 installed, which was the last security update available. > But, I must stress again: This version still has known security errors and if you intent to open this version on Jessie to the internet, the chances are very high your system will get hacked and compromised. GrüÃe, > Sven.
Thanks, Sven. Yes, /etc/squirrelmail/apache.conf was the key. Debian's arrangement did not make that file known to apache on installation. A soft link to /etc/apache2 did the trick, and https://[mailhost.example].com/squirrelmail has it up and running. :) Yes, squirrelmail_2%3a1.4.23~svn20120406-2+deb8u4_all.deb is what I've installed. That said, I'm frequently seeing this error message: "This page request could not be verified and appears to have expired." I understand this to be from the implementation of 'security tokens' and that I can make it go away by setting $disable_security_tokens = true in config.php, but this opens possibility for CSRF attacks, I've read. How serious a problem would that be, and are there other protections I could put in place that would make up for those tokens? --hobie
