[horde] switching from https to http using imp?

Eric Rostetter eric.rostetter at physics.utexas.edu
Mon Mar 10 07:22:52 PST 2003


Quoting Hugo Bouckaert <hugo at geoinformex.com>:
 
> I have installed horde 2.2 with imp 3.2 and turba 1.1 on my linux
> webserver running apache 1.3.27. It runs fine, but I am channeling
> everything through https, as, in order to receive emails with imp using
> imap, people have to supply a username and password. Not using https
> would be very insecure.

Sounds good.
 
> The trouble is that once I am switching to https, encryption of all
> subsequent pages makes using the web mail service very slow. As far as I

Consider faster hardware, or an ssl accelerator card.

> can see, there is no absolute need to keep using https once the person
> has been verified by horde and imp and the mail folder is parsed through
> to the web interface.

That depends on the security level you want to achieve.  Some people would
want the cookies encrypted for each page.  Some might want the actual
email messages encrypted if they have sensitive email.  All depends on your
needs.
 
> Is it possible to switch back to http between the person logging into
> imp and the messages being displayed in the inbox? In other words,

Sure.

> entering a username and password to horde and imp to verify the account
> with the mail server is done using https, but the page that is returned
> i.e. inbox with mail messages switches back to http. From then on, all
> further pages (such as composing a message etc.) are http, not https.

You need to be careful to make sure as you add modules/features you 
encrypt them as needed.  Some examples might be fetchmail or sork,
both of which ask for passwords.  Also modules which *may* do their
own authentication (e.g. imp, gollem).

I always prefer to make everything ssl, so I don't have to worry about
changing urls, new features, etc.  Doing otherwise *might* cause a lot
of work to make sure you stay in compliance over time.

> Is this possible? Are there any security considerations to watch out for
> apart from mail itself not being encrypted?

It is possible.  There are security considerations (such as cookies that
are used for authentication).

> If it can be done, how would
> this switching between https and http be implemented in the php code?

It should be done in your web server configuration, not in php.
 
> Any help or advice will be most appreciated. If there are other
> suggestions about ways of making the imp web mail service less slow,
> that would be greatly appreciated as well.

Since you don't tell us much about your setup, can't help much.  There
is a small (but growing) amount of info in 

http://cvs.horde.org/co.php/horde/docs/PERFORMANCE?login=2&r=1.4

> 
> Thanks
> 
> Hugo

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
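
An added example, not part of the original message or of Horde's own code: a small Python check over a recorded login flow that flags the cookie concern raised in the reply, namely a session cookie set over HTTPS without the Secure attribute that is then sent on later plain-HTTP requests. The host name, paths and cookie name are constructed, and cookie path/domain matching is simplified to a per-host check.

```python
from urllib.parse import urlsplit, urljoin

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    first, *attrs = [p.strip() for p in value.split(";")]
    name = first.split("=", 1)[0]
    return name, {a.split("=", 1)[0].lower() for a in attrs if a}

def audit_flow(exchanges):
    """exchanges: ordered list of (request_url, [(header, value), ...]).
    Returns findings as (kind, url, detail) tuples."""
    findings = []
    exposed = {}  # host -> cookie names set over HTTPS without Secure
    for url, headers in exchanges:
        req = urlsplit(url)
        # A cookie set without Secure accompanies any later plain-HTTP request
        # to the same host (path/domain scoping is ignored in this sketch).
        if req.scheme == "http":
            for name in sorted(exposed.get(req.hostname, ())):
                findings.append(("cookie-sent-in-clear", url, name))
        if req.scheme != "https":
            continue
        for header, value in headers:
            h = header.lower()
            if h == "set-cookie":
                name, attrs = parse_set_cookie(value)
                if "secure" not in attrs:
                    exposed.setdefault(req.hostname, set()).add(name)
                    findings.append(("cookie-missing-secure", url, name))
            elif h == "location":
                target = urljoin(url, value)  # resolves relative redirects
                if urlsplit(target).scheme == "http":
                    findings.append(("https-to-http-redirect", url, target))
    return findings

# Constructed sample: login over HTTPS, then a switch back to HTTP for the inbox.
LOGIN = "https://mail.example.org/webmail/login"
INBOX = "http://mail.example.org/webmail/inbox"
SAMPLE_FLOW = [
    (LOGIN, [("Set-Cookie", "webmail_session=0123456789abcdef; path=/webmail"),
             ("Location", INBOX)]),
    (INBOX, [("Content-Type", "text/html")]),
]

if __name__ == "__main__":
    for finding in audit_flow(SAMPLE_FLOW):
        print(finding)
```
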

