Skip to content

Security: tobybryans/src

Security

docs/SECURITY 

                               Security Precautions

The following precautions will help protect your Exim4U installation from hostile
intruders and other potential security issues.

1) Use https instead of http for web access to all files. https encrypts all data
using SSL/TLS which protects against eavesdropping and man-in-the-middle attacks.

2) Install Exim4U into an unpredictable path (i.e. don't call it exim4u). The Exim4U
INSTALL file prescribes the install path as exim4u and so you may want to consider
changing the path to something else.

3) Use complex passwords that would be difficult to defeat with dictionary attacks,
etc. Passwords should contain upper and lower case letters, numbers, symbols and
other characters.

4) If possible, password protect the entire Exim4U installation with Apache .htaccess
files. However, this may not be viable if you are allowing individuals to change their
own passwords, etc. Alternatively, you may use mod_auth_mysql so that the .htaccess
file accesses the Exim4U user names and passwords from the MySQL database whereby any
valid Exim4U user can authenticate via the .htaccess file. The following are two examples
of using .htaccess to protect your installation.

Example 1 - Basic .htaccess file requiring user authentication:

		AuthUserFile /etc/httpd/htpasswd
		AuthName "Exim4U Email Admin"
		AuthType Basic
		require valid-user

	In the above example, the user name(s) and password(s) are stored in a text file
	named /etc/httpd/htpasswd which would appear similar to this:

		UserName:EncryptedPassword
		exim4u:a4rfybtFoxxsR

	The file with the user name and password may be generated with the following command:

		htpasswd -c /etc/httpd/.htpasswd <user name>

	This command will then initiate a dialog for specifying the password.

Example 2 - Advanced .htaccess file using mod_auth_mysql on RedHat/CentOS to access the
            Exim4U user names and passwords from the MySQL database:

		Options -Indexes
		AuthName "Exim4U Email Admin"
		AuthType Basic
		require valid-user
		AuthMySQLEnable On
		AuthMySQLSocket /var/lib/mysql/mysql.sock
		AuthMySQLDB exim4u
		AuthMySQLUser exim4u
		AuthMySQLPassword "DatabasePassword"
		AuthMySQLPwEncryption Crypt
		AuthMySQLUserTable users
		AuthMySQLNameField username
		AuthMySQLPasswordField crypt
		AuthMySQLNoPasswd off

    	When using this feature you must install mod_auth_mysql from the RedHat/CentOS repos
    	as follows:

		yum install mod_auth_mysql

    	For more information on mod_auth_mysql refer to: http://modauthmysql.sourceforge.net/

    	Consult your documentation for how to implement mod_auth_mysql with other versions of
    	Unix/Linux.

There aren’t any published security advisories