I recently had to upgrade SquirrelMail and make it https-only in order to address a vulnerability reported by a PCI scan, i.e. the username and password were sent over an http/non-secure channel. The SquirrelMail Docs were pretty useful for upgrading from 1.4.8 to 1.4.22. That manual also has all the information you need in order to upgrade from really old versions to the latest.
The simplest way to force https-only is by adding a RewriteRule, as this article suggests, if you have installed it without using a VirtualHost. If not, you can rely on this plugin called Secure Login. That’s exactly what I did. The INSTALL text file supplied with the plugin has all the instructions you need in order to complete installation.
Post installation, I had to update two configuration settings within the plugin folder (plugins/secure_login/config.php). This is required in order to continue with https after authentication. So, I set $change_back_to_http_after_login to 0 and $remain_in_https_if_logged_in_using_https to 1.
Perhaps you need not change these two, as the documentation said it should work in http after authentication. It didn’t work for me though, and I had to make it completely https.
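A quick way to confirm that the two settings above still hold the https-only values after an upgrade or reinstall, as an added example that is not part of the original post or the plugin. It assumes config.php uses plain `$name = value;` assignments; the function names and both sample files are constructed for illustration.

```python
import re

# Settings named in the post, with the values used there to stay on https.
REQUIRED = {
    "change_back_to_http_after_login": 0,
    "remain_in_https_if_logged_in_using_https": 1,
}

# PHP comments: /* ... */, // ... and # ... (to end of line).
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# Simple one-line scalar assignment: $name = value;
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*([^;\n]+);")

# Constructed samples, not the plugin's shipped config.php.
SAMPLE_WEAK = """<?php
// session drops back to http once the password has been sent
$change_back_to_http_after_login = 1;
# $remain_in_https_if_logged_in_using_https = 1;
"""
SAMPLE_FIXED = """<?php
$change_back_to_http_after_login = 0;   /* stay on https */
$remain_in_https_if_logged_in_using_https = 1;
"""


def parse_settings(php_text):
    """Return {name: int} for simple assignments; the last one wins."""
    settings = {}
    for name, raw in _ASSIGN.findall(_COMMENTS.sub("", php_text)):
        raw = raw.strip().strip("'\"").lower()
        if raw in ("true", "false"):
            settings[name] = int(raw == "true")
        elif raw.isdigit():
            settings[name] = int(raw)
    return settings


def audit(php_text):
    """List settings that differ from the https-only values in REQUIRED."""
    found = parse_settings(php_text)
    problems = []
    for name, wanted in REQUIRED.items():
        if name not in found:
            problems.append(f"${name} is not set (expected {wanted})")
        elif found[name] != wanted:
            problems.append(f"${name} = {found[name]} (expected {wanted})")
    return problems


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(label, audit(text) or "ok")
```

To check a real installation, pass the contents of plugins/secure_login/config.php to audit(); a commented-out setting is reported as not set.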