I.T. Security and Linux Administration

Sep 1 2011   1:05PM GMT

SquirrelMail PHP Hack to Allow Domain Selection

Eric Hansen Eric Hansen Profile: Eric Hansen

For anyone who has used SquirrelMail, you know you pretty much always have to enter “@domain.tld” after the username to log in and use it.  Its one thing when you’re running it for one domain, but it makes it even worse when you have multiple domains using the same script as well.  This alone got me wanting to hack SquirrelMail to be less troublesome, so I can get into mail faster.  With a few file changes, I was able to do this without worry.

Version Information: SquirrelMail v1.4.22 ; PHP v5.3.8
Total time needed: ~10 minutes, ~5 if you’re just copying and pasting.

Before continuing on with this journey, please note that my set up is a virtual mail system, with domains and such stored in a MySQL database.  I can’t guarantee that this will work for Maildir (and other non-MySQL) set ups, but any changes needed should be minimal, if at all.  Also, throughout all of this, there could be other ways to do this, but this is how I got it working for me.

The first file we are going to work on is “src/login.php”.  First, at around line 121, you should see the following line:

$loginname_value = (sqGetGlobalVar(‘loginname’, $loginname) ? htmlspecialchars($loginname) : ”);

You can put the following line of code pretty much anywhere before the form template code starts, but I put it after the $loginname_value:

$domain_value = str_replace(“www.”, “”, $_SERVER[‘HTTP_HOST’]);

What this does is strip out “www.” if it’s found in $_SERVER[‘HTTP_HOST’] (which returns the domain name).

After the above, you’ll see the following around line 168:

$domain_form_name = ‘domain’;

After the above, you’ll want to put this line:

$domain_form_name = ‘domain’;

This specifies the name for the domain selection form item (you can name it whatever you want, but if you do change it, you’ll have to make the appropriate changes later on as well).

After this, about line 193 or so, I put in the following block of code:


* Used for domain choosing only…!


$domains = array();

$i = 0;

mysql_connect(“localhost”, “user”, “pw” ) or die(“Unable to connect to database.”);


$q = mysql_query(“SELECT domain FROM domain LIMIT 1,30”);

while($r = mysql_fetch_array($q)){

$domains[$i] = $r[‘domain’];





* End use for domain choosing


Essentially this populates an array of the domains available on my server.  You’ll have to modify this accordingly, as everyone’s setups might be different.  The reason why we store the domains in an array is because SquirrelMail’s HTML template system uses an array for the select drop-down menu, which you’ll see later on.

Below is the last change we have to make to src/login.php.  The bold parts is what I added in, but you can display this any way you wish:

html_tag( ‘td’,

_(“Name:”) ,

‘right’, ”, ‘width=”30%”‘ ) .

html_tag( ‘td’,

addInput($username_form_name, $loginname_value, 0, 0, ‘ onfocus=”alreadyFocused=true;”‘),

‘left’, ”, ‘width=”70%”‘ )

) . “\n” .

html_tag(  ‘tr’,

html_tag( ‘td’,


‘right’, ”, ‘width=”30%”‘ ) .

html_tag( ‘td’,

addSelect($domain_form_name, $domains, $domain_value), ‘left’, ”, ‘width=”70%”‘ )

) . “\n” .

After making these changes, the login page will look something like this (sensitive information blurred out):

Now that this file is done, there’s only one more file we have to edit, and that’s src/redirect.php.  This file is sort of a front-end to the authentication, and is more easy to update than login.php.  Now you can place the following after the “sqGetGlobalVar(…);” calls if you like, but I placed it conditional checks as well (around line 57):

/** Modify login to include domain **/

sqGetGlobalVar(‘domain’, $domain_name);

$login_username = $login_username . “@” . $domain_name;

/** End domain hack **/

What this does is get the “domain” variable sent from the form submission, and stores it inside of $domain_name variable.  Then, as $login_username (further up in the script) as already given the username submitted, we tack on the “@domain.tld” portion to it.  Then, the redirect.php script will send $login_username, which will look like “username@domain.tld”, to the authentication mechanisms SqiurrelMail has internally, and go from there.

All in all, having to loop through a lot of files and such, it took me about 30 minutes to set this up.  One thing to note though, is that if you try updating the script, make sure you have a backup of these two files.  They will be overwritten.  A safe thing to do is maybe also run a diff check on the new and current files, and see if the update is worth it.

1  Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • [Revisited] SquirrelMail PHP Hack - I.T. Security and Linux Administration
    [...] Security and Linux Administration « SquirrelMail PHP Hack to Allow Domain Selection Sep 1 2011   9:09PM [...]
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: