SquirrelMail
SquirrelMail is a free, open-source webmail client written in PHP that enables users to access and manage email accounts through a standard web browser, supporting IMAP and SMTP protocols with built-in pure PHP implementations for server communication.[1] It renders all interfaces in HTML 4.0 without requiring JavaScript, ensuring maximum compatibility across diverse browsers and ensuring accessibility from any internet-connected device.[2] Developed initially in 1999 to address the need for a customizable, standards-compliant webmail solution, SquirrelMail quickly became a popular choice for organizations seeking a lightweight email interface.[1] The project, licensed under the GNU General Public License, includes core features such as strong MIME support for handling attachments, integrated address books, folder management, and extensibility through plugins for authentication methods like Yubikey or SMTP.[2] Its design emphasizes simplicity and scalability, allowing deployment on shared hosting environments with minimal server requirements, and it has been used in production systems worldwide, supporting thousands of users.[1] The stable release, version 1.4.22, was issued in July 2011, but the project maintains active development through daily SVN snapshots for both stable (1.4.23-svn) and development (1.5.2-svn) branches, with the most recent updates dated November 18, 2025.[3] Ongoing efforts include compatibility patches for modern PHP versions in the 8.x series and security fixes, such as addressing XSS vulnerabilities in email headers reported in April 2025.[4] While some hosting providers like cPanel discontinued bundled support for SquirrelMail in 2018 due to slower feature updates compared to alternatives, the core project remains available via SourceForge and continues to receive community contributions for bug fixes and enhancements.[5]Overview
Description
SquirrelMail is a free, open-source, standards-based webmail package written primarily in PHP, functioning as both an email client and an optional IMAP proxy server.[6][7] It is licensed under the GNU General Public License version 2.0 or later (GPL-2.0-or-later), allowing unrestricted use, modification, and distribution.[1] The core purpose of SquirrelMail is to enable users to access and manage email accounts through a web interface without requiring JavaScript or dynamic HTML support in browsers.[6] It retrieves messages using the IMAP protocol and sends them via SMTP, ensuring compatibility across a wide range of devices and browsers.[6] In its basic operational model, SquirrelMail renders all pages in pure HTML 4.0 for maximum compatibility, while providing strong MIME support for handling attachments, maintaining address books, and manipulating email folders.[6] The name SquirrelMail originated in 1999 from observations of squirrels in Georgia by its founders, Luke and Nathan Ehresman, who were inspired by the animals' agility during a local volleyball game.[8]Key Features
SquirrelMail provides built-in pure PHP implementations for the IMAP and SMTP protocols, allowing users to retrieve and send emails securely without requiring external libraries or binaries.[6] This design ensures compatibility across various server environments and supports secure connections via optional SSL/TLS encryption for both IMAP retrieval and SMTP submission.[9] The client offers strong MIME compliance, enabling robust handling of attachments and multi-part messages, including the ability to attach multiple files during composition and view them in received emails using standard formats like JPEG or CSV.[10] Users can compose messages with features such as priority settings and read receipt requests, while attachments are encoded in industry-standard MIME to maintain compatibility with diverse email clients.[10] An integrated address book allows storing, editing, and searching personal contacts, with support for both individual user entries and shared address books across multiple users.[11] Folder manipulation tools enable creating, deleting, renaming, subscribing to, and unsubscribing from IMAP mailboxes, facilitating organized email storage with special folders like Trash, Drafts, and Sent.[11] Search functionality permits querying messages across folders using criteria such as keywords, sender, or date ranges, helping users locate specific emails efficiently.[6] Basic security measures include session-based authentication and management to protect user sessions during web access.[6] All interfaces render in pure HTML 4.0 without JavaScript dependencies, promoting accessibility on low-resource devices and legacy browsers.[6]History
Origins and Early Development
SquirrelMail was founded in 1999 by brothers Luke and Nathan Ehresman as an open-source project aimed at providing a simple webmail client. The initiative stemmed from the scarcity of accessible, standards-compliant webmail solutions at the time, particularly those that were easy to install and required minimal server resources. The brothers targeted a niche audience—estimated at about 5% of webmail users—who needed a lightweight option without dependencies on JavaScript or dynamic HTML, emphasizing ease of deployment on basic PHP-enabled servers.[8] The project's name originated from an observation of Georgia's abundant squirrels during the founders' time there; specifically, it was inspired by witnessing a squirrel's unsuccessful attempt to leap 40 feet during a volleyball game, symbolizing agility and resilience in software design. Early development prioritized simplicity and adherence to web standards, with the initial focus on core email functionality using PHP for IMAP and SMTP protocol support. The first public release, version 0.1, occurred on December 14, 1999, marking the project's debut as a functional prototype.[8] Key early contributions came from Paul Joseph Thompson, who provided initial code enhancements and helped shape the project's direction through discussions on its potential as a primary email client. To facilitate open-source collaboration, the project was hosted on SourceForge from the outset, enabling community involvement in its nascent stages. This setup laid the groundwork for SquirrelMail's growth while maintaining its commitment to minimalism and accessibility.[8][12]Release Milestones and Evolution
SquirrelMail achieved its initial stable release with version 1.0 on January 30, 2001, providing core email capabilities such as MIME support for attachments, folder manipulation, and direct IMAP protocol integration without reliance on external libraries.[13] The 1.2 series followed closely, with version 1.2.0 released on December 25, 2001, introducing significant user interface enhancements including collapsible folder trees, a paginator for navigating message lists, draft message storage, and support for multiple sender identities to streamline composition workflows.[13] Version 1.4.0 marked a pivotal advancement on April 3, 2003, delivering major stability improvements like CRAM-MD5 and DIGEST-MD5 authentication mechanisms, TLS encryption for secure connections, and resolutions for persistent issues in attachment handling and folder synchronization.[13] The series culminated in the final official stable release, 1.4.22, on July 12, 2011, which concentrated on critical bug fixes and security patches while introducing no new functionalities. Early feature evolution in the 2000s emphasized usability, with address books added to facilitate contact management and advanced search options enabling filtered queries across folders, dates, and content—capabilities that became standard by the 1.2 and 1.4 releases.[10] Around 2003, spell-checking integration via core plugins, leveraging tools like Aspell, was incorporated to assist users in composing error-free messages directly within the interface.[14] The IMAP proxy, a lightweight C-based server for load balancing and connection caching to optimize performance in high-traffic environments, originated as a separate project in 2002 developed by Dave McMurtrie at the University of Pittsburgh under the name "up-imapproxy."[15] It was officially adopted into the SquirrelMail ecosystem in 2010, enhancing scalability for deployments serving multiple users.[16] Post-2011, official releases ceased, transitioning to Subversion (SVN) maintenance branches like 1.4.23-svn, where community contributions added compatibility patches for PHP 7 and subsequent versions up to 8.1, addressing deprecations and ensuring continued viability on modern web servers. This period reflected a developmental slowdown attributable to maintainer availability constraints, sustained primarily through volunteer-driven security updates and compatibility fixes rather than expansive feature development.[17]Technical Specifications
System Requirements and Platforms
SquirrelMail requires a web server with PHP support, specifically version 4.1.0 or higher for legacy releases, with the stable 1.4.22 supporting up to PHP 5.4; nightly snapshots (1.4.23-svn) and community patches extend compatibility to PHP 8.1 as of November 2025.[18][19][2] As of November 2025, daily SVN snapshots for the stable (1.4.23-svn) and development (1.5.2-svn) branches ensure compatibility with PHP 8.x and incorporate recent fixes.[3] An IMAP server is essential for email access, with compatible options including Dovecot, Cyrus IMAP, and UW-IMAP, all supporting IMAP4rev1 protocol.[18][19] SMTP support is handled natively via PHP, but an SMTP server must be configured separately for outgoing mail.[18] Optional databases such as MySQL or PostgreSQL can be used for storing user preferences and address books, though core functionality relies on file-based storage without requiring a database.[20][21] SquirrelMail operates on various platforms, including Linux distributions like Ubuntu and Red Hat, FreeBSD, macOS via MacPorts or built-in server stacks, and Windows through environments like XAMPP or IIS.[18][22] For scalability, it supports installations with thousands of users, handling hundreds of concurrent connections effectively on servers with at least 1 GB of RAM for large deployments, emphasizing low resource demands suitable for basic Apache or Nginx setups.[19][23] Installation involves unpacking the package into a web-accessible directory and running the configuration script, such as config/conf.pl or setup.php, to specify IMAP and SMTP server details.[18] It maintains broad compatibility by rendering pages in pure HTML 4.0 without JavaScript, supporting legacy browsers, and requires web server SSL modules like mod_ssl for Apache to enable encrypted connections.[19][9][24]Architecture and Protocol Support
SquirrelMail employs a modular codebase written entirely in PHP, designed for scalability and ease of maintenance. This architecture separates the user interface, which renders in pure HTML 4.0 without requiring JavaScript, from the core logic and data access layers, allowing independent development and updates to each component.[6][19] The software provides native support for key email protocols through its pure PHP implementations. It functions as an IMAP4rev1 client, enabling access to mail folders and retrieval of messages from IMAP servers, while using SMTP for outgoing mail transmission. Optional POP3 support is available via configuration for authentication purposes, such as POP before SMTP, though full POP3 client functionality requires plugins.[25][19][25] A key component is the accompanying IMAP Proxy, a C-language server developed specifically for SquirrelMail. This proxy acts as an intermediary, caching persistent IMAP connections to minimize the overhead of repeated logins and enabling load balancing across multiple IMAP backends, which significantly reduces load on the email servers during high-traffic scenarios.[16] Data handling in SquirrelMail relies on its self-contained pure PHP IMAP library, eschewing external dependencies to ensure broad compatibility. State management occurs via PHP sessions, which can operate without cookies by appending session IDs to URLs if cookie support is disabled in the browser or server configuration.[19][6][26] For security, SquirrelMail incorporates built-in input sanitization using the htmlfilter library to strip potentially malicious HTML elements from user inputs and email content, mitigating risks like cross-site scripting. It supports STARTTLS encryption for both IMAP and SMTP connections, requiring PHP 5.1.0 or later, to secure data in transit. Additionally, the proxy mode enhances isolation by allowing the web server to communicate solely with the proxy, preventing direct exposure to the backend IMAP infrastructure.[27][27][25]Extensibility
Plugins System
SquirrelMail employs a hook-based plugin framework that enables developers to extend its core functionality by injecting custom PHP code at predefined points without modifying the main codebase. This system utilizes functions such asdo_hook() to execute plugin code during specific events in the application's flow, allowing modifications to elements like the login process or message composition form. Plugins are registered by adding their names to the $plugins array in the config/config.php file, which activates them upon configuration.[28][29]
The framework supports code injection at numerous points, including hooks such as login_cookie for login-related actions and compose_form for altering the email composition interface. Compatibility with SquirrelMail versions is ensured through version-checking mechanisms in plugin setup files, preventing activation of incompatible add-ons. All plugins must be written in PHP to integrate seamlessly with the webmail client's architecture.[28][29]
Among the plugins distributed with SquirrelMail are several core ones that provide essential extensions, such as SquirrelSpell, which integrates spell-checking capabilities using Aspell or PSpell libraries to review outgoing messages. The Delete Move Next plugin adds navigation links in message views for quick actions like "Delete & Next," streamlining folder management and was incorporated into the core starting with version 1.2. Check Quota displays users' mailbox storage usage in a graphical format, supporting IMAP quotas, filesystem checks, and cPanel integrations to help monitor limits.[30][31][32]
Over 200 third-party plugins are available, categorized by function on the official SquirrelMail plugins directory, including tools for spam filtering like SpamCop, which adds a "Report as Spam" link to message views for submitting suspicious emails to abuse authorities. Address book enhancements include the CardDAV plugin, enabling synchronization with CardDAV servers for external contact management. User interface improvements are offered by plugins such as sent_subfolders, which allows saving sent messages to custom subfolders.[33][34][35]
Installation of plugins involves downloading the package and extracting it to the plugins/ directory within the SquirrelMail installation path, followed by activation using the configuration script conf.pl (option 8) or manual editing of config.php to include the plugin name in the $plugins array. After enabling, the system generates or updates config/plugin_hooks.php to register the hook functions, and administrators should test for conflicts by enabling one at a time.[29]
Representative examples of specialized third-party plugins include the List Commands plugin, which parses mailing list headers compliant with RFC 2369 to display options like subscribe, unsubscribe, or access archives directly from message views. For security awareness, plugins in the filters and spam category, such as SpamCop, aid in identifying and reporting phishing attempts by facilitating quick reports of malicious emails.[36][37]
Plugins are inherently limited to PHP implementations due to SquirrelMail's language requirements, restricting integration with non-PHP components without additional wrappers. Following the project's last official release in 2011, while no new official releases have been made, community-driven development and distribution continue via SourceForge mailing lists and the plugins directory, with activity including discussions and updates as recent as November 2025.[29][38]
Customization and Integration
SquirrelMail offers robust configuration tools to tailor its functionality without relying on plugins. The setup.php script serves as the primary web-based interface for initial and ongoing adjustments, enabling administrators to configure themes, domain-specific settings such as organization preferences and server parameters, and plugin activation. This interactive tool guides users through menus for options like folder defaults and general display settings, ensuring a streamlined setup process. For more granular control, the config.php file allows manual editing of advanced parameters, including theme selections, character encodings, and IMAP/SMTP server details, providing flexibility for server-specific tweaks.[18][25] The theme system enhances user interface customization by supporting 39 predefined themes, each defined as a PHP file specifying 17 or more color values for elements like backgrounds, text, and links. Themes can be selected individually by users via display preferences or enforced globally through administrative configuration in setup.php or config.php, allowing organizations to maintain a consistent branding while permitting personal adjustments. Custom themes are easily created by adding new files to the themes directory, promoting adaptability across diverse deployments.[29][39] Integration with external systems is facilitated through core configuration options, supporting LDAP and Active Directory for authentication by leveraging IMAP server backends or dedicated plugins that retrieve user credentials and data from these directories. For shared address books, SquirrelMail accommodates database backends such as MySQL and PostgreSQL, where administrators can create dedicated tables via SQL commands to store contacts centrally, configurable in config.php for multi-user environments. These integrations enable seamless synchronization with enterprise directories and databases, reducing administrative overhead.[40][25][41] API hooks provide a framework for external applications to interact with SquirrelMail, primarily through its plugin architecture that exposes functions for extending core behavior, while embedding is commonly achieved via iframe inclusion in web portals for integrated access. Prior to 2019, SquirrelMail maintained native compatibility with cPanel and WHM, allowing direct integration into hosting control panels for user management and webmail access. Advanced customizations include server-side includes (SSI) in Apache configurations to inject branding elements like logos or headers into pages, and proxy mode, where SquirrelMail acts as an IMAP proxy to cache connections and integrate with load balancers for improved scalability in high-traffic setups.[28][7] To ensure reliability, best practices emphasize minimal customization to preserve security and performance; administrators should prioritize official themes and configurations, apply the built-in HTML filter for input sanitization, and utilize IMAP proxies to reduce server load, avoiding excessive modifications that could introduce vulnerabilities or degrade responsiveness. Regular testing via configtest.php after changes helps verify integrity.[9][7]Internationalization
Language and Locale Support
SquirrelMail offers extensive multilingual capabilities through its internationalization framework, which relies on the gettext system to manage translations in 57 supported languages, including major European languages like German and French, Asian languages such as Japanese and Chinese, and African and Middle Eastern languages like Arabic.[42] These translations are stored in locale-specific directories and utilize .po files for handling strings, ensuring the core codebase remains neutral to facilitate seamless language switching without altering functionality.[42] Users can select their preferred language at login or via configuration settings, with the system defaulting to English (US) if the chosen locale is unavailable.[42] The framework also supports plural forms through ngettext, allowing contextually appropriate translations for varying quantities.[42] Locale handling in SquirrelMail defaults to UTF-8 encoding for modern compatibility, with fallbacks to ISO-8859 standards for legacy systems, and includes dedicated support for right-to-left (RTL) scripts in languages like Arabic (windows-1256 charset) and Hebrew.[42] This is implemented via language descriptors in the$languages array, which specify directionality (e.g., 'rtl') alongside charsets and aliases, enabling proper text rendering and layout adjustments.[42] For message processing, SquirrelMail employs MIME charset detection to identify and decode incoming content, supporting encodings such as quoted-printable, base64, and various charsets including big5, euc-kr, and gb2312 for Asian languages.[43] Conversion tools in the encode directory further assist by transforming legacy encodings to the interface's active charset during replies or forwards, ensuring readability across diverse email sources.[44]
The translation process is community-driven, with contributors submitting updates via the squirrelmail-i18n mailing list and SourceForge project repository, where packages are validated using tools like msgfmt to confirm over 50% string coverage for official support status.[45] Full translations are available for core European, Asian, and select African languages, while partial support exists for dialects and variants, such as Bangladeshi Bengali (bn_BD) versus Indian Bengali (bn_IN), both using UTF-8.[42] Locale packs are distributed separately from the main release since version 1.4.4, with the last major translation updates integrated prior to the 2011 discontinuation of active development; no further updates to translations have occurred as of 2025.[45][46]