SquirrelMail
Open-source webmail application written in PHP
From Wikipedia, the free encyclopedia
SquirrelMail is an open-source webmail application written in PHP. It provides a web-based interface for accessing email via the IMAP protocol and sends messages through SMTP. The project also includes a separate IMAP proxy server written in C. Both components are released under the GNU General Public License version 2 or later.[1]
| SquirrelMail | |
|---|---|
| Original authors | Nathan and Luke Ehresman[1] |
| Developer | The SquirrelMail Project Team |
| Initial release | 1999 |
| Stable release | 1.4.22 (12 July 2011) |
| Written in | PHP, C[1] |
| Platform | Web platform |
| Available in | 56 languages[2] |
| List of languages | Arabic, Bahasa Indonesia, Bahasa Melayu, Bangladeshi Bengali, Basque, Brazilian Portuguese, British, Bulgarian, Catalan, Chinese Simplified, Chinese Traditional, Croatian, Czech, Danish, Dutch, Estonian, Faroese, Finnish, French, Frisian, Georgian, German, Greek, Hebrew, Hungarian, Icelandic, Indian Bengali, Italian, Japanese, Khmer, Korean, Latvian, Lithuanian, Macedonian, Norwegian Bokmål, Norwegian Nynorsk, Persian, Polish, Portuguese, Romanian, Russian, Russian Ukrainian, Serbian, Sinhala, Slovak, Slovenian, Spanish, Swedish, Tagalog, Tamil, Thai, Turkish, Uighur, Ukrainian, Vietnamese, Welsh |
| Type | Webmail |
| License | GPL-2.0-or-later |
| Website | www |
| Repository | https://sourceforge.net/projects/squirrelmail/ |
The last numbered stable release was version 1.4.22 in July 2011.[3] Since then, the project has continued through SVN snapshots; the current stable branch (1.4.23-svn) is tested with PHP up to version 8.1. SquirrelMail was once widely deployed and included in the repositories of major Linux distributions,[4][5] but its use has declined since the mid-2010s as hosting providers replaced it with Roundcube and other alternatives.
History
Nathan and Luke Ehresman started SquirrelMail in 1999.[1] The application runs on a LAMP stack or any other platform supporting PHP, and requires access to an IMAP server for mail storage and an SMTP server for sending.[6]
The webmail interface renders HTML 4.0, which made it compatible with a wide range of browsers at the time of its initial release.[6] A plugin architecture allows additional features to be added to the core application, and over 200 plugins were available from the project website.[7]
Apple shipped SquirrelMail as the default webmail application in Mac OS X Server.[8] The software was included in repositories for Fedora,[9] openSUSE,[10] Debian,[11] CentOS,[12] Ubuntu, Gentoo,[13] and FreeBSD.[14]
IMAP proxy
The IMAP proxy component was created in 2002 by Dave McMurtrie at the University of Pittsburgh, where it was called "up-imapproxy".[15] The SquirrelMail team adopted it in 2010. Written in C, the proxy maintains persistent connections to the IMAP server, avoiding the overhead of a new IMAP login on each HTTP request. It compiles on most Unix variants but does not run natively on Microsoft Windows outside of Cygwin or a similar environment.
Decline
The last numbered release, version 1.4.22, was published on 12 July 2011.[3] Subsequent maintenance has been distributed only as SVN snapshots. cPanel removed SquirrelMail in version 78 (2018), replacing it with Roundcube as its default webmail client. Other hosting control panels followed: DirectAdmin disabled SquirrelMail by default for new installations.[16] The SourceForge project page still receives several hundred downloads per week as of 2026.[17]
Security
2007 supply-chain compromise
In December 2007, an attacker gained access to the SquirrelMail file release system on SourceForge through a compromised developer account and replaced the version 1.4.11 and 1.4.12 tarballs with modified copies containing a backdoor allowing remote code execution.[18] Users noticed that the published MD5 checksums did not match the downloaded files. The project initially downplayed the issue, but security researcher Uwe Schindler demonstrated that the modifications opened a full remote code execution path.[18][19] The project released version 1.4.13 as a clean replacement. The source code repository itself was not affected. The incident was assigned CVE-2007-6348.[20]
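The check that exposed the swapped tarballs, comparing each download against a separately published digest list, can be sketched as follows. This is an added example, not SquirrelMail project code; the file names, contents and manifest are constructed, and SHA-256 is used in place of the MD5 sums of 2007.

```python
import hashlib
import hmac
import io

def parse_manifest(text):
    """Parse md5sum/sha256sum-style lines: '<hex digest>  <file name>'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        # A leading '*' marks binary mode in the coreutils format.
        expected[name.strip().lstrip("*")] = digest.lower()
    return expected

def hex_digest(stream, algorithm="sha256"):
    """Hash a binary stream in chunks so a large tarball never sits in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_release(manifest_text, open_artifact, algorithm="sha256"):
    """Return {file name: 'OK' | 'MISMATCH' | 'MISSING'} for each manifest entry."""
    report = {}
    for name, expected in parse_manifest(manifest_text).items():
        try:
            stream = open_artifact(name)
        except FileNotFoundError:
            report[name] = "MISSING"
            continue
        with stream:
            actual = hex_digest(stream, algorithm)
        report[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return report

# Constructed sample data: two stand-in "tarballs" and the manifest that would
# have been generated from the clean copies.
CLEAN = {"webmail-a.tar.gz": b"clean build A", "webmail-b.tar.gz": b"clean build B"}
MANIFEST = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {n}" for n, d in CLEAN.items())
# The download location serves a modified copy of one file.
MIRROR = dict(CLEAN, **{"webmail-b.tar.gz": b"clean build B" + b"<added code>"})

def open_from_mirror(name):
    if name not in MIRROR:
        raise FileNotFoundError(name)
    return io.BytesIO(MIRROR[name])

if __name__ == "__main__":
    print(verify_release(MANIFEST, open_from_mirror))
```

The comparison only means something when the manifest is obtained through a channel other than the one serving the files; a digest list stored beside a replaced tarball can be replaced with it.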
Other vulnerabilities
In 2017, a remote code execution vulnerability (CVE-2017-7692) was disclosed in SquirrelMail's handling of the Sendmail command-line interface. An authenticated user could inject commands through the Return-Path header by using a tab character, allowing arbitrary command execution on the server.[21] In 2025, a cross-site scripting vulnerability (CVE-2025-30090) was found in the MIME handling code, affecting versions through 1.4.23-svn.[22]
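The class of bug behind the 2017 issue, a sender address pasted into a command line where whitespace such as a tab starts a new argument, is shown below beside a hardened form. This is an added Python illustration, not SquirrelMail's PHP code; the sendmail path, the `-i -t -f` arguments and both sample addresses are assumptions made for the example.

```python
import re
import shlex

SENDMAIL_PATH = "/usr/sbin/sendmail"  # assumed path; varies by system

# Allow-list for an envelope sender: RFC 5322 "atext" characters and dots in
# the local part, a plain host name after "@". No whitespace, no controls.
ENVELOPE_SENDER = re.compile(
    r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+"
    r"@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"
)

def naive_command_line(envelope_from):
    """Failure mode: the address is pasted into a string that is split later."""
    return f"{SENDMAIL_PATH} -i -t -f{envelope_from}"

def argument_count(command_line):
    """Count the words a shell-style splitter sees (space, tab and newline split)."""
    return len(shlex.split(command_line))

def build_sendmail_argv(envelope_from):
    """Hardened form: validate first, then keep the address in one argv slot."""
    if not ENVELOPE_SENDER.fullmatch(envelope_from):
        raise ValueError(f"rejected envelope sender: {envelope_from!r}")
    # A list handed to subprocess.run(argv) with the default shell=False is
    # passed to the program as-is and is never re-split on whitespace.
    return [SENDMAIL_PATH, "-i", "-t", f"-f{envelope_from}"]

# Constructed sample inputs.
GOOD = "alice@example.org"
TABBED = "alice@example.org\tEXTRA-WORD"

if __name__ == "__main__":
    print(argument_count(naive_command_line(GOOD)))    # one -f argument
    print(argument_count(naive_command_line(TABBED)))  # the tab adds an argument
    print(build_sendmail_argv(GOOD))
    try:
        build_sendmail_argv(TABBED)
    except ValueError as exc:
        print(exc)
```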
Plugins
Internationalization
SquirrelMail has been translated into over 50 languages including Arabic, Chinese, French, German, and Spanish.[2]
Deployments
In March 2009, the Prime Minister's Office of India replaced Outlook Express with SquirrelMail after a virus caused a three-month email outage.[23][24] During the outage, messages from citizens went unanswered, and the PMO admitted in a hearing of the Central Information Commission that many emails had not been received.[24]
In 2004, HEC Montréal deployed SquirrelMail as part of its webmail infrastructure, supporting thousands of users.[25]