![[TRex documentation]](../media/logo.gif){kind=logo}
|
|
TRex version 2.1.2User's Guide |
All information sent to or by TRex can be seen by anyone who cares enough to look really hard. There is no encryption done by this program when sending or receiving information, including any passwords sent to the server (more security fetures will be added as this program evolves). Passwords are never sent in the html, so it is very hard to accidentally save a page with a password in it.
The user's TRex password is stored encrypted on the server in the user's pass file This is a very minor security precaution, since if someone can read the pass file, they can surely read any email stored in that directory as well. However, if the user directories are only readable and writable by the user name that the web server runs on, no one but the web server should be able to read the user's pass file, or any of the user's info. The user directories should also not be web accessible.
Each time a user logs in, a session ID is created and is stored in the user's sessID file. A new login will overwrite the old sessID file and the old ID will not work. The sessID file is removed on a logout. Every script that accesses a user's area first checks that a proper user name and session ID is given. This info is passed from script to script through forms. Each time the session ID is checked, a time check is done to see if the session is longer than the $time_til_expire variable specified in Common.pm. If the session has lasted longer than the number of seconds specified, the session ID will not work.
The user_info.db file stores all user inputted information except for user name and password. This includes pop server and password information. This information can be misused and should be protected from prying eyes.
User names and passwords are limited to certain characters but most other stuff is pretty liberal. We're really not sure what sort of input would screw up the server, but who knows. I think that server side includes are not generally run for script generated html, which, if true, should greatly limit the damage users can do.
Protecting from unwanted users: If you do not want anyone to
be able to open an account without permission, there are two options.
What we did is to put the new_acocunt.cgi script in a new directory which
is password protected. The login.cgi script needs to point to this new
directory. Directories can be made password protected by placing
a .htaccess in the directory. New users will need to know the directory
password to open a account. Once a user has the password, they can set
up as many accounts as they wish.
The other option, which is more secure than the first, is to manually
run new_account.cgi for each new user. This gives the site operator total
control over new account.
Documentation Directory : Inside it there's all the documentation
provided with TRex in a few languages (only english and spanish at this time). By the
way, you already have found it if you are reading this !!
You must copy the whole directory to the corresponding one that point where indicated
by the $man_URL variable inside Common.pm file (if $man_URL points to the URL
http://localhost/htdocs/TRex/man, then locate the directory that corresponds to it)
Image Directory : All language dependent images are here. Copy (or move) the whole directory to the corresponding one that points where indicated by the $img_URL variable inside Common.pm file.
Program Directory : Used to hold all perl programs. Any
file ending in cgi or pm need to be placed in here. This directory
needs web access and needs to be executable through the web. Depending
on your setup, you may need to place it under your cgi-bin directory.
You must copy the whole directory to the corresponding one that point where indicated
by the $dir_URL variable inside Common.pm file
Libraries directory : Inside your program directory there is a lib one that holds all the perl modules (pm files) that conform the TRex programming class. Make an 'TRex' directory in your site_perl directory inside the perl distribution (usually inside /usr/lib/perl5 or c:\perl\lib) and copy (or move) to it all the files inside the lib directory.
Mail Users Directory : Used to hold all users data THERE SHOULD BE NO WEB ACCESS TO THESE DIRECTORIES OR ANYONE CAN LOOK AT ANYONE'S MAIL. The only files you need in this directory is folders.start and 999999. Each user gets one directory with same name as the user name under this directory. The structure necessary for a new user is created in the new user process.
See detailed directory structure and file descriptions for more information.
Skins Directory : All images that conform the TRex skin are here. You can create new skins by generating new directories inside this one, with the name of your new skin, and generating 24x24 pixels images to for the skin. Copy (or move) the whole directory to the corresponding one that points where indicated by the $skin_URL variable inside Common.pm file.
o File location
Common.pm makes mention of the user directory and URLs for the
program directory and the image directory. The user directory variable
should be a file path on your system, but the references to the URLs should
be in form of "http://your.domain/directory". Change the two URLs and one
directory to the ones used on your system.
the following variables in Common.pm need to be set for your
environment :
$dir_URL --- set to the url that the perl code is in (program directory in the distribution)
$db_path --- set to the directory path that the user files are in
$img_URL --- set to the url that the images are in (images directory in the distribution)
$man_URL --- set to the manual pages location, that must be web accessed (doc directory in the distribution)
$skin_URL --- set to the skin images location that must be web accessed (skins directory in the distribution)
$skin --- set to the skin to be used (this is one directory name of those in $skin_URL)
$lang --- Language preferred (at this time only English and Spanish are supported)
@reserved_files --- A list of filenames no to be shown when displaying the file list in the upload area. Actually its components are '.' and '..', but if you are using a platform that uses other ones (such as MacOS do it) the you should change it.
o Session time out
The number of seconds until a session expires can be set with the $time_til_expire
variable. I have mine set to a high number, so I never really time out.
o Server time
$time_off_from_NY should be set to the number of seconds behind New
York time that the server running this script is on. Each user can
then set their local time in the user_info section. Currently, this
program can only handle those users in the continental US, who observe
daylight savings time. It would be a fairly trivial matter to adjust
the program to fit more areas (is what we're trying to do !!).
Note for international users: This program was written mainly for people in the continental US. For this reason, users are asked to enter their time zone, but are only given 4 choices. To workaround this, set $time_off_from_NY to 0 and set the user to Eastern Time. Then the user will be on the same time as the server.
Once the user has an account, the user can login in through the login
page. Once in the webmail program, the user should add server and
other information which will be used to receive and send mail. This
info added by clicking on the user_info button at the top of the screen.
If everything is working properly the user should be able to access mail.
The default TRex configuration reads the logging configuration file as indicated by the $logConfigFile scalar variable in each configuration script (default value /etc/TRex/log4perl.conf), which in turns reads the shipped (default) log config file:
log4perl.rootLogger=INFO, ErrorLog, AccessLog, DebugLog log4perl.TRex.Storage.EMail�=DEBUG, ErrorLog, AccessLog, DebugLog log4perl.appender.DebugLog=Log::Dispatch::File log4perl.appender.DebugLog.filename=/var/log/TRex/debug.log log4perl.appender.DebugLog.mode=append log4perl.appender.DebugLog.min_level=debug log4perl.appender.DebugLog.max_level=debug log4perl.appender.DebugLog.layout=PatternLayout log4perl.appender.DebugLog.layout.ConversionPattern=[%d] %L %c - %m (%M)%n log4perl.appender.AccessLog=Log::Dispatch::File log4perl.appender.AccessLog.filename=/var/log/TRex/access.log log4perl.appender.AccessLog.mode=append log4perl.appender.AccessLog.min_level=info log4perl.appender.AccessLog.max_level=notice log4perl.appender.AccessLog.layout=PatternLayout log4perl.appender.AccessLog.layout.ConversionPattern=[%d] %m (%M)%n log4perl.appender.ErrorLog=Log::Dispatch::File log4perl.appender.ErrorLog.filename=/var/log/TRex/error.log log4perl.appender.ErrorLog.mode=append log4perl.appender.ErrorLog.min_level=warning log4perl.appender.ErrorLog.layout=PatternLayout log4perl.appender.ErrorLog.layout.ConversionPattern=[%d] %m (%M)%nThis one divides the logging arena y three different logs :
Of course this default config file, and so the file locations and other
logging features, can be changed to fit into your installation.
Main Screen
Compose Message
Address Book
Folders
Personal Disk Space
Search Screen
This is the main amail screen.
The top tine is the table of contents, or TOC.cgi.
The orange box on the left, with the Go, Move, and Delete buttons is
the function.cgi script. The functions work on the window to the
right, if one or more messages are selected, or the message on the bottom
otherwise.
The large window immediately under the table of contents contains brief
information on all email messages in the folder being shown.
The bottom half of the window is used to read messages.
This is the screen used to compose
a message. Attachments are added using the form on the bottom.
The link to the address book allows users to insert email addresses from
their address book.
This is the address book. The
contacts are shown on the top, the groups on the bottom.
This is the folder information
for the user.
This screen shows the users files that have been uploaded
to the server.
|
|
TRex version 2.1.2User's Guide |
