Horde Webmail is a mature but older stack. Security relies heavily on PHP/session hardening, strict backend trust boundaries, and conservative access control around the web UI.
¶ 1) Harden PHP sessions and cookie policy
- Use secure cookies and disable URL-based session identifiers.
- Move session.save_path to a webserver-only directory, not the shared /tmp.
- Increase entropy source/length for session generation.
- Enable strict CSRF protections in web stack and keep session lifetime short.
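Added example, not code from the Horde project or its docs: a POSIX shell audit that checks a php.ini fragment against the cookie, save_path and lifetime items above. The directive names are real php.ini settings (session.cookie_samesite needs PHP 7.3+); the sample fragment, the ini_get/audit_sessions helpers and the 1800-second lifetime ceiling are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the Horde project): audit php.ini session directives
# against the section 1 policy. Input is php.ini-style "key = value" text.

# Constructed sample fragment; two settings are deliberately weak.
SAMPLE_INI='
session.use_only_cookies = 1
session.use_strict_mode = 0
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = Lax
session.save_path = /tmp
session.gc_maxlifetime = 1440
'

# ini_get <directive>: print the directive's value from ini text on stdin
# (quotes stripped, first match only); prints nothing when the key is absent.
ini_get() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\).*/\1/p" | head -n 1
}

# audit_sessions <ini-text>: print one FAIL line per weak setting and return
# the number of failures (0 means the fragment meets the policy).
audit_sessions() {
  ini=$1; fails=0
  # Cookie-only IDs, strict mode, Secure and HttpOnly cookies must all be on.
  for d in session.use_only_cookies session.use_strict_mode \
           session.cookie_secure session.cookie_httponly; do
    v=$(printf '%s\n' "$ini" | ini_get "$d")
    case "$v" in 1|On|on|true) ;; *) echo "FAIL $d=$v (expected 1)"; fails=$((fails+1));; esac
  done
  # SameSite limits cross-site cookie sends, complementing CSRF protections.
  v=$(printf '%s\n' "$ini" | ini_get session.cookie_samesite)
  case "$v" in Lax|Strict) ;; *) echo "FAIL session.cookie_samesite=$v"; fails=$((fails+1));; esac
  # Session files must not live in the shared /tmp; unset is treated as /tmp,
  # PHP's usual default on Linux.
  v=$(printf '%s\n' "$ini" | ini_get session.save_path)
  case "${v:-/tmp}" in /tmp|/tmp/*) echo "FAIL session.save_path=$v"; fails=$((fails+1));; esac
  # Short lifetime; the 1800 s ceiling is an assumed policy value, not a PHP default.
  v=$(printf '%s\n' "$ini" | ini_get session.gc_maxlifetime)
  [ -n "$v" ] && [ "$v" -le 1800 ] 2>/dev/null || { echo "FAIL session.gc_maxlifetime=$v"; fails=$((fails+1)); }
  return $fails
}

audit_sessions "$SAMPLE_INI"; echo "failures: $?"
```

Feed it the live configuration with `php --ini` to find the active php.ini, or adapt ini_get to the `key => value => value` lines that `php -i` prints.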
¶ 2) Backend trust boundaries
- Use local sockets/private interfaces for DB where possible.
- Keep IMAP/SMTP and DB services on private network paths.
- Enforce TLS for user-facing and backend transport.
- Store backend credentials in restricted config only.
¶ 3) Web and application hardening
- Enforce HTTPS + HSTS on the webmail hostname.
- Restrict admin/config interfaces by IP/VPN.
- Disable unused modules/apps in the Horde bundle.
- Keep file permissions strict for config and temp directories.
¶ 4) Patch and release management
- Track Horde release and security announcements.
- Patch the whole bundle consistently; avoid partial updates that leave components at mismatched versions.
- Run regression tests for login, compose, attachment upload, and calendar/contact access after updates.
¶ Verification commands
php -i | grep -E "session.save_path|session.entropy_length|session.entropy_file|session.sid_length|session.sid_bits_per_character|session.use_only_cookies|session.cookie_secure"
grep -R "cookie\|session\|auth\|imap\|smtp" /etc/horde /var/www/horde 2>/dev/null | head
sudo ss -tulpn | grep -E ':443|:993|:465|:587'
¶ References
- Horde Webmail installation docs: https://www.horde.org/apps/webmail/docs/INSTALL
- Horde wiki security measures: https://wiki.horde.org/SecurityMeasures
- Horde announce lists (security releases): https://lists.horde.org/archives/announce/