Webmail is no more insecure when users log in through the web than is email for most users who log in insecurely through POP or IMAP, and there's no way to stop them from doing that.
That said...
I've always supported DA's use of separate directory structures for secure and insecure site pages for just this reason.
Unfortunately the separation is not available by default at the "root" html level of /var/www/html, which is where the squirrelmail and webmail aliases need to reside to be available to all users.
That can be fixed, however, with a quick change to the main httpd.conf file.
Your users who own their own secure cert will be able to have their customers log in to:
https://www.example.com/squirrelmail/
or
https://www.example.com/webmail/
and their certificate will work to secure the session.
But what about your users who don't have their own cert?
They'll end up using the server cert; the same one that's used for logins.
Which will give them browser name mismatch errors and/or browser untrusted cert errors.
If you're willing to deal with the support issues that brings, go for it.
Jeff