back to article Dovecot mailserver graded 'nearly impenetrable'

POP and IMAP mailserver suite Dovecot has passed an extensive audit by hackers, who were able to find only three minor vulnerabilities. Dovecot is especially popular with service providers, so the news that four Cure53 researchers have given it a "thoroughly all-encompassing" audit and found the software to have "excellent …

  1. bobajob12

    Props....now what about SMTP?

    Kudos to the developers of Dovecot.

    I wonder how the current breed of SMTP servers would hold up? Postfix, qmail and friends were built to overcome the woeful reputation of sendmail, but even they are 20+ years old now and the attacks are different from what we saw in the 1990s. How well do they stack up?

    1. DougS Silver badge

      Re: Props....now what about SMTP?

      When was the last time you heard about a sendmail exploit? If there are still exploits being found it, I guess it isn't news anymore because I haven't heard of any for many years.

      1. Anonymous Coward
        Anonymous Coward

        Re: Props....now what about SMTP?

        When was the last time you heard about a sendmail exploit? If there are still exploits being found it, I guess it isn't news anymore because I haven't heard of any for many years.

        I could be snide and suggest that that is because sendmail is less used than postfix et al :), but yes, in general SMTP breaches tend to come from misconfiguration and bad passwords rather than code problems. I've ran a test site for a bit and I'd say about 85% of fail2ban alerts came from attempts to abuse the SMTP daemon as a relay, either by just trying it or by attempting to authenticate to the service.

  2. Ian Michael Gumby Silver badge
    Thumb Up

    Cool!

    Total Thumbs up.

    Now lets see someone come up with a better GUI and front end for an open source mail/calendar/etc app to replace Exchange and other less secure systems.

    If only Hillary had a competent tech who set up dovecot and postfix instead of an unsecured exchange server! :-P

    (No, I still wouldn't vote for her. She's still as crooked as they come. )

    1. Lord Elpuss Silver badge

      Re: Cool!

      Sorry, you've been suckling at the Trump Teat of Misinformation(TM) for too long. Like or hate Hillary for her politics by all means, but she's not crooked. In fact she's the second most honest frontline politician in the last 10 years (source: Politifact).

      http://m.motherjones.com/kevin-drum/2016/08/hillary-clinton-one-americas-most-honest-politicians

      1. P. Lee Silver badge

        Re: Cool!

        >she's the second most honest frontline politician in the last 10 years

        There was no hint of any love for Trump either and well, you haven't set the bar very high...

        1. Lord Elpuss Silver badge

          @P. Lee Re: Cool!

          "There was no hint of any love for Trump either and well, you haven't set the bar very high..."

          Given that Trump has been the main instigator of the whole crooked Hillary movement, he's decidedly not deserving of any love. Plus he's named after a fart.

    2. foo_bar_baz

      Re: Cool!

      As it turns out, Dovecot is developed by original author's company, which in turn associated with (owned by?) Open-Xchange.

      1. Anonymous Coward
        Anonymous Coward

        Re: Cool!

        As it turns out, Dovecot is developed by original author's company, which in turn associated with (owned by?) Open-Xchange.

        That that shows you can do one thing well and still suck at doing something else.. There are quite a few systems out there, but Open-XChange is IMHO not exactly the best :(

  3. John Smith 19 Gold badge
    Unhappy

    Of course if this took off MS would fiddle with their API

    MS Know calendar and email are two key ways to bind a company to them.

    They will fight tooth and nail to stop it growing market share. Who cares if it's better or more secure, it's not Microsoft and (by their definition) "bad".

  4. Your alien overlord - fear me

    The program is secure but if the admins still fall for social engineering/phishing emails... Oops, there goes the security.

    It's that pesky human element again :-)

    1. Anonymous Coward
      Anonymous Coward

      Came to post the same thing.

      Admin credentials left in a open file share on the server, y'know, just in case someone forgets it.

  5. Spudley

    Dovecot mailserver graded 'nearly impenetrable'

    So I read the headline and thought "Is that from a security perspective, or just a description of its user interface and documentation?"

    1. Alister Silver badge

      Was going to post the same thing... It's not the most straightforward piece of software to configure...

      1. Korev Silver badge

        And as we've seen recently with MongoDB and Elasticsearch, if people don't know how to configure it properly, then it's wide open to attack.

  6. Anonymous Coward Silver badge
    Angel

    The obvious

    The server software may be secure, but if users choose piss-poor passwords then that means nothing.

    (as far as account access goes; privilege escalation is a different kettle of fish)

  7. Anonymous Coward
    Anonymous Coward

    Lack of understanding basic english

    Hailing something as "nearly impenetrable" has 2 major problems.

    Firstly labelling something in this way you paint a huge target for people to prove you wrong and attract all the wrong kinda attention which you never want from a security point of view.

    Secondly the phrase "nearly impenetrable" is complete bollocks, something is either impenetrable or it isn't. There's no nearly, almost or 90 %. It's like saying that as you have lived a reasonable period of time that you are almost immortal.

    Also I am sure that others will have had the same thought about a ship named "Titanic" which was hailed to be perfect and unsinkable. For any that don't know the history the said ship on it's maiden voyage fell flat on it's arse and to this day remains on it's arse at the bottom of the sea.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lack of understanding basic english

      There's nothing at all wrong with the phrase "nearly impenetrable". It's not saying it's impenetrable. It's saying it's close to being so. Far from being "complete bollocks", it's entirely self-explanatory what it means, and is easily understood.

      1. David Roberts Silver badge
        Joke

        Re: Lack of understanding basic english

        Neraly impenetrable?

        Reminds me of a girl I knew who was almost a virgin.

        One of the most unique things I've ever come across {cough}.

        .

        .

        .

        .

        Joking aside there is still contention over use of modifiers with absolute terms.

        "One of the nine most unique things" always jars.

        However "nearly dead from exhaustion" is common useage.

        Funny old language, English.

  8. nuxnix

    Easy to install, but email is hard nowadays

    Its easy to install. Download Server.app from the Mac OS App Store/ Doyble Click the installer.

    Installing it is just the start of a wonderful journey.

  9. nijam

    > "It is a clear and vocal recommendation of the Cure53 testers’ part to engage in security testing against the components of Dovecot that were not in the primary scope of this test,"

    I have no idea how to decode that.

  10. Walter Bishop Silver badge
    Terminator

    Format String Protection can be bypassed

    How would dovecot deal with Mr. null@noop.com

  11. David Roberts Silver badge
    Windows

    Mr. Picky says

    Mozilla Mozilla - so good they named it twice....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019