Dovecot pentest report

Niels Dettenbach nd at syndicat.com
Wed Jan 25 05:43:32 EST 2017


On Tuesday, 24 January 2017, 09:10:42 CET, Blake Hudson via Info-cyrus wrote:
> As a security conscious server admin, I am curious whether similar
> audits have been performed against Cyrus or are future audits on the road map?

Hi Blake,

From my view (I'm not part of the Cyrus team, but a long-time user), the 
Dovecot project (much younger than Cyrus) seems to take a much more 
"marketing" / "publicity-driven" approach to making their software known to 
the public, and it seems they "know" how to optimize their awareness, 
especially within the press.

They were, in my mind, the first open source email infrastructure project to 
use press and marketing strategies very consistently. Whether this leads to 
better software - who knows?

By "tradition", Cyrus did not do a lot of marketing. My view is: they "just 
delivered really best-quality software" which stands on its own. A "strategy" 
which was typical for most of the "real" quasi-standard open source software 
projects on the internet.

How far such a "pentest" is really a way to significantly prove or raise the 
"security" of such an open, still well-known and widely professionally used / 
adapted software like Cyrus depends heavily on the facts behind it. There are 
large companies which use Cyrus for millions of users, with geeks adapting the 
Cyrus code for their own needs - and a part of this comes back into the 
project. Dovecot - for me - seems more to target "end users" or "smaller" 
companies which look for an "integrated, easy to install" product without much 
interest in the sources.

Many software builders used such "tests" in the past to "push" the publicity 
of their product, while the real security questions weren't answered by that 
test.

However:
AFAIK, Cyrus was still often part of code- or pentest-based security analysis 
by many different parties in the past >20 years - but if there are new tests 
available which really could bring significantly higher trust in the code / 
project, if it helps someone, and if the costs for such tests are covered by 
"someone" - why not?

many thanks and best regards,


niels.
-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 http://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---