Dovecot pentest report

Blake Hudson blake at ispn.net
Thu Jan 26 09:24:11 EST 2017


Niels Dettenbach wrote on 1/25/2017 4:43 AM:
> Am Dienstag, 24. Januar 2017, 09:10:42 CET schrieb Blake Hudson via Info-
> cyrus:
>> As a security conscious server admin, I am curious whether similar
>> audits been performed against Cyrus or are future audits on the road map?
> Hi Blake,
>
> from my view  (i'm not part of the cyrus team, but long time user) - the (much
> younger then Cyrus). The Dovecot project seems much more "marketing" /
> "publissity driven" approach to make their software known in the public and it
> seems they "know" how to optimize their awareness  especially within the
> press.
>
> They was the first email infrastructure open source project in my mind which
> used press and marketing strategies very consequently. If this leads to a
> better software - who knows's?
>
> By "tradition",  cyrus did not does a lot of marketing. my view is: they "just
> delivered really best quality software" which stand's for it's own. A
> "strategy" which was typical for most of the "real" quasi-standard open source
> software projects within the internet.
>
> How far such a "pentest" ist really a way to significantly proove or rise the
> "security" of such a open and still well known and widely professionally used
> / adapted software like cyrus depends hardly from facts behind. There are
> large companies which use cyrus for millions of users with geeks adapting the
> cyrus code for their own needs - and a part of this is coming back into the
> project. Dovecot - for me - seem's more to target "end users" or "smaller"
> companies which look for a "integrated, easy to install" product without much
> interest into the sources.
>
> Many software builders used such "tests" in the past to "push" the publissity
> of their product, while the real security questions wasnt answered by  that
> test.
>
> afaik, cyrus was still often part of code or pentest based security analysis
> from many different parties in the past >20 years - but if it help's someone
> and the costs for such a tests are covered by "someone" - why not?
>
> However:
> Afaik, cyrus was still often part of code or pentest based security analysis
> from many different parties in the past >20 years - but if there are new tests
> available which really could bring significant higher trust into the code /
> project, it help's someone and the costs for such a tests are covered by
> "someone" - why not?
>
> many thanks and best regards,
>
>
> niels.


Thanks for your thoughts Niels. While some might see this as advertising 
on the part of Dovecot (and why shouldn't they advertise favorable 
news?), I simply see it as peer review to provide a better product. I am 
not planning on switching away from Cyrus because of the success of 
another project, but I believe that all projects have room for 
improvement and that Cyrus IMAP users probably share the desire for 
Cyrus to be as successful as possible. Sometimes review by an outside 
source can be illuminating; If resources are available from those like 
Mozilla to perform reviews, I think the Cyrus IMAP project should try to 
take advantage of these opportunities.


More information about the Info-cyrus mailing list