previously on this list Артур Истомин contributed:

> > > I think pop3 is dead but recently there was a mail in tech@
> > > stating Sunil Nimmagadda develops pop3 daemon closed to
> > > OpenBSD standards.
> >
> > That's a good point. I don't like leaving mails on the server for more than
> > a day or so, but I don't see why I can't emulate this behavior on IMAP. I had
> > originally chosen POP3 because OpenBSD came with it batteries-included.
> >
> > There's still some research I need to do on my own, but it does look like
> > dovecot fits the OpenBSD mentality of security first in development.
>
> dovecot has more vulns. than other open source imap implementations all
> together.
>
> Dovecot: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dovecot (31)
> Cyrus IMAP https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Cyrus-imap (3)
> etc..

I don't think that paints an accurate picture in this case. You will see more for Cyrus listed on osvdb.org than mitre, many of which, from a quick look, are more worrying than Dovecot's. I believe Dovecot is used by more people and so is more likely to have bugs found, and still offers $1000 for any root exploit.

Perhaps you know both better than me, as I know Dovecot quite well but not Cyrus, but from a quick look at the documentation and website, Cyrus seems to have far fewer pro-active security features that some of the vulnerabilities simply bypass.

Good to know it has competition though; I've only ever looked at Cyrus-sasl.

-- 
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
_______________________________________________________________________