Re: Dovecot pentest report
Niels Dettenbach wrote on 1/25/2017 4:43 AM:
> On Tuesday, 24 January 2017, 09:10:42 CET, Blake Hudson via Info-cyrus wrote:
> > As a security conscious server admin, I am curious whether similar
> > audits have been performed against Cyrus or are future audits on the road map?
>
> Hi Blake,
>
> from my view (I'm not part of the Cyrus team, but a long-time user) - the (much younger than Cyrus) Dovecot project seems to take a much more "marketing" / "publicity driven" approach to making their software known to the public, and it seems they "know" how to optimize their awareness, especially within the press. They were the first email infrastructure open source project, in my mind, which used press and marketing strategies very consistently. If this leads to better software - who knows?
>
> By "tradition", Cyrus did not do a lot of marketing. My view is: they "just delivered really best quality software" which stands on its own. A "strategy" which was typical for most of the "real" quasi-standard open source software projects within the internet.
>
> How far such a "pentest" is really a way to significantly prove or raise the "security" of such an open and still well known and widely professionally used / adapted software like Cyrus depends hardly on the facts behind it. There are large companies which use Cyrus for millions of users, with geeks adapting the Cyrus code for their own needs - and a part of this is coming back into the project. Dovecot - for me - seems more to target "end users" or "smaller" companies which look for an "integrated, easy to install" product without much interest in the sources. Many software builders used such "tests" in the past to "push" the publicity of their product, while the real security questions weren't answered by that test.
>
> AFAIK, Cyrus was still often part of code- or pentest-based security analysis from many different parties in the past >20 years - but if it helps someone and the costs for such tests are covered by "someone" - why not?
>
> However: AFAIK, Cyrus was still often part of code- or pentest-based security analysis from many different parties in the past >20 years - but if there are new tests available which really could bring significantly higher trust into the code / project, it helps someone and the costs for such tests are covered by "someone" - why not?
>
> Many thanks and best regards,
>
> Niels.

Thanks for your thoughts Niels. While some might see this as advertising on the part of Dovecot (and why shouldn't they advertise favorable news?), I simply see it as peer review to provide a better product. I am not planning on switching away from Cyrus because of the success of another project, but I believe that all projects have room for improvement and that Cyrus IMAP users probably share the desire for Cyrus to be as successful as possible. Sometimes review by an outside source can be illuminating; if resources are available from those like Mozilla to perform reviews, I think the Cyrus IMAP project should try to take advantage of these opportunities.

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Dovecot pentest report
On Tuesday, 24 January 2017, 09:10:42 CET, Blake Hudson via Info-cyrus wrote:
> As a security conscious server admin, I am curious whether similar
> audits have been performed against Cyrus or are future audits on the road map?

Hi Blake,

from my view (I'm not part of the Cyrus team, but a long-time user) - the (much younger than Cyrus) Dovecot project seems to take a much more "marketing" / "publicity driven" approach to making their software known to the public, and it seems they "know" how to optimize their awareness, especially within the press. They were the first email infrastructure open source project, in my mind, which used press and marketing strategies very consistently. If this leads to better software - who knows?

By "tradition", Cyrus did not do a lot of marketing. My view is: they "just delivered really best quality software" which stands on its own. A "strategy" which was typical for most of the "real" quasi-standard open source software projects within the internet.

How far such a "pentest" is really a way to significantly prove or raise the "security" of such an open and still well known and widely professionally used / adapted software like Cyrus depends hardly on the facts behind it. There are large companies which use Cyrus for millions of users, with geeks adapting the Cyrus code for their own needs - and a part of this is coming back into the project. Dovecot - for me - seems more to target "end users" or "smaller" companies which look for an "integrated, easy to install" product without much interest in the sources. Many software builders used such "tests" in the past to "push" the publicity of their product, while the real security questions weren't answered by that test.

AFAIK, Cyrus was still often part of code- or pentest-based security analysis from many different parties in the past >20 years - but if it helps someone and the costs for such tests are covered by "someone" - why not?

However: AFAIK, Cyrus was still often part of code- or pentest-based security analysis from many different parties in the past >20 years - but if there are new tests available which really could bring significantly higher trust into the code / project, it helps someone and the costs for such tests are covered by "someone" - why not?

Many thanks and best regards,

Niels.

--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
Dovecot pentest report
I saw that Dovecot was recently audited by a security team known as Cure53, funded by Mozilla. The team's conclusion was favorable, finding few minor errors within the core components of Dovecot (lesser used components were not included in the audit).

https://wiki.mozilla.org/images/4/4d/Dovecot-report.pdf

As a security conscious server admin, I am curious whether similar audits have been performed against Cyrus or are future audits on the road map?

--Blake