Howdy all,
I thought some of you might find this interesting. Mozilla Foundation has been sponsoring professional security audits of important Open Source infrastructure software. One of them projects included is Dovecot. That audit was just completed, and it makes for an interesting read.
Here's the summary link: https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#dovecot
The highlight:
"The Cure53 team were extremely impressed with the quality of the dovecot code. They wrote: "Despite much effort and thoroughly all-encompassing approach, the Cure53 testers only managed to assert the excellent security-standing of Dovecot. More specifically, only three minor security issues have been found in the codebase, thus translating to an exceptionally good outcome for Dovecot, and a true testament to the fact that keeping security promises is at the core of the Dovecot development and operations.""
I'm not so surprised; I've spent some time poking around in Dovecot, and it's always been one of my favorite projects that we rely on in Virtualmin. Very few pieces of software that we push so heavily have proven to be so reliable and trouble free over the years; we almost never get support queries or bug reports related to Dovecot (we get a lot of mail related reports, but almost always about other parts of the stack, ClamAV, in particular). So, congratulations to the Dovecot team for being awesome for all these years. Not only it is among the fastest and most capable IMAP/POP servers, it's also proven to be quite secure and really stable over many years.
The full audit: https://wiki.mozilla.org/images/4/4d/Dovecot-report.pdf
There have been a few other audits from this effort that might be useful to Virtualmin users, including PHPMyAdmin (which also fared quite well), PCRE (which provides the regular expression engine for many, many, things, including PHP), and libjpeg (which lots of image libraries use for processing jpg images).
Cheers,
Joe
Thank you for sharing. I never had any problem with Dovecot either. It seems very well build. It would be awesome if more companies made audits on open source software.