  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    17,213

    [EN] Dovecot audit

    Dates: October 2016 - January 2017

    Dovecot is a POP and IMAP mail server; it is used in 70% of IMAP server deployments worldwide. The audit was performed by Cure53.

    The team found the following problems:

    • 3 Low


    The Cure53 team were extremely impressed with the quality of the dovecot code. They wrote: "Despite much effort and thoroughly all-encompassing approach, the Cure53 testers only managed to assert the excellent security-standing of Dovecot. More specifically, only three minor security issues have been found in the codebase, thus translating to an exceptionally good outcome for Dovecot, and a true testament to the fact that keeping security promises is at the core of the Dovecot development and operations."


  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    17,213
    Conclusion

    The overall very much positive outcome of this security assignment performed by four
    testers from the Cure53 team can be inferred from the minimal number of discoveries in
    the context of the application’s high-complexity, as well as a very extensive and in-depth
    coverage. As for the latter, a considerable length of twenty days of testing over the two
    months of October and November of 2016 attest to a near-impenetrable security
    disposition of the Dovecot suite.

    Quite clearly, this is a refreshingly pleasant result, which should by no means be taken for
    granted, or perceived as the “usual standard” in the mature and complex software
    environments of similar kind. At the same time, it has to be noted though that the general
    Dovecot code base is massive, so the scope was limited to the most commonly used
    and deployed components. In addition, the complexity in certain parts of the code base
    initially made it very hard to uncover and understand the logic of all entanglements. The
    level of complexity was not even across the code base, but rather affected the API area
    most profusely. Conversely, other parts posed no such difficulty to the auditors. Besides
    these minor struggles at the early stage, the audit managed to achieve proper coverage
    of the given scope.

    Finally, as with all software, excellent results do not mean that there is nothing left to do.
    In fact, it is a clear and vocal recommendation of the Cure53 testers’ part to engage in
    security testing against the components of Dovecot that were not in the primary scope of
    this test. This strategy of incorporating more areas through expansion could help ensure
    that the positive impression translates into other areas and persists, even when one
    imagines the possible effects of the less common usage scenarios.

    In sum, there is no doubt that the Dovecot email server software holds strong and
    robust, even when faced with a very stern and in-depth look into its codebase.

    Cure53 would like to thank Gervase Markham and Chris Riley of Mozilla for their
    excellent project coordination, support and assistance, both before and during this
    assignment. Cure53 would further like to extend gratitude to Neil Cook & Timo Sirainen,
    two maintainers of the Dovecot project, for their help during the scoping phase of this
    assessment.

    https://wiki.mozilla.org/images/4/4d/Dovecot-report.pdf
