Dovecot – a popular open source IMAP and POP3 server for Linux/UNIX-like systems – is as secure as its developers claim it is. A security audit performed by German security outfit Cure 53 revealed only three minor security issues, and they’ve all already been fixed.
The audit, sponsored by Mozilla through its Open Source Support program, was performed by four code and penetration testers over the course of twenty days. They tested version 126.96.36.199 of the email server software suite (released on October 28, 2016).
The source code manual audit part of the testing did not encompass the entirety of the “massive” Dovecot codebase, but concentrated on the POP and IMAP protocol stacks, the process architecture and the login process, the User/Password MySQL and LDAP plugins, the internal dcrypt encryption API wrapper, and the GUID implementation – i.e. the most commonly used and deployed components.
The penetration testing was performed on several running instances of Dovecot.
The testers were pleasantly surprised by their findings, but pointed out that it would be great if, in time, other components were tested as well.
“In the broader web and security community, Dovecot is known for being very much robust and secure,” they noted in the audit report.
“Despite much effort and thoroughly all-encompassing approach, [we] only managed to assert the excellent security-standing of Dovecot. More specifically, only three minor security issues have been found in the codebase, thus translating to an exceptionally good outcome for Dovecot, and a true testament to the fact that keeping security promises is at the core of the Dovecot development and operations.”
“It is noticeable that Dovecot has already received a lot of scrutiny regarding its code security,” they concluded. “For a complex piece of software that Dovecot constitutes, it is an extremely rare result to stand strong with so few problems.”
Neil Cook, Chief Security Architect of the Dovecot project, while announcing the results of the results of the audit, noted that one of the things they take very seriously is the security of their software.
“[It] is a ground-up process which involves every aspect of the software lifecycle, including coding practices, design, static and dynamic analysis, comprehensive QA and a bug-bounty program,” he pointed out.