This article is more than 1 year old

Dovecot mailserver graded 'nearly impenetrable'

Security audit of popular-with-service-providers package produces surprised smiles

POP and IMAP mailserver suite Dovecot has passed an extensive audit by hackers, who were able to find only three minor vulnerabilities.

Dovecot is especially popular with service providers, so the news that four Cure53 researchers have given it a "thoroughly all-encompassing" audit and found the software to have "excellent security-standing" is welcome news.

The Mozilla Mozilla Open Source Support-backed audit performed by Berlin-based Cure53 lasted 20 days and produced a report [PDF] dubbing the server "near impenetrable".

The team says the small number of vulnerabilities is impressive considering Dovecot's highly complex codebase.

"As for the latter, a considerable length of 20 days of testing over the two months of October and November of 2016 attest to a near-impenetrable security disposition of the Dovecot suite," the auditors say in their report.

"Quite clearly, this is a refreshingly pleasant result, which should by no means be taken-for-granted, or perceived as the 'usual standard' in the mature and complex software environments of similar kind."

Their audit was limited to the most commonly used and deployed components due to the "massive" size of the Dovecot codebase. Complexity of some code components made it "very hard" to understand the logic of all entanglements, the team says, adding that proper coverage of the given scope was achieved.

"It is a clear and vocal recommendation of the Cure53 testers’ part to engage in security testing against the components of Dovecot that were not in the primary scope of this test," the team says. ®

More about

More about

More about


Send us news

Other stories you might like