[dovecot] Re: bincimap
Timo Sirainen
tss at iki.fi
Tue Feb 4 15:36:11 EET 2003
[oh well, let's cc the author as well]
On Tue, 2003-02-04 at 13:43, Farkas Levente wrote:
> hi,
> what do you tyhink about it? especially the faq comment about dovecot?
> http://www.bincimap.andreas.hanssen.name/
That's interesting. Haven't noticed it before. Author's name is actually
familiar from imap mailing list :) Initial impressions:
It uses C++, so why is it still using sprintf() in a few places, just
waiting to be exploited? That alone actually makes me question his "C++
security experience" (well, that's not C++ exactly..). The ones in COPY
and APPEND handling actually can cause buffer overflows if host has long
enough hostname.
Says it's a replacement for Courier IMAP, and the design looks that way
too. Currently at least maildir-specific (there was some empty mbox dir
though) and without any kind of smart indexing, meaning it's quite
likely close to Courier's performance.
I don't really get his comments about TCP wrappers. Meaning that I do
network I/O instead of letting inetd handle it? That's only minimal part
of the code and I'd say it has near-zero possibility for any security
related problems, or any kind of all really. Well, of course doing it in
inetd allows /etc/hosts.deny and such.
I guess his server runs as root until user is authenticated. That
requires that all IMAP commands check properly that they're not run
before authentication, that everything that is run before authentication
must have perfect security or attacker can get roots. SSL communication
is likely also done as root.
That's very different from Dovecot's design, where login process has
been designed so that even in case of a security flaw (eg. SSL library),
there's no way for the attacker to do _anything_ before being properly
authenticated (chrooted, non-privileged user, only access to communicate
with auth process via pipe but no way to get other users' passwords or
anything). Post-login SSL communication is also done by the same login
process, so that exploiting SSL library bugs even then won't do any
good.
It wouldn't be too difficult to allow Dovecot to be run from inetd, but
I don't think there's much point. It's certainly less secure since it
initially requires roots.
Hmm. What else .. I would have expected C++ code to be more .. prettier.
It's 10k lines count may be partially because of C++ and using lex
instead of writing own parsers, but I think it's mostly because it
doesn't really do much. Plaintext authentication + maildir + IMAP4rev1
is pretty much what it does now, without anything special in design or
implementation (except for being C++). Very much like Courier or UW
imapd.
More information about the dovecot
mailing list