[Dovecot] Webmail Recommendation

mouss mlist.only at free.fr
Fri Jan 11 13:46:29 EET 2008


Stephen Warren wrote:
> Peter Eriksson wrote:
>> All the suggested ones have just one big FAT problem - they are all 
>> written in that security bug ridden language that the hackers just 
>> love to exploit - PHP. Running a web application available to the 
>> whole wide internet written in PHP is just asking for someone to break 
>> into your systems.
> 
> This can be pretty easily solved - configure your web server to require 
> HTTP authentication for the location where the PHP script is, configure 
> the web server to use the same authentication source as webmail, and 
> hack webmail to pick up the authentication from the web server instead 
> of presenting a login prompt.
> 
you also need to enforce strong passwords, because if an attacker can 
guess passwords, authentication doesn't help much.

In addition, this doesn't solve the problem for hosters, when users 
cannot be trusted.

Another measure is to enforce https.

That said, it is possible to implement secure applications in php and it 
is possible to implement insecure applications in other languages. The 
fact that php is more widely used than say ruby certainly reduces the 
costs for attackers, but this doesn't mean that php is insecure by 
itself. Also, if you want a "fancy" UI, you'll need javascript and this 
will bring its problems whatever primary language you use.


> Pretty easy with apache and LDAP-based users, and squirrelmail at least...
> 
> But, if you don't do this, I totally agree.
> 
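The setup Stephen describes (Basic auth in front of the PHP webmail location, backed by the same LDAP directory the mail server uses, with HTTPS enforced as mouss adds) looks roughly like this in Apache 2.4. This is an added example written for this thread, not configuration from any of the posters or from the Dovecot project; the hostnames, the base DN, the service account and the /webmail path are assumptions.

```apache
# Added example, not from the thread: Apache 2.4 fragment that puts a PHP
# webmail under HTTP Basic auth backed by the same LDAP directory the IMAP
# server authenticates against, and forces HTTPS so the credentials never
# cross the wire in clear. Needs mod_ssl, mod_ldap and mod_authnz_ldap.
# mail.example.com, the DNs and /webmail are assumed values.

# Plain-HTTP vhost whose only job is to send everyone to HTTPS.
<VirtualHost *:80>
    ServerName mail.example.com
    Redirect permanent / https://mail.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mail.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/mail.example.com.key

    <Location "/webmail">
        # Belt and braces: refuse to serve this location at all without TLS,
        # so a misplaced Alias or a second vhost cannot expose it over HTTP.
        SSLRequireSSL

        AuthType Basic
        AuthName "Webmail"
        AuthBasicProvider ldap
        # Same directory the IMAP server uses; ldaps:// so the connection
        # from Apache to the directory is encrypted as well.
        AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
        # Read-only service account for the search that precedes the user
        # bind; the password comes from a script, not from the config file.
        AuthLDAPBindDN "cn=httpd,ou=services,dc=example,dc=com"
        AuthLDAPBindPassword "exec:/etc/apache2/ldap-bind-pass.sh"

        # Nothing reaches the PHP code unless LDAP accepted the credentials.
        # Under mod_php the webmail can then read the already-verified user
        # from $_SERVER['REMOTE_USER'] / $_SERVER['PHP_AUTH_USER'] instead
        # of showing its own login form.
        Require valid-user
    </Location>
</VirtualHost>
```

The "exec:" form of AuthLDAPBindPassword needs Apache 2.4.5 or later; on older builds the literal password has to sit in the config file, which should then be readable by root only.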
