popa3d removed from base - what do people recommend?

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

popa3d removed from base - what do people recommend?

John Smith
I'm a fan of simple setups and try to stick with the base programs if
possible. I've been using an SSL relayd wrapper around popa3d for a simple and
base-supported mail setup with opensmtpd.

What would people recommend for a simple replacement for SSL pop3? I feel like
the general consensus will be "switch to popa3d in ports," but I'll take this
as an opportunity to migrate to something better if there's a good
alternative.

Thanks in advance!

Reply | Threaded
Open this post in threaded view
|

Re: popa3d removed from base - what do people recommend?

Peter Hessler
dovecot is pretty much the only sane option for pop3 and imap servers
these days.

On 2014 Jan 04 (Sat) at 21:04:27 -0500 (-0500), John Smith wrote:
:I'm a fan of simple setups and try to stick with the base programs if
:possible. I've been using an SSL relayd wrapper around popa3d for a simple and
:base-supported mail setup with opensmtpd.
:
:What would people recommend for a simple replacement for SSL pop3? I feel like
:the general consensus will be "switch to popa3d in ports," but I'll take this
:as an opportunity to migrate to something better if there's a good
:alternative.
:
:Thanks in advance!
:

--
I have made this letter longer than usual
because I lack the time to make it shorter.
                -- Blaise Pascal

Reply | Threaded
Open this post in threaded view
|

Re: popa3d removed from base - what do people recommend?

Артур Истомин
On Sun, Jan 05, 2014 at 05:24:35PM +0100, Peter Hessler wrote:

> dovecot is pretty much the only sane option for pop3 and imap servers
> these days.
>
> On 2014 Jan 04 (Sat) at 21:04:27 -0500 (-0500), John Smith wrote:
> :I'm a fan of simple setups and try to stick with the base programs if
> :possible. I've been using an SSL relayd wrapper around popa3d for a simple and
> :base-supported mail setup with opensmtpd.
> :
> :What would people recommend for a simple replacement for SSL pop3? I feel like
> :the general consensus will be "switch to popa3d in ports," but I'll take this
> :as an opportunity to migrate to something better if there's a good
> :alternative.
> :
> :Thanks in advance!
> :

I don't think so.
See:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dovecot (31 CVE)
vs.
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=courier-imap (3 CVE)

Reply | Threaded
Open this post in threaded view
|

Re: popa3d removed from base - what do people recommend?

Craig Skinner-3
In reply to this post by John Smith
On 2014-01-04 Sat 21:04 PM |, John Smith wrote:
>
> What would people recommend for a simple replacement for SSL pop3?

I use dovecot for IMAP only (no POP).

It can do SSL & authenticate against the /etc password arrangement.

Cheers,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7

Reply | Threaded
Open this post in threaded view
|

Re: popa3d removed from base - what do people recommend?

Jiri B-2
In reply to this post by John Smith
On Sat, Jan 04, 2014 at 09:04:27PM -0500, John Smith wrote:

> I'm a fan of simple setups and try to stick with the base programs if
> possible. I've been using an SSL relayd wrapper around popa3d for a simple and
> base-supported mail setup with opensmtpd.
>
> What would people recommend for a simple replacement for SSL pop3? I feel like
> the general consensus will be "switch to popa3d in ports," but I'll take this
> as an opportunity to migrate to something better if there's a good
> alternative.
>
> Thanks in advance!

I think pop3 is dead but recently there was a mail in tech@
stating Sunil Nimmagadda develops pop3 daemon closed to
OpenBSD standards.

http://marc.info/?l=openbsd-tech&m=137227187806151&w=2
http://marc.info/?l=openbsd-tech&m=137348456028504&w=2

jirib

Reply | Threaded
Open this post in threaded view
|

Re: popa3d removed from base - what do people recommend?

John Smith
> I think pop3 is dead but recently there was a mail in tech@
> stating Sunil Nimmagadda develops pop3 daemon closed to
> OpenBSD standards.

That's a good point. I don't like leaving mails on the server for more than a
day or so, but I don't see why I can't emulate this behavior on IMAP. I had
originally chosen POP3 because OpenBSD came with it batteries-included.

There's still some research I need to do on my own, but it does look like
dovecot fits the OpenBSD mentality of security first in development.

Thanks everyone!

Reply | Threaded
Open this post in threaded view
|

Re: popa3d removed from base - what do people recommend?

Stuart Henderson
In reply to this post by John Smith
On 2014-01-05, John Smith <[hidden email]> wrote:
> What would people recommend for a simple replacement for SSL pop3? I feel like
> the general consensus will be "switch to popa3d in ports,"

popa3d is not currently in ports.

Reply | Threaded
Open this post in threaded view
|

Re: popa3d removed from base - what do people recommend?

Артур Истомин
In reply to this post by John Smith
On Mon, Jan 06, 2014 at 01:10:09PM -0500, John Smith wrote:

> > I think pop3 is dead but recently there was a mail in tech@
> > stating Sunil Nimmagadda develops pop3 daemon closed to
> > OpenBSD standards.
>
> That's a good point. I don't like leaving mails on the server for more than a
> day or so, but I don't see why I can't emulate this behavior on IMAP. I had
> originally chosen POP3 because OpenBSD came with it batteries-included.
>
> There's still some research I need to do on my own, but it does look like
> dovecot fits the OpenBSD mentality of security first in development.

dovecot has more vulns. than other open source imap implementations all together.

Dovecot: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dovecot (31)
Cyrus IMAP https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Cyrus-imap
(3)
etc..

Reply | Threaded
Open this post in threaded view
|

Re: popa3d removed from base - what do people recommend?

Kevin Chadwick-2
previously on this list Артур Истомин contributed:

> > > I think pop3 is dead but recently there was a mail in tech@
> > > stating Sunil Nimmagadda develops pop3 daemon closed to
> > > OpenBSD standards.  
> >
> > That's a good point. I don't like leaving mails on the server for more than a
> > day or so, but I don't see why I can't emulate this behavior on IMAP. I had
> > originally chosen POP3 because OpenBSD came with it batteries-included.
> >
> > There's still some research I need to do on my own, but it does look like
> > dovecot fits the OpenBSD mentality of security first in development.  
>
> dovecot has more vulns. than other open source imap implementations all together.
>
> Dovecot: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dovecot (31)
> Cyrus IMAP https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Cyrus-imap
> (3)
> etc..

I don't think that paints an accurate picture in this case. You will
see more for cyrus listed on osvdb.org than mitre many of which from a
quick look are more worrying than dovecots.

I believe Dovecot is used by more people and so is more likely to have
bugs found and still offers a $1000 for any root exploit.

Perhaps you know both better than me as I know Dovecot quite well but
not Cyrus but from a quick look at the documentation and website. Cyrus
seems to have far less pro-active security features that some of the
vulnerabilities simply bypass.

Good to know it has competition though, I've only ever looked at
Cyrus-sasl.

--
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
_______________________________________________________________________