World’s most used email server has ‘near-impenetrable’ security

Dovecot is an IMAP mail server, responsible for storing email until it’s requested by another program, such as an email app on your phone. It powers almost 70% of all IMAP servers online and claims to offer high-performance email facilities that are fully standards compliant.
Its homepage also claims the server’s “written with security primarily in mind.” Unusually, this statement held up in a security audit by Cure53, a German security company. Four experts, supported by the Mozilla Open Source Support initiative, spent 20 days trying to poke holes in Dovecot’s security. At the end of the effort, only three potential problems had been discovered. None are particularly serious.
The team praised Dovecot for its approach to security, noting the “refreshingly pleasant” outcome should “by no means be taken-for-granted” as the standard in software security. The results of the investigation are making headlines because it is so rare for complex programs to pass security audits with flying colours.
Because Dovecot is so large, Cure53 had to limit the scope of its study to the most commonly used components. However, it said it had “no doubt” that the software “holds strong and robust,” even when placed under extended penetration attempts by accomplished experts. Dovecot was given a “near-impenetrable” description, an accolade few other programs can lay claim to.
“The overall very much positive outcome of this security assignment performed by four testers from the Cure53 team can be inferred from the minimal number of discoveries in the context of the application’s high-complexity, as well as a very extensive and in-depth coverage,” read the team’s report.
“As for the latter, a considerable length of twenty days of testing over the two months of October and November of 2016 attest to a near-impenetrable security disposition of the Dovecot suite.”
Dovecot’s creators have already patched the vulnerabilities discovered by Cure53. Additional measures beyond those suggested by the team have also been implemented, leading the study authors to further commend Dovecot for its response to security issues.
Dovecot’s proactive approach to security is evident from its own website pages. Its main author, Timo Sirainen, runs a bug bounty scheme for people who do find security holes. Successful applicants receive €1,000 from Sirainen’s own wallet.
Cure53’s investigation upholds Dovecot’s reputation as a robust email server. As it’s used by so many providers, any significant compromise of its security systems could put the data of millions of people at risk.
As ever in cybersecurity, though, Dovecot’s success in this audit doesn’t mean it will stay secure forever. Cure53 warned the results “do not mean that there is nothing left to do,” suggesting that the remaining components of the server be probed in the future and that the team’s suggestions be implemented in Dovecot’s codebase.
