Re: [EXIM] POP3

Author: patl
Date:  
To: Doug S
CC: gyan, Exim Users
Subject: Re: [EXIM] POP3
> >Has anyone got any suggestions as to which POP3 server software to
> >use? I keep hearing rumours that some of the popular ones have got
> >security holes but am not sure which rumours to believe; basically I
>
> In the last two years, the UW pop/imap package got hit twice - but
> fixes were promptly released. This is the code I'm using (partly
> because I don't need to go to one source for POP and another one for
> IMAP, and we're encouraging IMAP as the standard for all e-mail
> software now).
>
> http://www.washington.edu/imap/
>
> If you *just* want POP, the Qualcomm qpopper is well thought-of. It
> had a recent security hit too, but that was promptly fixed.


I prefer the Cyrus IMAP/POP system from CMU. It is inherently
more secure because it relinquishes all root permissions once
it has bound to the privileged IMAP socket. (This makes it
nearly impossible for any security hole to lead to root permission.)
The deliver program runs as a non-privileged user. (Nominally
'cyrus'.) And it seems to have been written with an eye to avoiding
the possibility of buffer overruns and other common security holes.

It also keeps the mailboxes in its own area where they must
be accessed via IMAP. (The POP3 daemon is really a POP3 to
IMAP4 protocol translator.) The advantage of this is that
there are no file ownership or locking problems. The down
side is that you can't use old mail user agents that don't
know about IMAP or POP. (Or, rather, to use them you must
use a POP or IMAP-aware program like fetchmail to move the
messages from the IMAP server to your private area.)



-Pat

--
*** Exim information can be found at http://www.exim.org/ ***
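The privilege drop Pat describes (bind the privileged IMAP socket while still root, then give up root for good) as an added C example; this is not Cyrus's own code, and it assumes Linux/glibc, the standard IMAP port 143 and a local service account named cyrus.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP listener on `port` (ports below 1024 require root). Returns fd or -1. */
static int bind_listener(uint16_t port) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid. Order matters: supplementary groups first (needs
 * root, so skipped when we are not root), then gid, then uid; setuid() goes
 * last because after it the gid can no longer be changed. Returns 0 on success. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* The drop must be irreversible; if root can be regained, refuse to serve. */
    if (uid != 0 && (setuid(0) == 0 || geteuid() == 0)) return -1;
    return 0;
}

/* 1 when the process is unprivileged and cannot climb back to root. */
static int privileges_irrevocable(void) {
    return getuid() != 0 && geteuid() != 0 && setuid(0) == -1 && errno == EPERM;
}

int main(void) {
    int fd = bind_listener(143);               /* IMAP port: bound while still root */
    if (fd < 0) { perror("bind"); return 1; }
    struct passwd *pw = getpwnam("cyrus");     /* service account named in the post */
    if (!pw) { fprintf(stderr, "no 'cyrus' user\n"); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) { perror("drop"); return 1; }
    printf("listening on fd %d as uid %d, root irrevocable: %d\n", fd,
           (int)getuid(), privileges_irrevocable());
    return 0;
}
```

The check after setuid() is the part worth copying: a server that only calls setuid() and never verifies that setuid(0) now fails can be left with a saved root uid that a later bug can reclaim.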