[CentOS] CentOS 6 Webmail

Fri Jul 29 10:55:01 UTC 2011
Craig White <craigwhite at azapple.com>

On Thu, 2011-07-28 at 13:33 -0500, John R. Dennison wrote:
> On Mon, Jul 25, 2011 at 07:14:39PM +0100, Keith Roberts wrote:
> > 
> > +1 that's what my hosting provider gives on my webmail 
> > service, and I think it's a nice application to use.
> 
> Please excuse the untimely response - been busy.
> 
> I'd give users Exchange and OWA before I would even consider Horde and
> its ilk; their track record with regards to security is abysmal and
> while it may have gotten somewhat better in the past year or so the
> security track record of that project leaves an extremely bad taste in
> my mouth.
----
Not going to comment on Exchange/OWA.

Horde/Imp etc. security track record is no worse than any other
PHP-based web-mail solution. It has all the attack vectors - PHP, SQL, IMAP
etc. It is so flexible that you can use pretty much any IMAP server
(including Exchange), any SQL DB, any web server, etc. which of course
leaves many possibilities for misconfiguration. What really happens is
that they are sometimes used for sending out spam because of bad
password policies on many servers. To the Horde/IMP developers' credit,
they do have rate limiting methods available.  It's also used by many
universities throughout the world.

And by the way, check your apache logs... the webmail server script
kiddies are looking for is roundcube

Craig
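
The log check suggested above, as an added example that is not part of the original message: it reads Apache access-log lines and lists clients that repeatedly got 4xx responses for paths naming roundcube. The sample lines, the function name `webmail_probes` and the threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, made-up requests).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jul/2011:03:12:01 +0000] "GET /roundcube/ HTTP/1.1" 404 289 "-" "-"
203.0.113.7 - - [29/Jul/2011:03:12:02 +0000] "GET /RoundCube/index.php HTTP/1.1" 404 295 "-" "-"
203.0.113.7 - - [29/Jul/2011:03:12:02 +0000] "GET /mail/r%6Fundcube/ HTTP/1.1" 404 291 "-" "-"
198.51.100.20 - - [29/Jul/2011:09:40:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.20 - - [29/Jul/2011:09:41:30 +0000] "GET /roundcube/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not a valid log entry
"""


def webmail_probes(lines, keyword="roundcube", min_misses=2):
    """Return {ip: [paths]} for clients with at least min_misses 4xx
    responses on request paths that contain keyword (case-insensitive)."""
    misses = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated entries
        # Decode percent-escapes so /r%6Fundcube/ is matched as well.
        path = unquote(m.group("path"))
        if keyword in path.lower() and m.group("status").startswith("4"):
            misses[m.group("ip")].append(path)
    return {ip: p for ip, p in misses.items() if len(p) >= min_misses}


if __name__ == "__main__":
    for ip, paths in webmail_probes(SAMPLE_LOG.splitlines()).items():
        print(ip, len(paths), sorted(set(paths)))
```

Only 4xx responses are counted, so on a host that really serves Roundcube the successful requests of its own users are ignored.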

