Sla.ckers.org
This is a place for us to start seriously talking about vendors. Who's great, who's not, what's it cost, how does it relate to their competitors and would we buy it? A place to talk about snakeoil, and brilliant products alike. Marketing fluff is forbidden. 
opensource webmail/collaboration platform review
Posted by: Malkav
Date: March 31, 2008 05:28AM

i recently installed a fully fledged postfix/dovecot on a new server, but he wanted a webmail/calendar/whatever too, and i don't know those products very well.

so i tried horde, and roundcube. both do their job (although roundcube is largely heavier (mainly due to javascript))

did you have to pentest webmails/CP recently ? would you recommend one in particular ? the only requirement is that it can run in lighttpd-fcgi and over PostgreSQL.

i am no php coder, so if i had to code one, it would be perl or RoR. and i have not much time.

as i dedicated most of my time spent on this one to harden the underlying freebsd 7, i think i'd be pretty pissed off if some random kiddy started to attack the database via SQLi (or worse, sent mail with JS. XSS via mail. NOOoOOoooOoOoO)

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

Re: opensource webmail/collaboration platform review
Posted by: id
Date: March 31, 2008 09:58AM

We use postfix on our edge mail servers, and exchange on the inside (say all you want, but for businesses, there is no open source equivalent). The closest thing, and it may be up to speed now, is Zimbra.

We also tried roundcube, but while it looks nice, it has tons of security holes, and we gave up on it.

fbsd7 is a good choice with their improvements in performance with databases, but it might be a bit premature for production. I'm testing a couple 7 servers right now as well.

Also add postgrey, maybe spamd, and probably clamav. We sometimes get 100k+ spams a day, almost all directed at the ckers.org domain, so if they are going to be on a semi-popular domain make sure the box has a decent processor and RAM. You also may want to tune the DB for additional connections and cut the max session time.

Depending on how many domains/users and how you want to admin it, you may want to check out PostfixAdmin as well.

good luck, I loathe mail systems! :)

-id

Re: opensource webmail/collaboration platform review
Posted by: Malkav
Date: March 31, 2008 10:15AM

yeah i already took care of the full spamass/clamd/amavisd. i don't think freebsd 7 is premature, beside 5.x which was a hell, i hadn't a problem that a portupgrade/make world couldn't repair. and they really did a great job in this one. performance is sky high on properly prepared systems. i am waiting for the fully virtualized IP stack though. you just *hate* killing all your jails by shitty routing. basically the whole mail server is up and running like hell (last postfix i threw pumped millions of mails a day. fuck romance sites hosting their clients mails on the ISP mail system). the only real question was about the webmail system. i tried zimbra some time ago, but it was a hell to get running. ok for roundcube, it will be thrown away tonight. think i'll give a shot with two different webmails and let the users decide.

why can't they use good ol' fetchmail && mutt #@!

Re: opensource webmail/collaboration platform review
Posted by: id
Date: March 31, 2008 01:10PM

I'm going to be setting up webmail for a family site in the next couple weeks, let me know what you go with.


btw, postgrey takes care of ~80% of our spam before it ever hits the DB for a lookup, well worth installing and configuring.

-id

Re: opensource webmail/collaboration platform review
Posted by: kuza55
Date: October 31, 2008 10:38PM

Everyone should run roundcube, it's totally secure; 100% kuza55 certified secure! :D

Haven't had a look at horde yet, but I presume it is on its way to receiving a similar certification too :p

[EDIT]: Argh, didn't see the dates on this thread before posting, oh well :(

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]



Edited 1 time(s). Last edit at 10/31/2008 10:39PM by kuza55.

Re: opensource webmail/collaboration platform review
Posted by: thrill
Date: October 31, 2008 11:15PM

That's funny.. I recommended roundcube to id about 2 years ago, he claimed it was church software (holy).. ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: opensource webmail/collaboration platform review
Posted by: Malkav
Date: November 05, 2008 05:03AM

i finally settled for roundcube. it's not like i care whatsoever, i only use cone and gmail :)

Re: opensource webmail/collaboration platform review
Posted by: Reiners
Date: November 05, 2008 06:03AM

like kuza55 I slightly tested roundcube at the CSAW CTF, there were some minor things you could improve:

- log file "/roundcube/logs/sendmail" is publicly available and reveals in- and outgoing email addresses
- log file "/roundcube/logs/errors" is publicly available and could reveal usernames
- outgoing mail attachments are publicly available at "/roundcube/temp/"

just some notes I made during the contest, maybe they are useful for someone.

Options: ReplyQuote
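
A check for the three locations listed in the post above, as an added example that is not part of the original thread: it requests each path from a deployment you administer and reports those the web server still answers with a 2xx status. The function names and the `run_demo` helper, which audits a constructed local directory tree, are assumptions for illustration.

```python
import functools, http.server, pathlib, tempfile, threading
import urllib.error, urllib.request

# Paths reported in the post above; adjust the prefix to match your install.
SENSITIVE_PATHS = ("/roundcube/logs/sendmail", "/roundcube/logs/errors",
                   "/roundcube/temp/")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx as HTTPError instead of following it

# No redirects, no environment proxies: we want the server's own answer.
_opener = urllib.request.build_opener(_NoRedirect, urllib.request.ProxyHandler({}))

def probe(base_url, path, timeout=5):
    """Return the HTTP status for base_url + path, or None if unreachable."""
    try:
        with _opener.open(base_url.rstrip("/") + path, timeout=timeout) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code
    except OSError:  # URLError (refused, timeout, DNS) is an OSError subclass
        return None

def audit(base_url, paths=SENSITIVE_PATHS):
    """Return {path: status} for every path the server answers with 2xx."""
    hits = {}
    for p in paths:
        status = probe(base_url, p)
        if status is not None and 200 <= status < 300:
            hits[p] = status
    return hits

def run_demo():
    """Audit a constructed tree: logs/sendmail and temp/ exist, logs/errors does not."""
    with tempfile.TemporaryDirectory() as root:
        rc = pathlib.Path(root, "roundcube")
        (rc / "logs").mkdir(parents=True)
        (rc / "temp").mkdir()
        (rc / "logs" / "sendmail").write_text("constructed sample line\n")
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=root)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return audit(f"http://127.0.0.1:{srv.server_address[1]}")
        finally:
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__": print(run_demo())
```

An empty result from `audit` means none of the three paths is served; any entry it returns is a directory the web server should be configured to deny or that should be moved outside the document root.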