
Security status of web server / email server software?

  • 24-09-2004 10:29pm
    #1
    Registered Users, Registered Users 2 Posts: 3,739 ✭✭✭


    I'm in the process of trying out a new windows based web/email server for myself and have shortlisted a few freebie* ones ....

    What I want to know:
    Is there a website (or collection of them) that documents all known exploits of common web/email servers so I can evaluate if they are worth the trouble or not ... I'd hate to decide on an application only to find out later that it had gaping holes allowing users or hackers to do what they wanted... I don't need to know the exploit details .... just knowing there are a bunch of exploits would put me off

    I would prefer if this didn't become a linux / sendmail fanboi thread, if you know of a freeware or commercial (that allows home use) windows webmail/email/web server that is secure (allows AVG antivirus as a plugin would be cool) then please post...

    *for example, I am using one now which after the 30 day trial disables a lot of features, still a good product (I think) but it adds a line to the bottom of outgoing emails after the trial is over ... lovely :mad:


Comments

  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    Have a look at MailEnable


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    For Windows
    Apache - web - well like about half the internet uses it.
    SquidNT - proxy
    IIS - It Isn't Secure

    http://secunia.com/ - security advisories

    If you are running on Windows then you need a firewall - there are too many exploits in WIN / IE - preferably an external one. When Windows XP boots it says copyright 1985-2001, so there is some very old code in there somewhere - MsBlaster exploit could have happened 8 years earlier (has anyone tested it on NT3.51 or earlier?)


  • Registered Users, Registered Users 2 Posts: 380 ✭✭dogs


    For Windows
    Apache - web - well like about half the internet uses it.

    I don't believe Apache "does" email. Besides, don't Apache still rate their webserver unsafe for production environments on Win32?

    When windows XP boots it says copyright 1985-2001, so there is some very old code in there somewhere

    I'd be surprised if your UNIX-variant machine doesn't have code in there somewhere from the late 70s. Code isn't milk. It doesn't "go bad", older code can often be more stable with greater chance of peer review.


  • Registered Users, Registered Users 2 Posts: 3,739 ✭✭✭BigEejit


    http://secunia.com/ - security advisories
    I know I should have found this with a google search but for some reason I didn't .... but that site is what I wanted ;)
    Unfortunately the product I was looking at is moderately critical :confused: but there is a fix :D
    Any other sites that may have other exploits (other than the one that Secunia showed)?


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    dogs wrote:
    I don't believe Apache "does" email. Besides, don't Apache still rate their webserver unsafe for production environments on Win32?
    The original request was for "windows based" and secure even though there are mutually exclusive requests. The current JPEG exploit does not affect 98/Me/NT4/2000 with IE 5.5 or earlier - but it's a near certainty that since they don't have IE 6.0SP1 they have not been patched to the hilt and would have other vulnerabilities. Given the choice between IIS & Apache it's a no brainer. I'm waiting to see what others suggest for "Freebie" Email, and I can't recommend Mercury/Pegasus simply because I've never used them. For a business environment stumping up for MDaemon is a fairly easy decision.
    I'd be surprised if your UNIX-variant machine doesn't have code in there somewhere from the late 70s. Code isn't milk. It doesn't "go bad", older code can often be more stable with greater chance of peer review.
    Agree, but when the source code is a closely guarded secret you can't have open peer review. eg: MsBlaster was caused by an exploit that was at least 8 years old, (older if anyone can confirm that NT3.51 etc. were also affected) so hidden bad code doesn't get fixed, especially when you aren't selling or supporting it when end of life. For the future according to el reg M$ will now be letting Gov'ts see the source code for office 2003.

    Another option would be a web manageable LAMPS server.


  • Registered Users, Registered Users 2 Posts: 3,739 ✭✭✭BigEejit


    The front runner for my webmail/email/web server is 602 Lan Suite Pro .... older versions have a patch for a problem but newer versions are ok so far ... it is free for 5 users (fine for my usage) ... it supports AVG antivirus and bayesian filtering (block lists too for all the good they are)...
    You can enable ftp to a user's own folder so they can run their own websites, seems to have a cgi-bin as well but I haven't looked into it / used it .... might allow counters / guestbooks

    I have used desknow now for a while ... some features are disabled after the initial month but it's ok ... from reading around it seems that the advertisement at the bottom of outgoing mails may or may not happen .... :eek: I may try a new installation to get rid of the ad I am seeing now
    I have however seen posts on forums etc that desknow had a problem that login details were sent in cleartext at one point ... it's curious that this isn't documented on secunia

    I wouldn't touch IIS with a bargepole ... the email/webmail/web server will be on its own machine running xp sp2 and locked down as well as I can ...

