From: Charles Marcus on 2 Feb 2010 08:36 On 2010-02-01 7:17 PM, Stan Hoeppner wrote: > All of that said, I don't find I'm lacking any functionality with my current > version of Roundcube. Then you haven't looked at it... the new features are really nice...
From: Carlos Williams on 2 Feb 2010 11:05 On Tue, Feb 2, 2010 at 8:36 AM, Charles Marcus <CMarcus(a)media-brokers.com> wrote: > On 2010-02-01 7:17 PM, Stan Hoeppner wrote: >> All of that said, I don't find I'm lacking any functionality with my current >> version of Roundcube. > > Then you haven't looked at it... the new features are really nice... I would say this is getting pretty off-topic for Postfix discussion. It looks like most agree that RoundCube, Squirrelmail, or Horde are great applications and it's up to you to decide which works best for your needs. Good luck!
From: K bharathan on 2 Feb 2010 11:49 thanks for all On Tue, Feb 2, 2010 at 6:05 PM, Carlos Williams <carloswill(a)gmail.com>wrote: > On Tue, Feb 2, 2010 at 8:36 AM, Charles Marcus > <CMarcus(a)media-brokers.com> wrote: > > On 2010-02-01 7:17 PM, Stan Hoeppner wrote: > >> All of that said, I don't find I'm lacking any functionality with my > current > >> version of Roundcube. > > > > Then you haven't looked at it... the new features are really nice... > > I would say this is getting pretty off-topic for Postfix discussion. > It looks like most agree that RoundCube, Squirrelmail, or Horde are > great applications and it's up to you to decide which works best for > your needs. > > Good luck! >
From: Stan Hoeppner on 8 Feb 2010 18:50 K bharathan put forth on 2/2/2010 10:49 AM: > thanks for all > > On Tue, Feb 2, 2010 at 6:05 PM, Carlos Williams <carloswill(a)gmail.com>wrote: > >> On Tue, Feb 2, 2010 at 8:36 AM, Charles Marcus >> <CMarcus(a)media-brokers.com> wrote: >>> On 2010-02-01 7:17 PM, Stan Hoeppner wrote: >>>> All of that said, I don't find I'm lacking any functionality with my >> current >>>> version of Roundcube. >>> >>> Then you haven't looked at it... the new features are really nice... I just installed 0.3.1 from Lenny backports, up from 0.2.2, and in brief testing I don't really notice any significant new features. I still don't see a "reply to list" option, which would be nice. What should I be looking for, and where? Sorry to drudge up an old OT topic. I'm cc'ing the roundcube list so we can move this discussion over there. -- Stan
From: Jose Ildefonso Camargo Tolosa on 8 Feb 2010 19:34
Hi! Sorry for keeping the "off-topic"... but I had to answer.... On Mon, Feb 1, 2010 at 4:35 PM, Stan Hoeppner <stan(a)hardwarefreak.com> wrote: > Kay put forth on 2/1/2010 11:49 AM: > >> In my job (hosting company) I see boxes exploited via roundcube all the >> time. Squirrelmail? Not one so far. Part of the reason is that >> squirrelmail comes with RHEL, so it's kept up to date automatically, >> while customers install their own roundcube and then don't maintain it. > Me too, not just on DCs, even home (DSL dynamic) IPs, these are bots scanning, and I have found A LOT of roundcube-targeted scans. I have found lots of access attempts on *all* of the servers I have access to: more than 10 of them, on different geographical locations. > I think you're making some incorrect assumptions. Squirrelmail has had a pretty > abysmal security track record of its own over the years. One reason for that is True: really old ones. > probably exactly what you're calling out Roundcube for here, which has nothing > to do with the software, but the administration of the system. That said, you > appear to think the world runs on Red Hat, and if Red Hat doesn't have a > Roundcube package, admins will install from source or an external RPM that > doesn't get updated by Red Hat's uptodate or whatever it's called. The world > doesn't run on Red Hat, and many admins _do_ keep their Roundcube (and other) > packages up to date. For instance, I do security updates on my Debian servers > once a week. My Roundcube package is currently up to date, and it is a standard > Debian package: I use Debian too. >> That said, it's not the only webmail client (or any other web app) that >> gets the install&neglect treatment, it's just the one most frequently >> exploited. > > Do you have any empirical data showing that Roundcube is exploited more often > today than Squirrelmail? Claims like this really need to be backed up. Data > for only your data center doesn't count, the sample size is way too small.. This > is called "anecdotal" evidence, not empirical evidence. Ok, you want a "sample": 100% of the servers I have access to, have, at least once in the last year, been scanned by a bot (or person, who knows) for /roundcoube or similars, and none of them included scans for squirrelmail-related files. My sample size: around 20 servers on ~4 different geographical locations. One of the servers gets hits constantly by scans looking for files like roundcube/something and roundcube3/something (yes, 3, I don't know why, it should be 0.3), and roundcoube0.2/something.... and so on..... I have never ever used roundcube, because I studied a little about it, and found that it was still too young, I mean: it needs to grow as a project to get to a point where major security issues gets uncommon. The other case: my own PC, I have a "test" web server there, and it have been hit by these *scans* a lot.... and it has a dynamic IP... I recently decided to block the port 80 from outside, and only open it when I need it to be accessed from outside (it just gets annoying). Once again, sorry about off-topic, but this is an interesting discussion, Sincerely, Ildefonso Camargo |