
Perdition: Mail Retrieval Proxy



Perdition
I lately lost a preposition;
It hid, I thought, beneath my chair
And angrily I cried, "Perdition!
Up from out of under there."
Correctness is my vade mecum,
And straggling phrases I abhor,
And yet I wondered, "What should he come
Up from out of under for?"
Morris Bishop, contributed by Kfish

What is perdition?

Perdition is a fully featured POP3 and IMAP4 proxy server. It handles both SSL and non-SSL connections and redirects users to a real server based on a database lookup. Perdition supports modular database access: ODBC, MySQL, PostgreSQL, GDBM, POSIX Regular Expression and NIS modules ship with the distribution. The module API is open, so arbitrary modules can be written to access any data store.

Perdition has many uses, including creating large mail systems where an end-user's mailbox may be stored on one of several hosts, integrating different mail systems, migrating between different email infrastructures, and bridging plain-text, SSL and TLS services. It can also be used as part of a firewall. The use of perdition to scale mail services beyond a single box is discussed in high capacity email.

News

Security Notice: perdition 1.17.1

This is a bug-fix release to address a security concern, CVE-2007-5740. The announcement of the bug, including a description, is here.

In short, there is a deficiency in the code that perdition uses to protect itself from string format bugs. As a result, embedded null characters in an IMAP tag supplied by an attacker may allow the attacker to execute arbitrary code on the machine running perdition, as the user that is running perdition.

By default perdition runs as user nobody, which may help to mitigate the effects of any code an attacker executes.

This problem affects IMAP and its SSL/TLS variant. All users who run perdition in IMAP modes are advised to upgrade.

It is not believed that it affects POP or its SSL/TLS variant.

Perdition 1.17.1 fixes this problem by verifying that tags supplied by end-users are valid. The patch can be seen in the Mercurial repository here. It also includes some other fixes for problems which have been tested in Debian.

A complete list of changes is available in the ChangeLog.
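
An added example, not perdition's actual patch or code: one way to check a client-supplied tag against the RFC 3501 tag grammar using an explicit byte length, so that an embedded NUL is inspected and rejected instead of ending the check early. The function names and the IMAP_TAG_MAX limit are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAP_TAG_MAX 64  /* assumed local limit; RFC 3501 sets none */

/* 1 if buf[0..len) matches the RFC 3501 "tag" rule, else 0. The length is
 * explicit, so a NUL byte inside the buffer is examined, not treated as
 * the end of the string. */
int imap_tag_is_valid(const unsigned char *buf, size_t len)
{
    /* atom-specials (minus "]", which ASTRING-CHAR re-allows) plus "+" */
    static const char forbidden[] = "(){%*\"\\+";
    size_t i;

    if (buf == NULL || len == 0 || len > IMAP_TAG_MAX)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (c <= 0x20 || c >= 0x7f)   /* NUL, other CTLs, SP, DEL, 8-bit */
            return 0;
        if (memchr(forbidden, c, sizeof(forbidden) - 1) != NULL)
            return 0;
    }
    return 1;
}

/* Length of the leading tag in a received command line (the bytes before
 * the first SP), or 0 if there is no SP or the tag is invalid. */
size_t imap_line_tag_len(const unsigned char *line, size_t len)
{
    const unsigned char *sp = memchr(line, ' ', len);
    size_t tag_len;

    if (sp == NULL)
        return 0;
    tag_len = (size_t)(sp - line);
    return imap_tag_is_valid(line, tag_len) ? tag_len : 0;
}

int main(void)
{
    /* Constructed sample lines; the second has a NUL inside the tag. */
    static const unsigned char ok[] = "a001 NOOP";
    static const unsigned char nul[] = "a0\0" "b1 NOOP";

    printf("ok:  %zu\n", imap_line_tag_len(ok, sizeof(ok) - 1));
    printf("nul: %zu\n", imap_line_tag_len(nul, sizeof(nul) - 1));
    return 0;
}
```

A proxy that rejects the command when the returned length is 0 never passes an unvalidated tag on to logging or response formatting.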

Perdition 1.17.1 is available for download here.

22nd June 2005

Security Notice (Historical): vanessa_logger 0.0.1 String Format Bug

vanessa_logger 0.0.1, which is required by perdition, has a string-format bug. Please upgrade to 0.0.2. Details.

26th December 2001

More Information

Download: Released versions
Releases: Historical information on releases
Mercurial Repository: The latest development code. Please note that this is development code and is generally not recommended for production.
Documentation: Documentation on how to use perdition
FAQ: Perdition FAQ
Mailing Lists: perdition-users and perdition-cvs subscription and archive information
Press Centre: Information for the press on perdition
Deployments: Information about some of the perdition systems in production
Perdition-PBS: POP Before SMTP Tools
Vanessa: Underlying libraries for Perdition

Copyright © 1995-2008 Horms
Last Modified: Thu, 28 Aug 2008 08:25:50 -0400