Bug 122615

Summary: cyrus-imapd is active by default; it shouldn't be
Product: [Fedora] Fedora Reporter: Barry K. Nathan <barryn>
Component: cyrus-imapdAssignee: John Dennis <jdennis>
Status: CLOSED RAWHIDE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: barryn, mitr, oliva
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-05-11 11:56:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Barry K. Nathan 2004-05-06 11:50:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040504

Description of problem:
By default, server daemons in Fedora Core tend to not start up unless
chkconfig or the equivalent has been used to change that. (Look at
dhcpd, named, mysqld, httpd, innd, so on and so forth.) Even those
that do start up are configured to listen only to local connections by
default (look at sendmail for instance).

However, cyrus-imapd, as currently packaged, does not comply to this.
Instead it starts up by default. This is especially odd since another
IMAP server, dovecot, is also packaged in Fedora Core 2 but does not
show this behavior (it is not enabled by default).

IMO it would be more consistent and more secure for cyrus-imapd to be
configured like other packages. (Yes, the firewall mitigates this in
the typical case, but defense in depth is good IMO.)

Version-Release number of selected component (if applicable):
cyrus-imapd-2.2.3-8

How reproducible:
Always

Steps to Reproduce:
1. Perform an "Everything" install.
2. Reboot into the installed system and (if needed for step 3) become
root.
3. Use "ntsysv" or other methods to see which daemons are activated by
default and which ones are not.
4. While you're at it, try temporarily disabling the firewall and nmap
this host from a different host.
    

Actual Results:  As described above, cyrus-imapd is active by default.
Also, look at this list of ports from nmap:

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-06
04:50 PDT
Interesting ports on 192.168.0.63:
(The 1651 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
993/tcp   open  imaps
995/tcp   open  pop3s
2000/tcp  open  callbook
32770/tcp open  sometimes-rpc3

Ports 110, 143, 993, 995 and 2000 are *all* being used by cyrus-imapd.
That's over *half* of the open ports on the machine!

Expected Results:  I expected ports 110, 143, 993, 995 and 2000 to be
closed or at least only lisntening locally, and I expected cyrus-imapd
to not be active by default.

Additional info:

In Fedora Core 1, an Everything install offers pretty reasonable
security out-of-the-box, even in situations where the firewall has to
be disabled for one reason or another. I would *hate* anything that
threatens to bring us back to the days where an Everything install is
a security disaster waiting to happen. I *really* want to see this
fixed before Fedora Core 2 release!