122615 – cyrus-imapd is active by default; it shouldn't be

Bug 122615 - cyrus-imapd is active by default; it shouldn't be

Summary: cyrus-imapd is active by default; it shouldn't be

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	cyrus-imapd
Sub Component:
Version:	rawhide
Hardware:	i686
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	John Dennis
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-05-06 11:50 UTC by Barry K. Nathan
Modified:	2007-11-30 22:10 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2004-05-11 11:56:19 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Barry K. Nathan 2004-05-06 11:50:55 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040504

Description of problem:
By default, server daemons in Fedora Core tend to not start up unless
chkconfig or the equivalent has been used to change that. (Look at
dhcpd, named, mysqld, httpd, innd, so on and so forth.) Even those
that do start up are configured to listen only to local connections by
default (look at sendmail for instance).

However, cyrus-imapd, as currently packaged, does not comply to this.
Instead it starts up by default. This is especially odd since another
IMAP server, dovecot, is also packaged in Fedora Core 2 but does not
show this behavior (it is not enabled by default).

IMO it would be more consistent and more secure for cyrus-imapd to be
configured like other packages. (Yes, the firewall mitigates this in
the typical case, but defense in depth is good IMO.)

Version-Release number of selected component (if applicable):
cyrus-imapd-2.2.3-8

How reproducible:
Always

Steps to Reproduce:
1. Perform an "Everything" install.
2. Reboot into the installed system and (if needed for step 3) become
root.
3. Use "ntsysv" or other methods to see which daemons are activated by
default and which ones are not.
4. While you're at it, try temporarily disabling the firewall and nmap
this host from a different host.
    

Actual Results:  As described above, cyrus-imapd is active by default.
Also, look at this list of ports from nmap:

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-06
04:50 PDT
Interesting ports on 192.168.0.63:
(The 1651 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
993/tcp   open  imaps
995/tcp   open  pop3s
2000/tcp  open  callbook
32770/tcp open  sometimes-rpc3

Ports 110, 143, 993, 995 and 2000 are *all* being used by cyrus-imapd.
That's over *half* of the open ports on the machine!

Expected Results:  I expected ports 110, 143, 993, 995 and 2000 to be
closed or at least only lisntening locally, and I expected cyrus-imapd
to not be active by default.

Additional info:

In Fedora Core 1, an Everything install offers pretty reasonable
security out-of-the-box, even in situations where the firewall has to
be disabled for one reason or another. I would *hate* anything that
threatens to bring us back to the days where an Everything install is
a security disaster waiting to happen. I *really* want to see this
fixed before Fedora Core 2 release!

Note You need to log in before you can comment on or make changes to this bug.