Red Hat Bugzilla – Bug 122615
cyrus-imapd is active by default; it shouldn't be
Last modified: 2007-11-30 17:10:42 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040504
Description of problem:
By default, server daemons in Fedora Core tend to not start up unless
chkconfig or the equivalent has been used to change that. (Look at
dhcpd, named, mysqld, httpd, innd, so on and so forth.) Even those
that do start up are configured to listen only to local connections by
default (look at sendmail for instance).
However, cyrus-imapd, as currently packaged, does not comply with this.
Instead it starts up by default. This is especially odd since another
IMAP server, dovecot, is also packaged in Fedora Core 2 but does not
show this behavior (it is not enabled by default).
IMO it would be more consistent and more secure for cyrus-imapd to be
configured like other packages. (Yes, the firewall mitigates this in
the typical case, but defense in depth is good IMO.)
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Perform an "Everything" install.
2. Reboot into the installed system and (if needed for step 3) become
3. Use "ntsysv" or other methods to see which daemons are activated by
default and which ones are not.
4. While you're at it, try temporarily disabling the firewall and nmap
this host from a different host.
Actual Results: As described above, cyrus-imapd is active by default.
Also, look at this list of ports from nmap:
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-06
Interesting ports on 192.168.0.63:
(The 1651 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
993/tcp open imaps
995/tcp open pop3s
2000/tcp open callbook
32770/tcp open sometimes-rpc3
Ports 110, 143, 993, 995 and 2000 are *all* being used by cyrus-imapd.
That's over *half* of the open ports on the machine!
Expected Results: I expected ports 110, 143, 993, 995 and 2000 to be
closed or at least only listening locally, and I expected cyrus-imapd
to not be active by default.
In Fedora Core 1, an Everything install offers pretty reasonable
security out-of-the-box, even in situations where the firewall has to
be disabled for one reason or another. I would *hate* anything that
threatens to bring us back to the days where an Everything install is
a security disaster waiting to happen. I *really* want to see this
fixed before Fedora Core 2 release!
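
The check in steps 3 and 4 can be scripted from the host itself. The following is an added example, not part of the original report or of any Fedora tooling: it reads `chkconfig --list` and `netstat -tlnp` output and reports services enabled outside an allowlist and TCP listeners bound to non-loopback addresses. The sample data, program names, PIDs and the allowlist are constructed assumptions.

```shell
#!/bin/sh

# Constructed `chkconfig --list` output.
sample_chkconfig() {
cat <<'EOF'
cyrus-imapd 0:off 1:off 2:on  3:on  4:on  5:on  6:off
dovecot     0:off 1:off 2:off 3:off 4:off 5:off 6:off
httpd       0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail    0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd        0:off 1:off 2:on  3:on  4:on  5:on  6:off
EOF
}

# Constructed `netstat -tlnp` output; PIDs and program names are assumptions.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22   0.0.0.0:* LISTEN 1801/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1850/sendmail
tcp 0 0 0.0.0.0:110  0.0.0.0:* LISTEN 1902/cyrus-master
tcp 0 0 0.0.0.0:143  0.0.0.0:* LISTEN 1902/cyrus-master
tcp 0 0 0.0.0.0:993  0.0.0.0:* LISTEN 1902/cyrus-master
tcp 0 0 0.0.0.0:995  0.0.0.0:* LISTEN 1902/cyrus-master
tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN 1902/cyrus-master
EOF
}

# stdin: chkconfig --list. Prints services on in runlevel $1 but not in allowlist $2.
unexpected_enabled() {
  awk -v rl="$1" -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    { for (i = 2; i <= NF; i++) if ($i == (rl ":on") && !($1 in ok)) print $1 }' | sort
}

# stdin: netstat -tlnp. Prints "program:port,port" for TCP listeners not on loopback.
exposed_listeners() {
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
    n = split($4, a, ":"); port = a[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr ~ /^127\./ || addr == "::1") next
    split($7, p, "/"); prog = p[2]
    if (prog in ports) ports[prog] = ports[prog] "," port; else ports[prog] = port
  }
  END { for (prog in ports) print prog ":" ports[prog] }' | sort
}

# The allowlist here is a hypothetical local policy, not a Fedora default.
echo "enabled but not allowlisted: $(sample_chkconfig | unexpected_enabled 3 'sendmail sshd')"
sample_netstat | exposed_listeners
```

On a live host, pipe the real `chkconfig --list` and `netstat -tlnp` output into the two functions in place of the sample data.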