From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040504

Description of problem:
By default, server daemons in Fedora Core tend to not start up unless chkconfig or the equivalent has been used to change that. (Look at dhcpd, named, mysqld, httpd, innd, so on and so forth.) Even those that do start up are configured to listen only to local connections by default (look at sendmail for instance).

However, cyrus-imapd, as currently packaged, does not comply with this. Instead it starts up by default. This is especially odd since another IMAP server, dovecot, is also packaged in Fedora Core 2 but does not show this behavior (it is not enabled by default).

IMO it would be more consistent and more secure for cyrus-imapd to be configured like other packages. (Yes, the firewall mitigates this in the typical case, but defense in depth is good IMO.)

Version-Release number of selected component (if applicable):
cyrus-imapd-2.2.3-8

How reproducible:
Always

Steps to Reproduce:
1. Perform an "Everything" install.
2. Reboot into the installed system and (if needed for step 3) become root.
3. Use "ntsysv" or other methods to see which daemons are activated by default and which ones are not.
4. While you're at it, try temporarily disabling the firewall and nmap this host from a different host.

Actual Results:
As described above, cyrus-imapd is active by default. Also, look at this list of ports from nmap:

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-06 04:50 PDT
Interesting ports on 192.168.0.63:
(The 1651 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
993/tcp   open  imaps
995/tcp   open  pop3s
2000/tcp  open  callbook
32770/tcp open  sometimes-rpc3

Ports 110, 143, 993, 995 and 2000 are *all* being used by cyrus-imapd. That's over *half* of the open ports on the machine!

Expected Results:
I expected ports 110, 143, 993, 995 and 2000 to be closed or at least only listening locally, and I expected cyrus-imapd to not be active by default.

Additional info:
In Fedora Core 1, an Everything install offers pretty reasonable security out-of-the-box, even in situations where the firewall has to be disabled for one reason or another. I would *hate* anything that threatens to bring us back to the days where an Everything install is a security disaster waiting to happen.

I *really* want to see this fixed before Fedora Core 2 release!
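
The check in step 3 of the report can be scripted as below. This is an added example, not part of the original report or of any Fedora package: it reads `chkconfig --list` output and prints every service that is on in runlevel 3 or 5 but missing from an expected list. The function names, the allowlist and the sample input are assumptions made for illustration; the sample is constructed, not captured from a Fedora Core 2 install.

```shell
#!/bin/sh
# Audit which SysV services are enabled by default, from `chkconfig --list`.

# Constructed sample in the `chkconfig --list` column layout.
sample_chkconfig() {
cat <<'EOF'
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
cyrus-imapd     0:off   1:off   2:on    3:on    4:on    5:on    6:off
dovecot         0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
named           0:off   1:off   2:off   3:off   4:off   5:off   6:off
EOF
}

# unexpected_services "<space-separated allowed names>" < chkconfig-output
# Prints, one per line, each service that is on in runlevel 3 or 5 and is
# not in the allowed list. Lines without the seven runlevel columns (for
# example the xinetd section) are skipped.
unexpected_services() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        NF >= 8 {
            on = 0
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") on = 1
            if (on && !($1 in ok)) print $1
        }'
}

# Hypothetical allowlist: daemons this site expects to start by default.
ALLOWED="sshd sendmail"

sample_chkconfig | unexpected_services "$ALLOWED"
```

On an installed system, replace `sample_chkconfig` with `chkconfig --list` run as root; the match on `3:on` and `5:on` assumes the command's English output.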