Signed-off-by: Willy Santos <wsantos(a)redhat.com>
---
rhel6/src/input/services/imap.xml | 172
++++++++++++++++++++++++++++++++++++-
1 files changed, 170 insertions(+), 2 deletions(-)
diff --git a/rhel6/src/input/services/imap.xml
b/rhel6/src/input/services/imap.xml
index 93dedce..cb6c644 100644
--- a/rhel6/src/input/services/imap.xml
+++ b/rhel6/src/input/services/imap.xml
@@ -40,6 +40,174 @@ removing it provides a safeguard against its activation.
<oval id="package_dovecot_removed" />
</Rule>
-</Group>
-</Group>
+</Group> <!-- <Group id="disabling_dovecot"> -->
+
+<Group id="configure_dovecot">
+<title>Configure Dovecot if Necessary</title>
+<description>If the system will operate as an IMAP or
+POP3 server, the dovecot software should be configured securely by
following
+the recommendations below.
+</description>
+
+<Rule id="dovecot_support_necessary_protocols">
+<title>Support Only the Necessary Protocols</title>
+<description>Dovecot supports the IMAP and POP3 protocols, as well as
+SSL-protected versions of those protocols. Configure the Dovecot server
+to support only the protocols needed by your site. Edit
<tt>/etc/dovecot.conf</tt>. +Add or correct the following lines,
replacing <tt>PROTOCOL</tt> with +only the subset of protocols
(<tt>imap</tt>, <tt>imaps</tt>, +<tt>pop3</tt>, <tt>pop3s</tt>) required:
+<pre>protocols = PROTOCOL</pre>
+If possible, require SSL protection for all transactions. The SSL
+protocol variants listen on alternate ports (995 instead of 110 for
+pop3s, and 993 instead of 143 for imaps), and require SSL-aware
clients. +An alternate approach is to listen on the standard port and
require the +client to use the STARTTLS command before authenticating.
+</description>
+
+<rationale>
+Configuring Dovecot to only support the protocols the protocols needed by
+your site reduces the risk of an attacker using one of the unused protocols
+to base an attack.</rationale>
+<ident cce="4384-4" />
+<ident cce="3887-7" />
+<ident cce="4530-2" />
+<ident cce="4547-6" />
+<!-- <oval id="dovecot_support_necessary_protocols" /> -->
+</Rule>
+
+<Group id="dovecot_enable_ssl">
+<title>Enable SSL Support</title>
+<description>SSL should be used to encrypt network traffic between the
+Dovecot server and its clients. Users must authenticate to the Dovecot
+server in order to read their mail, and passwords should never be
+transmitted in clear text. In addition, protecting mail as it is
+downloaded is a privacy measure, and clients may use SSL certificates
+to authenticate the server, preventing another system from
impersonating +the server.
+</description>
+
+<Rule id="dovecot_configure_ssl_cert">
+<title>Configure Dovecot to Use the SSL Certificate</title>
+<description>These options tell Dovecot where to find the TLS
+configuration, allowing clients to make encrypted connections.
+<br /><br />
+Edit <tt>/etc/dovecot.conf</tt> and add or correct the following +lines
(ensuring they reference the appropriate files):
+<pre>ssl_cert_file = /etc/pki/tls/imap/servercert.pem
+ssl_key_file = /etc/pki/tls/imap/serverkey.pem
+ssl_ca_file = /etc/pki/tls/CA/cacert.pem
+</pre>
+</description>
+<rationale>
+SSL certificates are used by the client to authenticate the identity
+of the server, as well as to encrypt credentials and message traffic.
+Not using SSL to encrypt mail server traffic could allow unauthorized
+access to credentials and mail messages since they are sent in plain
+text over the network.
+</rationale>
+<!-- <ident cce="4239-0" /> -->
+<!-- <oval id="dovecot_configure_ssl_cert" /> -->
+</Rule>
+
+<Rule id="dovecot_disable_plaintext_auth">
+<title>Disable Plaintext Authentication</title>
+<description>To prevent Dovecot from attempting plaintext
+authentication of clients, edit <tt>/etc/dovecot.conf</tt> and add
+or correct the following line:
+<pre>disable_plaintext_auth = yes</pre>
+</description>
+<rationale>
+Using plain text authentication to the mail server could allow an
+attacker access to credentials by monitoring network traffic.
+</rationale>
+<ident cce="4552-6" />
+<oval id="dovecot_disable_plaintext_auth" />
+</Rule>
+
+</Group> <!-- <Group id="dovecot_enable_ssl" -->
+
+<Group id="dovecot_enable_code_flaw_protect">
+<title>Enable Dovecot Options to Protect Against Code Flaws</title>
+<description>IMAP and POP3 are remote authenticated protocols, meaning
that +the server must accept remote connections from anyone, but provide
substantial +services only to clients who have successfully
authenticated. To protect +against security problems, Dovecot splits
these functions into separate +server processes. The <tt>imap-login</tt>
and/or <tt>pop3-login</tt> +processes accept connections from
unauthenticated users, and only spawn +<tt>imap</tt> or <tt>pop3</tt>
processes on successful authentication.
+<br /><br />
+However, the <tt>imap-login</tt> and <tt>pop3-login</tt> processes
+themselves may contain vulnerabilities. Since each of these processes
+operates as a daemon, handling multiple sequential client connections
+from different users, bugs in the code could allow unauthenticated
users +to steal credential data. If the
<tt>login_process_per_connection</tt> option +is enabled, then a
separate <tt>imap-login</tt> or <tt>pop3-login</tt> +process is created
for each new connection, protecting against this class +of problems.
This option has an efficiency cost, but is strongly recommended.
+<br /><br />
+If the <tt>mail_drop_priv_before_exec</tt> option is on, the
<tt>imap-login</tt> +or <tt>pop3-login</tt> process will drop privileges
to the userâs ID after +authentication and before executing the
<tt>imap</tt> or <tt>pop3</tt> +process itself. Under some very limited
circumstances, this could protect +against privilege escalation by
authenticated users. However, if the +mail executable option is used to
run code before starting each userâs session, +it is important to drop
privileges to prevent the custom code from running as root.
+</description>
+
+<Rule id="dovecot_login_process_per_conn_yes">
+<title>login_process_per_connection set to yes</title>
+<description>Setting <tt>login_process_per_connection = yes</tt>, prevents
+possible bugs in the code from allowing unauthenticated users to steal
+credential data when handling multiple sequential client connections
+from different users by creating a separate <tt>imap-login</tt> or
+<tt>pop3-login</tt> process for each new connection.
+<br /><br />
+Edit <tt>/etc/dovecot.conf</tt> and add or correct the following line:
+<pre>login_process_per_connection = yes</pre>
+</description>
+<rationale>
+This setting could protect against an attacker trying to exploit a bug in
+the dovecot code.</rationale>
+<ident cce="4410-7" />
+<oval id="dovecot_login_process_per_conn_yes" />
+</Rule>
+
+<Rule id="dovecot_mail_drop_priv_before_exec_yes">
+<title>mail_drop_priv_before_exec set to yes</title>
+<description>Setting <tt>mail_drop_priv_before_exec = yes</tt>, causes
+the <tt>imap-login</tt> or <tt>pop3-login</tt> process will drop
+privileges to the userâs ID after authentication and before executing
+the <tt>imap</tt> or <tt>pop3</tt> process itself.
+<br /><br />
+Edit <tt>/etc/dovecot.conf</tt> and add or correct the following line:
+<pre>mail_drop_priv_before_exec = yes</pre>
+</description>
+<rationale>
+This setting could protect against privilege escalation by authenticated
+users.</rationale>
+<ident cce="4371-1" />
+<oval id="dovecot_mail_drop_priv_before_exec_yes" />
+</Rule>
+
+</Group> <!-- <Group id="dovecot_enable_code_flaw_protect"> -->
+
+<Group id="dovecot_allow_imap_access">
+<title>Allow IMAP Clients to Access the Server</title>
+<description>The default iptables configuration does not allow inbound
+access to any services. This modification will allow remote hosts to
+initiate connections to the IMAP daemon, while keeping all other ports
+on the server in their default protected state. +<br /><br />
+Edit <tt>/etc/sysconfig/iptables</tt>. Add the following line, ensuring
+that it appears before the final <tt>LOG</tt> and <tt>DROP</tt> lines
+for the <tt>RH-Firewall-1-INPUT</tt> chain:
+<pre>-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 143 -j
ACCEPT</pre>
+</description>
+
+</Group> <!-- <Group id="dovecot_allow_imap_access"> -->
+
+</Group> <!-- <Group id="configure_dovecot"> -->
+
+</Group> <!-- <Group id="imap"> -->
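Review bot: the `dovecot_allow_imap_access` group at the end of the hunk only opens TCP 143 (`-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT`), although the `dovecot_support_necessary_protocols` description earlier in the same hunk tells the reader to prefer the SSL variants on 993/995 where possible; either add the corresponding `--dport 993` / `--dport 995` lines or state that the port must match the protocols actually enabled. That group also contains only a description and no `<Rule>`, so it carries no CCE ident and nothing will check it, unlike the other settings in this patch. Text fixes in the same hunk: the rationale of `dovecot_support_necessary_protocols` reads "to only support the protocols the protocols needed by", drop the duplicated words; the `dovecot_mail_drop_priv_before_exec_yes` description reads "causes the imap-login or pop3-login process will drop privileges", which should be "causes ... to drop privileges"; and "userâs" (three occurrences) is a mis-encoded apostrophe, use a plain ASCII `'` so the XML stays valid in any encoding. Minor: the closing comment `<!-- <Group id="dovecot_enable_ssl" -->` is missing the `>` the other closing comments have. Finally, the option names used here (`ssl_cert_file`, `ssl_key_file`, `ssl_ca_file`, `login_process_per_connection`, `mail_drop_priv_before_exec`) and the `/etc/dovecot.conf` path are the Dovecot 1.x spelling; since the file lives under `rhel6/`, please confirm they exist in the Dovecot release RHEL 6 ships before relying on the OVAL checks `dovecot_disable_plaintext_auth`, `dovecot_login_process_per_conn_yes` and `dovecot_mail_drop_priv_before_exec_yes` referenced in this hunk (Dovecot 2.0 renamed the ssl_*_file settings to `ssl_cert`/`ssl_key`/`ssl_ca` and moved the main config to `/etc/dovecot/dovecot.conf`).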
-- 1.7.7.6