Rules Related To 'dovecot'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Configure Dovecot to Use the SSL Certificate file

dovecot_configure_ssl_cert

Description

This option tells Dovecot where to find the mail server's SSL Certificate.

Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line (note: the path below is the default path set by the Dovecot installation. If you are using a different path, ensure you reference the appropriate file):

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
"

Rationale

SSL certificates are used by the client to authenticate the identity of the server, as well as to encrypt credentials and message traffic. Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network.

Configure Dovecot to Use the SSL Key file

dovecot_configure_ssl_key

Description

This option tells Dovecot where to find the mail server's SSL Key.

Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line (note: the path below is the default path set by the Dovecot installation. If you are using a different path, ensure you reference the appropriate file):

ssl_key = </etc/pki/dovecot/private/dovecot.pem

Rationale

SSL certificates are used by the client to authenticate the identity of the server, as well as to encrypt credentials and message traffic. Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network.

Disable Plaintext Authentication

dovecot_disable_plaintext_auth

Description

To prevent Dovecot from attempting plaintext authentication of clients, edit /etc/dovecot/conf.d/10-auth.conf and add\or correct the following line:

disable_plaintext_auth = yes

Rationale

Using plain text authentication to the mail server could allow an attacker access to credentials by monitoring network traffic.

Enable the SSL flag in /etc/dovecot.conf

dovecot_enable_ssl

Description

To allow clients to make encrypted connections the ssl flag in Dovecot's configuration file needs to be set to yes.

Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line:

ssl = yes

Rationale

SSL encrypt network traffic between the Dovecot server and its clients protecting user credentials, mail as it is downloaded, and clients may use SSL certificates to authenticate the server, preventing another system from impersonating the server.

Uninstall dovecot Package

package_dovecot_removed

Description

The dovecot-core package can be removed with the following command:

$ apt-get remove dovecot-core

Rationale

If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation.

Disable Dovecot Service

service_dovecot_disabled

Description

The dovecot service can be disabled with the following command:

$ sudo systemctl mask --now dovecot.service

Rationale

Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed.