Skip to content

2.1.8 Ensure message access server services are not in use

Audit#

Run the following command to verify dovecot-imapd and dovecot-pop3d are not installed: 

# dpkg-query -s dovecot-imapd &>/dev/null && echo "dovecot-imapd is installed"
Nothing should be returned.

# dpkg-query -s dovecot-pop3d &>/dev/null && echo "dovecot-pop3d is installed"
Nothing should be returned.

- OR -
- IF - the package is installed and is required for dependencies:
Run the following commands to verify dovecot.socket and dovecot.service are not enabled:

# systemctl is-enabled dovecot.socket dovecot.service 2>/dev/null | grep 'enabled'
Nothing should be returned.

Run the following commands to verify dovecot.socket and dovecot.service are not active: 

# systemctl is-active dovecot.socket dovecot.service 2>/dev/null | grep '^active'
Nothing should be returned.

Note: If the package is required for a dependency

  • Ensure the dependent package is approved by local site policy
  • Ensure stopping and masking the service and/or socket meets local site policy

Remediation#

Run one of the following commands to remove dovecot-imapd and dovecot-pop3d:
Run the following commands to stop dovecot.socket and dovecot.service, and remove the dovecot-imapd and dovecot-pop3d packages:

# systemctl stop dovecot.socket dovecot.service
# apt purge dovecot-imapd dovecot-pop3d

- OR -
- IF - a package is installed and is required for dependencies:
Run the following commands to stop and mask dovecot.socket and dovecot.service:

# systemctl stop dovecot.socket dovecot.service
# systemctl mask dovecot.socket dovecot.service