Articles in this section

See more

How to prevent plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server?

Avatar
Aleksandar Stoev
Updated
kb: how-to Plesk for Linux ABT: Group B

Applicable to:

  • Plesk for Linux

Question

How to prevent cleartext / plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server?

Answer

Note: If you don't have root access to the Plesk server via SSH, contact your service provider regarding this issue.

Click on a section to expand

Plesk with Dovecot + Postfix

  1. Connect to the server via SSH

  2. Enable PCI compliance to Dovecot service:

    # plesk sbin pci_compliance_resolver --enable dovecot

  3. Enable PCI compliance to Postfix service:

    # plesk sbin pci_compliance_resolver --enable postfix

  4. Edit the file /etc/postfix/main.cf adding the following line:

    CONFIG_TEXT: smtpd_tls_auth_only=yes

  5.  Open the smtpd.conf file in a text editor (in this example, we are using the vi editor) and remove "PLAIN" and "LOGIN" from mech_list:

    • on CentOS/RHEL-based distributions

      # cat /usr/lib64/sasl2/smtpd.conf

      pwcheck_method: auxprop saslauthd
      auxprop_plugin: plesk
      saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
      mech_list: DIGEST-MD5 CRAM-MD5
      sql_engine: intentionally disabled
      log_level: 4

    • on Debian/Ubuntu-based distributions

      # cat /etc/postfix/sasl/smtpd.conf

      pwcheck_method: auxprop saslauthd
      auxprop_plugin: plesk
      saslauthd_path: /private/plesk_saslauthd
      mech_list: DIGEST-MD5 CRAM-MD5
      sql_engine: intentionally disabled
      log_level: 4

  6. Restart mail services to apply the changes:

    # service saslauthd restart && service postfix restart && service dovecot restart

  7. Enable the RoundCube webmail to use the CRAM-MD5 auth method by adding the following lines to /usr/share/psa-roundcube/config/config.inc.php:

    CONFIG_TEXT: $config['smtp_auth_type'] = 'CRAM-MD5';
    $config['imap_auth_type'] = 'CRAM-MD5';

 

Note: If Qmail is used, it is recommended to switch to Postfix. Forcing secure connection over SMTP in Qmail requires patching which is not supplied by Plesk.

Comments

2 comments

Sort by Date Votes
  • Avatar
    Voelu28

    Doesnt work on Ubuntu 20.04.6 LTS with Plesk Obsidian 18.0.62 Update 2:

    # sudo service saslauthd restart && service postfix restart && service dovecot restart
    # Failed to restart saslauthd.service: Unit saslauthd.service not found.

    After i followed your tutorial no mails could be send anymore. TLS/SSL is always activated in mail client.

    I need to redo the changes.

    0
  • Avatar
    Steve Yates

    On RHEL-based, smtpd.conf is in /etc/sasl2/smtpd.conf not /usr/lib64/sasl2/smtpd.conf.

    0

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles