Articles in this section

See more

How to prevent plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server?

Avatar
Marc Vidal
Updated
Follow

Applicable to:

  • Plesk for Linux

Question

How to prevent cleartext / plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server?

Answer

Note: If you don't have root access to the Plesk server via SSH, contact your service provider regarding this issue.

Click on a section to expand

Plesk with Dovecot + Postfix

  1. Connect to the server via SSH

  2. Enable PCI compliance to Dovecot service:

    # plesk sbin pci_compliance_resolver --enable dovecot

  3. Enable PCI compliance to Postfix service:

    # plesk sbin pci_compliance_resolver --enable postfix

  4. Edit the file /etc/postfix/main.cf adding the following line:

    CONFIG_TEXT: smtpd_tls_auth_only=yes

  5.  Open the smtpd.conf file in a text editor (in this example, we are using the vi editor) and remove "PLAIN" and "LOGIN" from mech_list:

    • on CentOS/RHEL-based distributions

      # cat /usr/lib64/sasl2/smtpd.conf

      pwcheck_method: auxprop saslauthd
      auxprop_plugin: plesk
      saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
      mech_list: DIGEST-MD5 CRAM-MD5
      sql_engine: intentionally disabled
      log_level: 4

    • on Debian/Ubuntu-based distributions

      # cat /etc/postfix/sasl/smtpd.conf

      pwcheck_method: auxprop saslauthd
      auxprop_plugin: plesk
      saslauthd_path: /private/plesk_saslauthd
      mech_list: DIGEST-MD5 CRAM-MD5
      sql_engine: intentionally disabled
      log_level: 4

  6. Restart mail services to apply the changes:

    # service saslauthd restart && service postfix restart && service dovecot restart

 

Note: If Qmail is used, it is recommended to switch to Postfix. Forcing secure connection over SMTP in Qmail requires patching which is not supplied by Plesk.

Comments

3 comments

Sort by Date Votes
  • Avatar
    Maximilian Hermann

    I think it is a good way to do this, but you have to change Roundcube Settings as well otherwise SMTP won't work anymore, because roundcube seems to be using plain by default: https://support.plesk.com/hc/en-us/articles/115003975753-Failed-authentication-via-Roundcube-AUTHENTICATE-DIGEST-MD5

    0
    Comment actions Permalink
  • Avatar
    b_p (Edited )

    What is the impact changing the smtpd.conf file exactly?

    smtpd_tls_auth_only=yes postfix should already prevent postfix from offering plain authentication unless when using TLS?

    And for Dovecot, how about adding "ssl = required"?

    0
    Comment actions Permalink
  • Avatar
    Taras Ermoshin

    Hello @b_p!

    >What is the impact changing the smtpd.conf file exactly?
    >smtpd_tls_auth_only=yes postfix should already prevent postfix from offering plain authentication unless when using TLS?
    The option "smtpd_tls_auth_only=yes" disables SASL authentication only for unencrypted connections, plaintext authentication still remains enabled for encrypted (SSL/TLS) connections, and some PCI compliance checkers see this as a vulnerability.
    So, editing smtpd.conf as described in this article disables plaintext authentication methods in Postfix once and for all even for encrypted connections.

    >And for Dovecot, how about adding "ssl = required"?
    Executing "plesk sbin pci_compliance_resolver --enable dovecot" sets the option "disable_plaintext_auth = yes" in the Dovecot configuration - it disables plaintext authentication for unencrypted connections.
    For additional questions and suggestions, please consider submitting a support ticket.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles