Starting on October 19, 2021, we will enable single-sign-on for our Plesk Support Center to provide a seamless login/account experience. This implies that you’ll be able to use a single account across any of our web-facing properties.
To be prepared for this change and to avoid the need to register during your next ticket submission after the change, we encourage you to create an account here before October 19 using the same email address as your current Zendesk login (support account). It’s essential that you use the same email address on our support center to ensure that your tickets stay attached to the same account. You will continue to use ZenDesk authentication until we switch over to single-sign-on on October 19th.

Articles in this section

See more

How to prevent plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server?

Avatar
Stefan Yakubov
Updated
Follow
Plesk for Linux kb: how-to ABT: Group B

Applicable to:

  • Plesk for Linux

Question

How to prevent cleartext / plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server?

Answer

Note: If you don't have root access to the Plesk server via SSH, contact your service provider regarding this issue.

Click on a section to expand

Plesk with Dovecot + Postfix

  1. Connect to the server via SSH

  2. Enable PCI compliance to Dovecot service:

    # plesk sbin pci_compliance_resolver --enable dovecot

  3. Enable PCI compliance to Postfix service:

    # plesk sbin pci_compliance_resolver --enable postfix

  4. Edit the file /etc/postfix/main.cf adding the following line:

    CONFIG_TEXT: smtpd_tls_auth_only=yes

  5.  Open the smtpd.conf file in a text editor (in this example, we are using the vi editor) and remove "PLAIN" and "LOGIN" from mech_list:

    • on CentOS/RHEL-based distributions

      # cat /usr/lib64/sasl2/smtpd.conf

      pwcheck_method: auxprop saslauthd
      auxprop_plugin: plesk
      saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
      mech_list: DIGEST-MD5 CRAM-MD5
      sql_engine: intentionally disabled
      log_level: 4

    • on Debian/Ubuntu-based distributions

      # cat /etc/postfix/sasl/smtpd.conf

      pwcheck_method: auxprop saslauthd
      auxprop_plugin: plesk
      saslauthd_path: /private/plesk_saslauthd
      mech_list: DIGEST-MD5 CRAM-MD5
      sql_engine: intentionally disabled
      log_level: 4

  6. Restart mail services to apply the changes:

    # service saslauthd restart && service postfix restart && service dovecot restart

 

Note: If Qmail is used, it is recommended to switch to Postfix. Forcing secure connection over SMTP in Qmail requires patching which is not supplied by Plesk.

Comments

3 comments

Sort by Date Votes
  • Avatar
    Maximilian Hermann

    I think it is a good way to do this, but you have to change Roundcube Settings as well otherwise SMTP won't work anymore, because roundcube seems to be using plain by default: https://support.plesk.com/hc/en-us/articles/115003975753-Failed-authentication-via-Roundcube-AUTHENTICATE-DIGEST-MD5

    0
    Comment actions Permalink
  • Avatar
    b_p (Edited )

    What is the impact changing the smtpd.conf file exactly?

    smtpd_tls_auth_only=yes postfix should already prevent postfix from offering plain authentication unless when using TLS?

    And for Dovecot, how about adding "ssl = required"?

    0
    Comment actions Permalink
  • Avatar
    Taras Ermoshin

    Hello @b_p!

    >What is the impact changing the smtpd.conf file exactly?
    >smtpd_tls_auth_only=yes postfix should already prevent postfix from offering plain authentication unless when using TLS?
    The option "smtpd_tls_auth_only=yes" disables SASL authentication only for unencrypted connections, plaintext authentication still remains enabled for encrypted (SSL/TLS) connections, and some PCI compliance checkers see this as a vulnerability.
    So, editing smtpd.conf as described in this article disables plaintext authentication methods in Postfix once and for all even for encrypted connections.

    >And for Dovecot, how about adding "ssl = required"?
    Executing "plesk sbin pci_compliance_resolver --enable dovecot" sets the option "disable_plaintext_auth = yes" in the Dovecot configuration - it disables plaintext authentication for unencrypted connections.
    For additional questions and suggestions, please consider submitting a support ticket.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles