Applicable to:
- Plesk for Linux
Question
How to prevent cleartext (plaintext) authentication over IMAP/POP3 (Dovecot) and SMTP (Postfix) on a Plesk server?
Answer
Note: If you don't have root access to the Plesk server via SSH, contact your service provider regarding this issue.
Plesk with Dovecot + Postfix
- Connect to the server via SSH.
- Enable PCI compliance for the Dovecot service (this sets disable_plaintext_auth = yes, so IMAP/POP3 logins are refused until the connection is encrypted):
  # plesk sbin pci_compliance_resolver --enable dovecot
- Enable PCI compliance for the Postfix service:
  # plesk sbin pci_compliance_resolver --enable postfix
- Edit the file /etc/postfix/main.cf and add the following line, so that Postfix does not offer AUTH at all before STARTTLS:
  smtpd_tls_auth_only=yes
- Open the smtpd.conf file in a text editor (in this example, the vi editor) and remove "PLAIN" and "LOGIN" from mech_list. The previous step only hides AUTH on unencrypted connections; this step stops PLAIN and LOGIN from being offered even inside TLS, which some PCI compliance scanners require. After the edit the file should look like this:
  On CentOS/RHEL-based distributions:
  # cat /usr/lib64/sasl2/smtpd.conf
  pwcheck_method: auxprop saslauthd
  auxprop_plugin: plesk
  saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
  mech_list: DIGEST-MD5 CRAM-MD5
  sql_engine: intentionally disabled
  log_level: 4
  On Debian/Ubuntu-based distributions:
  # cat /etc/postfix/sasl/smtpd.conf
  pwcheck_method: auxprop saslauthd
  auxprop_plugin: plesk
  saslauthd_path: /private/plesk_saslauthd
  mech_list: DIGEST-MD5 CRAM-MD5
  sql_engine: intentionally disabled
  log_level: 4
- Restart mail services to apply the changes:
  # service saslauthd restart && service postfix restart && service dovecot restart
Note: The remaining mechanisms (DIGEST-MD5 and CRAM-MD5) are challenge-response mechanisms that require the server to have access to the account password in a recoverable form (the Plesk auxprop plugin provides this), and not every mail client supports them. Test the mail clients and webmail in use (Roundcube, for example, must be reconfigured) before rolling this change out to users.
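The procedure above is only as good as its verification. The following script is an added example, not Plesk's own tooling or code from this article: it parses the EHLO responses that Postfix returns before and after STARTTLS and reports whether PLAIN or LOGIN is still advertised, rewrites a Cyrus SASL smtpd.conf so that PLAIN and LOGIN are dropped from mech_list, and includes a live check against a real host using the standard library's smtplib. The EHLO responses and the smtpd.conf text embedded in the script are constructed samples, the client name pci-check.invalid is a placeholder, and the expectation that a hardened host offers no AUTH before STARTTLS and no PLAIN/LOGIN after it follows from the two configuration steps above.

```python
"""Added example: verify which SASL mechanisms Postfix advertises and rewrite
smtpd.conf's mech_list.  Not Plesk's own tooling; written for this article.
The EHLO responses and smtpd.conf below are constructed samples."""
import re
import smtplib
import ssl

# Mechanisms that transmit the password itself (PLAIN/LOGIN only base64-wrap it).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo_auth(ehlo_response):
    """Return the set of SASL mechanisms found in a raw multi-line EHLO response.

    Postfix emits '250-AUTH PLAIN LOGIN' and, with broken_sasl_auth_clients=yes,
    an additional '250-AUTH=PLAIN LOGIN' line; both spellings are recognised.
    """
    mechs = set()
    for line in ehlo_response.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.+)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs


def offers_plaintext_auth(ehlo_response):
    """True if PLAIN or LOGIN is advertised in this EHLO response."""
    return bool(parse_ehlo_auth(ehlo_response) & PLAINTEXT_MECHS)


def strip_plaintext_mechs(smtpd_conf):
    """Return smtpd.conf text with PLAIN and LOGIN removed from mech_list.

    Every other line passes through untouched, so the rewrite is idempotent.
    """
    out = []
    for line in smtpd_conf.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "mech_list":
            kept = [m for m in value.split() if m.upper() not in PLAINTEXT_MECHS]
            line = "%s: %s" % (key.strip(), " ".join(kept))
        out.append(line)
    return "\n".join(out) + "\n"


def audit_smtp(host, port=25, timeout=10, tls_context=None):
    """Live check against a real server: mechanisms before and after STARTTLS.

    On a correctly hardened host expect an empty set before STARTTLS
    (smtpd_tls_auth_only) and no PLAIN/LOGIN after it (mech_list edit).
    Pass a context with check_hostname=False for a self-signed certificate.
    """
    ctx = tls_context or ssl.create_default_context()
    report = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("pci-check.invalid")  # placeholder client name
        report["before_starttls"] = set(smtp.esmtp_features.get("auth", "").upper().split())
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo("pci-check.invalid")  # features are reset after STARTTLS
            report["after_starttls"] = set(smtp.esmtp_features.get("auth", "").upper().split())
    return report


# Constructed sample EHLO responses (not captured from a real host).
EHLO_NO_TLS = "250-mail.example.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_TLS_DEFAULT = ("250-mail.example.com\r\n250-PIPELINING\r\n"
                    "250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5\r\n"
                    "250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5\r\n250 8BITMIME")
EHLO_TLS_FIXED = ("250-mail.example.com\r\n250-PIPELINING\r\n"
                  "250-AUTH DIGEST-MD5 CRAM-MD5\r\n250 8BITMIME")

# Constructed sample of the CentOS/RHEL smtpd.conf before the edit.
SMTPD_CONF_BEFORE = """pwcheck_method: auxprop saslauthd
auxprop_plugin: plesk
saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5
sql_engine: intentionally disabled
log_level: 4
"""

if __name__ == "__main__":
    print(strip_plaintext_mechs(SMTPD_CONF_BEFORE))
    for label, resp in (("before STARTTLS", EHLO_NO_TLS),
                        ("inside TLS, default", EHLO_TLS_DEFAULT),
                        ("inside TLS, fixed", EHLO_TLS_FIXED)):
        print(label, sorted(parse_ehlo_auth(resp)),
              "plaintext offered:", offers_plaintext_auth(resp))
```

Run `audit_smtp("mail.example.com")` from a host that can reach port 25 (or 587 for the submission service) to check a real server; the before/after split matters because a scanner that only looks at the pre-STARTTLS banner will pass a server that still offers PLAIN and LOGIN once TLS is up.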
Note: If Qmail is used, it is recommended to switch to Postfix. Forcing secure connection over SMTP in Qmail requires patching which is not supplied by Plesk.
Comments
3 comments
I think it is a good way to do this, but you have to change the Roundcube settings as well; otherwise SMTP won't work anymore, because Roundcube seems to use PLAIN by default: https://support.plesk.com/hc/en-us/articles/115003975753-Failed-authentication-via-Roundcube-AUTHENTICATE-DIGEST-MD5
What is the impact of changing the smtpd.conf file exactly?
Shouldn't smtpd_tls_auth_only=yes already prevent Postfix from offering plain authentication unless TLS is used?
And for Dovecot, how about adding "ssl = required"?
Hello @b_p!
>What is the impact of changing the smtpd.conf file exactly?
>Shouldn't smtpd_tls_auth_only=yes already prevent Postfix from offering plain authentication unless TLS is used?
The option "smtpd_tls_auth_only=yes" disables SASL authentication only for unencrypted connections; plaintext authentication still remains enabled for encrypted (SSL/TLS) connections, and some PCI compliance checkers see this as a vulnerability.
So editing smtpd.conf as described in this article disables the plaintext authentication methods in Postfix once and for all, even for encrypted connections.
>And for Dovecot, how about adding "ssl = required"?
Executing "plesk sbin pci_compliance_resolver --enable dovecot" sets the option "disable_plaintext_auth = yes" in the Dovecot configuration - it disables plaintext authentication for unencrypted connections.
For additional questions and suggestions, please consider submitting a support ticket.