How to prevent plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server?

Comments

  • Maximilian Hermann

    I think it is a good way to do this, but you have to change the Roundcube settings as well, otherwise SMTP won't work anymore, because Roundcube seems to be using PLAIN by default: https://support.plesk.com/hc/en-us/articles/115003975753-Failed-authentication-via-Roundcube-AUTHENTICATE-DIGEST-MD5

  • b_p

    What is the impact changing the smtpd.conf file exactly?

    smtpd_tls_auth_only=yes should already prevent Postfix from offering plain authentication except when using TLS?

    And for Dovecot, how about adding "ssl = required"?

  • Taras Ermoshin

    Hello @b_p!

    >What is the impact changing the smtpd.conf file exactly?
    >smtpd_tls_auth_only=yes postfix should already prevent postfix from offering plain authentication unless when using TLS?
    The option "smtpd_tls_auth_only=yes" disables SASL authentication only for unencrypted connections, plaintext authentication still remains enabled for encrypted (SSL/TLS) connections, and some PCI compliance checkers see this as a vulnerability.
    So, editing smtpd.conf as described in this article disables plaintext authentication methods in Postfix once and for all even for encrypted connections.

    >And for Dovecot, how about adding "ssl = required"?
    Executing "plesk sbin pci_compliance_resolver --enable dovecot" sets the option "disable_plaintext_auth = yes" in the Dovecot configuration - it disables plaintext authentication for unencrypted connections.
    For additional questions and suggestions, please consider submitting a support ticket.

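The two points made in the thread above, that smtpd_tls_auth_only only hides AUTH before STARTTLS and that Dovecot's disable_plaintext_auth only refuses PLAIN/LOGIN on unencrypted connections, can be verified from two angles: what the server actually advertises after the connection is encrypted, and what the configuration says. The script below is an added example written for this page; it is not code from the Plesk article, from the pci_compliance_resolver tool, or from the commenters. The EHLO/CAPABILITY/CAPA transcripts and the config fragments it checks are constructed for the example (mail.example.com is a placeholder), and the "hardened" fragments show one way to restrict the mechanism lists, not the exact edits the article makes.

```python
"""Audit a mail server for plaintext SASL mechanisms (PLAIN / LOGIN).

Added example for this page, not code from the Plesk article or the commenters.
  1. plaintext_mechs_offered(): parse what the server *advertises* (SMTP EHLO
     reply captured after STARTTLS, IMAP CAPABILITY line, POP3 CAPA reply).
  2. audit_config(): read Postfix main.cf, Cyrus SASL smtpd.conf and Dovecot
     fragments ("key = value" / "key: value") and flag settings that keep
     PLAIN/LOGIN available.
All transcripts and config fragments below are constructed; mail.example.com
is a placeholder, not a real host.
"""
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_auth_mechs(transcript):
    """Return the set of SASL mechanism names advertised in a protocol transcript."""
    mechs = set()
    for raw in transcript.splitlines():
        line = raw.strip()
        # SMTP (RFC 4954): "250-AUTH PLAIN LOGIN CRAM-MD5"; some servers also
        # emit the legacy "250-AUTH=PLAIN LOGIN" form for old clients.
        m = re.match(r"250[- ]AUTH[ =]\s*(.*)", line, re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
        # IMAP (RFC 3501): "* CAPABILITY ... AUTH=PLAIN AUTH=LOGIN ..."
        elif line.upper().startswith("* CAPABILITY"):
            mechs.update(tok.split("=", 1)[1].upper()
                         for tok in line.split() if tok.upper().startswith("AUTH="))
        # POP3 (RFC 2449): the CAPA reply lists mechanisms on a "SASL ..." line
        elif line.upper().startswith("SASL "):
            mechs.update(tok.upper() for tok in line.split()[1:])
    return mechs


def plaintext_mechs_offered(transcript):
    """Plaintext mechanisms the server offers, sorted; an empty list means none."""
    return sorted(parse_auth_mechs(transcript) & PLAINTEXT_MECHS)


def parse_kv(text):
    """Parse 'key = value' (Postfix, Dovecot) or 'key: value' (Cyrus SASL) lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"([A-Za-z_][\w.-]*)\s*[:=]\s*(.*)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit_config(postfix_main_cf, sasl_smtpd_conf, dovecot_conf):
    """Return (component, finding) pairs for settings that keep PLAIN/LOGIN available."""
    findings = []
    # Postfix: smtpd_tls_auth_only (default no) only hides AUTH on unencrypted sessions.
    pf = parse_kv(postfix_main_cf)
    if pf.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append(("postfix", "smtpd_tls_auth_only is not 'yes': AUTH offered before STARTTLS"))
    # Cyrus SASL: mech_list decides what Postfix advertises even after STARTTLS;
    # with no mech_list every installed mechanism is offered, PLAIN and LOGIN included.
    sasl = parse_kv(sasl_smtpd_conf)
    mech_list = {m.upper() for m in sasl.get("mech_list", "").split()}
    if not mech_list:
        findings.append(("sasl", "no mech_list: all installed mechanisms (incl. PLAIN, LOGIN) offered"))
    elif mech_list & PLAINTEXT_MECHS:
        findings.append(("sasl", "mech_list still contains " + ", ".join(sorted(mech_list & PLAINTEXT_MECHS))))
    # Dovecot: disable_plaintext_auth (default yes) refuses PLAIN/LOGIN only without TLS;
    # auth_mechanisms (default "plain") decides what is offered over TLS.
    dc = parse_kv(dovecot_conf)
    if dc.get("disable_plaintext_auth", "yes").lower() != "yes":
        findings.append(("dovecot", "disable_plaintext_auth is not 'yes': PLAIN/LOGIN accepted without TLS"))
    dovecot_mechs = {m.upper() for m in dc.get("auth_mechanisms", "plain").split()}
    if dovecot_mechs & PLAINTEXT_MECHS:
        findings.append(("dovecot", "auth_mechanisms still contains " + ", ".join(sorted(dovecot_mechs & PLAINTEXT_MECHS))))
    return findings


# --- constructed samples (not captured from a real server) ---
EHLO_AFTER_STARTTLS_WEAK = """250-mail.example.com
250-PIPELINING
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250 8BITMIME"""
EHLO_AFTER_STARTTLS_HARDENED = """250-mail.example.com
250-AUTH CRAM-MD5 DIGEST-MD5
250 8BITMIME"""
IMAP_CAPABILITY_WEAK = "* CAPABILITY IMAP4rev1 SASL-IR IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN"
POP3_CAPA_WEAK = "+OK\nCAPA\nSASL PLAIN LOGIN\nSTLS\n."

POSTFIX_WEAK = "smtpd_sasl_auth_enable = yes\nsmtpd_tls_auth_only = no\n"
POSTFIX_HARDENED = "smtpd_sasl_auth_enable = yes\nsmtpd_tls_auth_only = yes\n"
SASL_WEAK = "pwcheck_method: auxprop\nmech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5\n"
SASL_HARDENED = "pwcheck_method: auxprop\nmech_list: CRAM-MD5 DIGEST-MD5\n"
DOVECOT_WEAK = "disable_plaintext_auth = no\nauth_mechanisms = plain login\n"
DOVECOT_HARDENED = "disable_plaintext_auth = yes\nauth_mechanisms = cram-md5 digest-md5\n"

if __name__ == "__main__":
    print("weak EHLO offers:", plaintext_mechs_offered(EHLO_AFTER_STARTTLS_WEAK))
    print("hardened EHLO offers:", plaintext_mechs_offered(EHLO_AFTER_STARTTLS_HARDENED))
    for component, finding in audit_config(POSTFIX_WEAK, SASL_WEAK, DOVECOT_WEAK):
        print(f"[{component}] {finding}")
```

On a live server the transcript for the first check is what you see after `openssl s_client -starttls smtp -connect mail.example.com:587` followed by `EHLO test` (or `-starttls imap` / `-starttls pop3` and `a CAPABILITY` / `CAPA`); a PLAIN or LOGIN entry in that post-STARTTLS reply is exactly what the compliance scanners mentioned in the thread report. Two caveats before removing those mechanisms: CRAM-MD5 and DIGEST-MD5 require the server to hold passwords in a scheme from which the challenge response can be computed (plaintext or a mechanism-specific hash), and clients that are hard-wired to PLAIN or LOGIN, such as the Roundcube setup mentioned in the first comment, stop authenticating until they are reconfigured.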
