How to prevent plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server?

Comments

  • Maximilian Hermann

    I think it is a good way to do this, but you have to change the Roundcube settings as well, otherwise SMTP won't work anymore, because Roundcube seems to be using plain by default: https://support.plesk.com/hc/en-us/articles/115003975753-Failed-authentication-via-Roundcube-AUTHENTICATE-DIGEST-MD5

    1
  • BP (Edited)

    What is the impact of changing the smtpd.conf file exactly?

    smtpd_tls_auth_only=yes in Postfix should already prevent Postfix from offering plain authentication except when using TLS?

    And for Dovecot, how about adding "ssl = required"?

    0
  • Taras Ermoshin

    Hello @b_p!

    >What is the impact of changing the smtpd.conf file exactly?
    >smtpd_tls_auth_only=yes in Postfix should already prevent Postfix from offering plain authentication except when using TLS?
    The option "smtpd_tls_auth_only=yes" disables SASL authentication only for unencrypted connections; plaintext authentication still remains enabled for encrypted (SSL/TLS) connections, and some PCI compliance checkers see this as a vulnerability.
    So, editing smtpd.conf as described in this article disables plaintext authentication methods in Postfix once and for all, even for encrypted connections.

    >And for Dovecot, how about adding "ssl = required"?
    Executing "plesk sbin pci_compliance_resolver --enable dovecot" sets the option "disable_plaintext_auth = yes" in the Dovecot configuration - it disables plaintext authentication for unencrypted connections.
    For additional questions and suggestions, please consider submitting a support ticket.

    1
  • Wolfgang Reidlinger (Edited)

    Please check out https://talk.plesk.com/threads/disable-plaintext-plain-authentication-in-imap-dovecot-and-smtp-postfix-breaking-webmail-roundcube.364694/#post-908083

    The above configuration only works for webmail clients. If you want to make it work also for webmail (Roundcube), you have to make the following change. If you do not make this change, sending emails from webmail will not work and will show you this error in the webmail frontend: SMTP Error (535): Authentication failed.

    Edit file /usr/share/psa-roundcube/config/config.inc.php and add the following configuration:

    $config['smtp_auth_type'] = 'CRAM-MD5';
    $config['imap_auth_type'] = 'CRAM-MD5';

    @Stefan Yakubov, can you please update this support article?

    1
  • Stefan Yakubov

    Hello, Wolfgang Reidlinger

    Thank you for your input. The article was updated.

    0
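
A way to verify the behaviour discussed in the comments above, added here as an example and not taken from the Plesk article or from any commenter: it compares the AUTH mechanisms a server advertises before and after STARTTLS and reports any plaintext ones (PLAIN, LOGIN) still offered. The sample EHLO replies, the host name in them and the hardened mechanism list are constructed assumptions; `probe()` is a hypothetical helper meant for a server you administer.

```python
import smtplib
import ssl

# PLAIN and LOGIN transmit the password itself (base64 is only an encoding).
PLAINTEXT = {"PLAIN", "LOGIN"}

def auth_mechanisms(ehlo_reply):
    """Return the SASL mechanisms advertised in a raw EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        # "250-AUTH PLAIN LOGIN"; the legacy "250-AUTH=PLAIN LOGIN" form also occurs
        words = line.strip()[4:].replace("=", " ", 1).split()
        if words and words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return mechs

def audit(before_tls, after_tls):
    """Map each connection phase to the plaintext mechanisms it still offers."""
    return {
        "unencrypted": sorted(before_tls & PLAINTEXT),
        "encrypted": sorted(after_tls & PLAINTEXT),
    }

def probe(host, port=587):
    """Collect both mechanism sets from a live server you administer."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = set(smtp.esmtp_features.get("auth", "").upper().split())
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # the feature list is reset by STARTTLS and must be re-read
        after = set(smtp.esmtp_features.get("auth", "").upper().split())
    return audit(before, after)

# Constructed EHLO replies (not captured from a real server).
# smtpd_tls_auth_only=yes alone: no AUTH before TLS, plaintext still offered after.
TLS_AUTH_ONLY_PRE = "250-mail.example.com\n250-STARTTLS\n250 8BITMIME"
TLS_AUTH_ONLY_POST = "250-mail.example.com\n250-AUTH PLAIN LOGIN CRAM-MD5\n250 8BITMIME"
# Assumed result once plaintext mechanisms are removed from the SASL config.
HARDENED_POST = "250-mail.example.com\n250-AUTH CRAM-MD5 DIGEST-MD5\n250 8BITMIME"

if __name__ == "__main__":
    pre = auth_mechanisms(TLS_AUTH_ONLY_PRE)
    print(audit(pre, auth_mechanisms(TLS_AUTH_ONLY_POST)))
    print(audit(pre, auth_mechanisms(HARDENED_POST)))
```

A non-empty "encrypted" list is the condition the PCI checkers mentioned above flag; an empty one also means a webmail client still configured for PLAIN will fail to authenticate.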
