Applicable to:
- Plesk for Linux
Question
How to prevent cleartext (plaintext) authentication via IMAP/POP3 (Dovecot) and SMTP (Postfix) on a Plesk server?
Answer
Note: If you don't have root access to the Plesk server via SSH, contact your service provider regarding this issue.
Plesk with Dovecot + Postfix

- Connect to the server via SSH.

- Enable PCI compliance for the Dovecot service:

  # plesk sbin pci_compliance_resolver --enable dovecot

- Enable PCI compliance for the Postfix service:

  # plesk sbin pci_compliance_resolver --enable postfix

- Edit the file /etc/postfix/main.cf and add the following line:

  smtpd_tls_auth_only=yes

- Open the smtpd.conf file in a text editor (in this example, we are using the vi editor) and remove "PLAIN" and "LOGIN" from mech_list. The resulting file should look as follows:

  on CentOS/RHEL-based distributions:

  # cat /usr/lib64/sasl2/smtpd.conf
  pwcheck_method: auxprop saslauthd
  auxprop_plugin: plesk
  saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
  mech_list: DIGEST-MD5 CRAM-MD5
  sql_engine: intentionally disabled
  log_level: 4

  on Debian/Ubuntu-based distributions:

  # cat /etc/postfix/sasl/smtpd.conf
  pwcheck_method: auxprop saslauthd
  auxprop_plugin: plesk
  saslauthd_path: /private/plesk_saslauthd
  mech_list: DIGEST-MD5 CRAM-MD5
  sql_engine: intentionally disabled
  log_level: 4

- Restart the mail services to apply the changes:

  # service saslauthd restart && service postfix restart && service dovecot restart

- Enable the RoundCube webmail to use the CRAM-MD5 auth method by adding the following lines to /usr/share/psa-roundcube/config/config.inc.php:

  $config['smtp_auth_type'] = 'CRAM-MD5';
  $config['imap_auth_type'] = 'CRAM-MD5';
Note: If Qmail is used, it is recommended to switch to Postfix. Forcing a secure connection over SMTP in Qmail requires patching that is not supplied by Plesk.
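To verify the result after the restart, the following script (added here as an example; it is not part of the Plesk article or product) parses the mechanism lists a client actually sees: the 250-AUTH line of a Postfix EHLO reply, the AUTH= tokens of a Dovecot CAPABILITY line, and the mech_list of smtpd.conf. The replies it checks are constructed samples of the before and after states, with a made-up host name; on a live server capture the real replies with openssl s_client both before and after STARTTLS, because Dovecot withholds plaintext mechanisms only on unencrypted connections while the smtpd.conf change removes them from Postfix on encrypted connections as well.

```python
"""Check whether an SMTP EHLO reply, an IMAP CAPABILITY line or a Cyrus SASL
smtpd.conf still advertise the cleartext mechanisms PLAIN and LOGIN."""
import re


def smtp_auth_mechs(ehlo_reply: str) -> set[str]:
    """Mechanisms from the 250-AUTH line(s) of an EHLO reply (also the legacy AUTH= form)."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs


def imap_auth_mechs(capability_line: str) -> set[str]:
    """AUTH=<mech> tokens of a '* CAPABILITY ...' line. The plain LOGIN command is
    cleartext too, so it counts unless the server advertises LOGINDISABLED (which
    Dovecot does on unencrypted connections when disable_plaintext_auth = yes)."""
    tokens = capability_line.upper().split()
    mechs = {t[len("AUTH="):] for t in tokens if t.startswith("AUTH=")}
    if "LOGINDISABLED" not in tokens:
        mechs.add("LOGIN")
    return mechs


def sasl_mech_list(smtpd_conf: str) -> set[str]:
    """Mechanisms listed on the mech_list: line of a Cyrus SASL smtpd.conf."""
    for line in smtpd_conf.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "mech_list":
            return {tok.upper() for tok in value.split()}
    return set()


def cleartext_offered(mechs: set[str]) -> set[str]:
    """The subset of mechanisms that hand the password to the server in the clear."""
    return mechs & {"PLAIN", "LOGIN"}


# Constructed sample replies (not captured from a real server): before and after the steps above.
EHLO_BEFORE = "250-mail.example.test\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5\r\n250 8BITMIME\r\n"
EHLO_AFTER = "250-mail.example.test\r\n250-STARTTLS\r\n250-AUTH DIGEST-MD5 CRAM-MD5\r\n250 8BITMIME\r\n"
IMAP_BEFORE = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"
IMAP_AFTER = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5"
SMTPD_CONF_AFTER = "pwcheck_method: auxprop saslauthd\nmech_list: DIGEST-MD5 CRAM-MD5\nlog_level: 4\n"

if __name__ == "__main__":
    checks = {"SMTP before": smtp_auth_mechs(EHLO_BEFORE), "SMTP after": smtp_auth_mechs(EHLO_AFTER),
              "IMAP before": imap_auth_mechs(IMAP_BEFORE), "IMAP after": imap_auth_mechs(IMAP_AFTER),
              "smtpd.conf after": sasl_mech_list(SMTPD_CONF_AFTER)}
    for name, mechs in checks.items():
        bad = cleartext_offered(mechs)
        print(f"{name}: {'cleartext offered: ' + ' '.join(sorted(bad)) if bad else 'OK'}")
```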
Comments
5 comments
I think it is a good way to do this, but you have to change the Roundcube settings as well, otherwise SMTP won't work anymore, because Roundcube seems to be using PLAIN by default: https://support.plesk.com/hc/en-us/articles/115003975753-Failed-authentication-via-Roundcube-AUTHENTICATE-DIGEST-MD5
What is the impact of changing the smtpd.conf file exactly?
smtpd_tls_auth_only=yes in Postfix should already prevent Postfix from offering plain authentication unless using TLS?
And for Dovecot, how about adding "ssl = required"?
Hello @b_p!
>What is the impact changing the smtpd.conf file exactly?
>smtpd_tls_auth_only=yes postfix should already prevent postfix from offering plain authentication unless when using TLS?
The option "smtpd_tls_auth_only=yes" disables SASL authentication only for unencrypted connections, plaintext authentication still remains enabled for encrypted (SSL/TLS) connections, and some PCI compliance checkers see this as a vulnerability.
So, editing smtpd.conf as described in this article disables plaintext authentication methods in Postfix once and for all even for encrypted connections.
>And for Dovecot, how about adding "ssl = required"?
Executing "plesk sbin pci_compliance_resolver --enable dovecot" sets the option "disable_plaintext_auth = yes" in the Dovecot configuration - it disables plaintext authentication for unencrypted connections.
For additional questions and suggestions, please consider submitting a support ticket.
Please check out https://talk.plesk.com/threads/disable-plaintext-plain-authentication-in-imap-dovecot-and-smtp-postfix-breaking-webmail-roundcube.364694/#post-908083
The above configuration only works for webmail clients. If you want to make it work also for webmail (Roundcube), you have to make the following change. If you do not make this change, sending emails from webmail will not work and will show you this error in the webmail frontend: "SMTP Error (535): Authentication failed."
Edit file /usr/share/psa-roundcube/config/config.inc.php and add the following configuration:
@Stefan Yakubov can you please update this support article.
Hello, Wolfgang Reidlinger.
Thank you for your input. The article was updated.