
How to prevent plaintext authentication via IMAP/POP3 and SMTP in Postfix on a Plesk server?

Comments

3 comments

  • Maximilian Hermann

    I think it is a good way to do this, but you have to change the Roundcube settings as well; otherwise SMTP won't work anymore, because Roundcube seems to use PLAIN by default: https://support.plesk.com/hc/en-us/articles/115003975753-Failed-authentication-via-Roundcube-AUTHENTICATE-DIGEST-MD5

  • b_p (Edited)

    What is the impact of changing the smtpd.conf file exactly?

    smtpd_tls_auth_only=yes should already prevent Postfix from offering plain authentication unless TLS is in use?

    And for Dovecot, how about adding "ssl = required"?

  • Taras Ermoshin

    Hello @b_p!

    >What is the impact of changing the smtpd.conf file exactly?
    >smtpd_tls_auth_only=yes should already prevent Postfix from offering plain authentication unless TLS is in use?
    The option "smtpd_tls_auth_only=yes" disables SASL authentication only for unencrypted connections; plaintext authentication remains enabled for encrypted (SSL/TLS) connections, and some PCI compliance checkers see this as a vulnerability.
    So editing smtpd.conf as described in this article disables plaintext authentication methods in Postfix once and for all, even for encrypted connections.

    >And for Dovecot, how about adding "ssl = required"?
    Executing "plesk sbin pci_compliance_resolver --enable dovecot" sets the option "disable_plaintext_auth = yes" in the Dovecot configuration; it disables plaintext authentication for unencrypted connections.
    For additional questions and suggestions, please consider submitting a support ticket.

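The distinction drawn in the reply above (TLS-gated plaintext authentication versus no plaintext mechanisms at all) is easy to get wrong when reading a server's configuration by hand. The script below is an added example and is not code from the Plesk article or from any commenter: it classifies constructed Postfix, Cyrus SASL and Dovecot configuration fragments into three states: plaintext mechanisms offered on cleartext connections, plaintext mechanisms offered only after TLS, or no plaintext mechanism offered. The file names, their contents and the hardened `mech_list` (CRAM-MD5 and DIGEST-MD5 only) are assumptions for illustration; the Dovecot defaults it falls back to (`auth_mechanisms = plain`, `disable_plaintext_auth = yes`) are Dovecot's documented defaults.

```shell
#!/bin/sh
# Added example (not from the Plesk article or the commenters): audit Postfix,
# Cyrus SASL and Dovecot settings for the three states discussed in the thread.
# All file names and contents below are constructed samples, not a real server.

WORK=$(mktemp -d)   # sample configs are left here for inspection

# Constructed Postfix main.cf variants.
printf 'smtpd_sasl_auth_enable = yes\nsmtpd_tls_auth_only = no\n'  > "$WORK/main.cf.weak"
printf 'smtpd_sasl_auth_enable = yes\nsmtpd_tls_auth_only = yes\n' > "$WORK/main.cf.tls_only"

# Constructed Cyrus SASL smtpd.conf variants (the file the article edits).
printf 'pwcheck_method: auxprop\nmech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5\n' > "$WORK/smtpd.conf.weak"
printf 'pwcheck_method: auxprop\nmech_list: CRAM-MD5 DIGEST-MD5\n'            > "$WORK/smtpd.conf.hard"

# Constructed Dovecot variants.
printf 'auth_mechanisms = plain login\ndisable_plaintext_auth = no\nssl = yes\n'    > "$WORK/dovecot.conf.weak"
printf 'auth_mechanisms = plain login\ndisable_plaintext_auth = yes\nssl = yes\n'   > "$WORK/dovecot.conf.pci"
printf 'auth_mechanisms = cram-md5\ndisable_plaintext_auth = yes\nssl = required\n' > "$WORK/dovecot.conf.hard"

# "key = value" lookup for main.cf / dovecot.conf; the last assignment wins,
# as it does in Postfix and Dovecot. Prints an empty line if the key is unset.
kv_value() {
  awk -v k="$2" -F'=' '
    $1 ~ ("^[ \t]*" k "[ \t]*$") { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v }
    END { print last }' "$1"
}

# "mech_list: A B C" lookup for the Cyrus SASL smtpd.conf.
sasl_mech_list() {
  awk -F':' '
    tolower($1) ~ /^[ \t]*mech_list[ \t]*$/ { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v }
    END { print last }' "$1"
}

# From a mechanism list, keep only those that transmit the password itself.
plaintext_mechs() {
  out=""
  for m in $1; do
    case $(printf '%s' "$m" | tr '[:lower:]' '[:upper:]') in
      PLAIN|LOGIN) out="$out${out:+ }$m" ;;
    esac
  done
  printf '%s\n' "$out"
}

# Classify Postfix: none | plaintext-over-tls-only | plaintext-over-cleartext
postfix_exposure() {   # $1 main.cf  $2 smtpd.conf
  [ "$(kv_value "$1" smtpd_sasl_auth_enable)" = yes ] || { echo none; return; }
  mechs=$(sasl_mech_list "$2")
  # No mech_list means libsasl offers every installed plugin, PLAIN and LOGIN included.
  [ -n "$mechs" ] || mechs="PLAIN LOGIN"
  [ -n "$(plaintext_mechs "$mechs")" ] || { echo none; return; }
  case $(kv_value "$1" smtpd_tls_auth_only) in
    yes) echo plaintext-over-tls-only ;;   # this setting only gates cleartext sessions
    *)   echo plaintext-over-cleartext ;;
  esac
}

# Classify Dovecot the same way (defaults: auth_mechanisms=plain, disable_plaintext_auth=yes).
dovecot_exposure() {   # $1 dovecot conf
  mechs=$(kv_value "$1" auth_mechanisms); [ -n "$mechs" ] || mechs=plain
  [ -n "$(plaintext_mechs "$mechs")" ] || { echo none; return; }
  disable=$(kv_value "$1" disable_plaintext_auth); [ -n "$disable" ] || disable=yes
  if [ "$disable" = yes ] || [ "$(kv_value "$1" ssl)" = required ]; then
    echo plaintext-over-tls-only
  else
    echo plaintext-over-cleartext
  fi
}

# Report each constructed scenario.
for pair in "main.cf.weak smtpd.conf.weak" "main.cf.tls_only smtpd.conf.weak" "main.cf.tls_only smtpd.conf.hard"; do
  set -- $pair
  printf 'postfix %-16s + %-15s -> %s\n' "$1" "$2" "$(postfix_exposure "$WORK/$1" "$WORK/$2")"
done
for f in dovecot.conf.weak dovecot.conf.pci dovecot.conf.hard; do
  printf 'dovecot %-34s -> %s\n' "$f" "$(dovecot_exposure "$WORK/$f")"
done
```

Only the last scenario in each group reaches `none`, and it does so by removing PLAIN and LOGIN from the mechanism list rather than by requiring TLS; `smtpd_tls_auth_only`, `disable_plaintext_auth` and `ssl = required` all leave the mechanisms themselves available once the session is encrypted, which is the state the reply above describes as flagged by PCI scanners. Before removing the plaintext mechanisms on a real server, confirm that the stored password scheme supports the challenge-response mechanisms you keep (CRAM-MD5 and DIGEST-MD5 cannot verify against a one-way salted hash) and that clients such as Roundcube are configured accordingly, as the first comment points out.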
