Question
How to prevent cleartext / plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server?
Answer
Note: If you don’t have root access to the Plesk server via SSH, contact your service provider regarding this issue.
Plesk with Dovecot + Postfix
- Connect to the server via SSH.
- Enable PCI compliance for the Dovecot service:
# plesk sbin pci_compliance_resolver --enable dovecot
- Enable PCI compliance for the Postfix service:
# plesk sbin pci_compliance_resolver --enable postfix
- Edit the file /etc/postfix/main.cf, adding the following line:
smtpd_tls_auth_only=yes
- Open the smtpd.conf file in a text editor (in this example, we are using the vi editor) and remove “PLAIN” and “LOGIN” from mech_list:
  - on CentOS/RHEL-based distributions
# cat /usr/lib64/sasl2/smtpd.conf
pwcheck_method: auxprop saslauthd
auxprop_plugin: plesk
saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
mech_list: DIGEST-MD5 CRAM-MD5
sql_engine: intentionally disabled
log_level: 4
  - on Debian/Ubuntu-based distributions
# cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: auxprop saslauthd
auxprop_plugin: plesk
saslauthd_path: /private/plesk_saslauthd
mech_list: DIGEST-MD5 CRAM-MD5
sql_engine: intentionally disabled
log_level: 4
- Restart mail services to apply the changes:
# service saslauthd restart && service postfix restart && service dovecot restart
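An added check, not part of the original article: the shell functions below audit a main.cf and an smtpd.conf for the two settings changed in the steps above. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit the two edited files.

# Print the effective smtpd_tls_auth_only value from a main.cf.
# Postfix uses the last assignment of a parameter, so later lines override.
tls_auth_only_value() {
    awk -F= '$1 ~ /^smtpd_tls_auth_only[ \t]*$/ { v = $2 }
             END { gsub(/[ \t]/, "", v); print v }' "$1"
}

# Print the cleartext mechanisms (PLAIN, LOGIN) still present in mech_list.
cleartext_mechs() {
    awk -F: '$1 == "mech_list" {
                 n = split($2, m, " ")
                 for (i = 1; i <= n; i++) {
                     u = toupper(m[i])
                     if (u == "PLAIN" || u == "LOGIN") out = out (out ? " " : "") u
                 }
             }
             END { print out }' "$1"
}

# usage: audit_mail_auth MAIN_CF SMTPD_CONF ; returns 0 only if both checks pass.
audit_mail_auth() {
    rc=0
    [ "$(tls_auth_only_value "$1")" = "yes" ] ||
        { echo "FAIL: smtpd_tls_auth_only is not 'yes' in $1"; rc=1; }
    bad=$(cleartext_mechs "$2")
    [ -z "$bad" ] || { echo "FAIL: mech_list in $2 still lists: $bad"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2 pass"
    return "$rc"
}

# Constructed sample files: state before and after the change.
demo=$(mktemp -d)
printf 'smtpd_tls_auth_only = no\n' > "$demo/main_before.cf"
printf 'mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5\n' > "$demo/smtpd_before.conf"
printf 'smtpd_tls_auth_only=yes\n' > "$demo/main_after.cf"
printf 'mech_list: DIGEST-MD5 CRAM-MD5\n' > "$demo/smtpd_after.conf"
audit_mail_auth "$demo/main_before.cf" "$demo/smtpd_before.conf" || true
audit_mail_auth "$demo/main_after.cf" "$demo/smtpd_after.conf" || true
rm -rf "$demo"
```

On the server, call audit_mail_auth with /etc/postfix/main.cf and the smtpd.conf path for your distribution as listed above.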
Note: If Qmail is used, it is recommended to switch to Postfix. Forcing a secure connection over SMTP in Qmail requires patching, which is not supplied by Plesk.