
How to prevent plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server?

Question

How to prevent cleartext / plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server?

Answer

Note: If you don't have root access to the Plesk server via SSH, contact your service provider regarding this issue.


Plesk with Dovecot + Postfix

  1. Connect to the server via SSH

  2. Enable PCI compliance for the Dovecot service:

    # plesk sbin pci_compliance_resolver --enable dovecot

  3. Enable PCI compliance for the Postfix service:

    # plesk sbin pci_compliance_resolver --enable postfix

  4. Edit the file /etc/postfix/main.cf and add the following line:

    smtpd_tls_auth_only=yes

  5. Open the smtpd.conf file in a text editor (in this example, we are using the vi editor) and remove "PLAIN" and "LOGIN" from mech_list. After the change, the file looks as follows:

    • on CentOS/RHEL-based distributions

      # cat /usr/lib64/sasl2/smtpd.conf

      pwcheck_method: auxprop saslauthd
      auxprop_plugin: plesk
      saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
      mech_list: DIGEST-MD5 CRAM-MD5
      sql_engine: intentionally disabled
      log_level: 4

    • on Debian/Ubuntu-based distributions

      # cat /etc/postfix/sasl/smtpd.conf

      pwcheck_method: auxprop saslauthd
      auxprop_plugin: plesk
      saslauthd_path: /private/plesk_saslauthd
      mech_list: DIGEST-MD5 CRAM-MD5
      sql_engine: intentionally disabled
      log_level: 4

  6. Restart mail services to apply the changes:

    # service saslauthd restart && service postfix restart && service dovecot restart

  7. Configure the Roundcube webmail to use the CRAM-MD5 authentication method by adding the following lines to /usr/share/psa-roundcube/config/config.inc.php:

    $config['smtp_auth_type'] = 'CRAM-MD5';
    $config['imap_auth_type'] = 'CRAM-MD5';
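
To confirm that steps 4 and 5 took effect, the two files can be audited with a short script. This is an added example, not part of the original article or of Plesk: the function names are hypothetical and the sample files are constructed. On a real server, pass /etc/postfix/main.cf and the smtpd.conf path for your distribution to audit_plaintext_auth.

```shell
#!/bin/sh
# Added example (not from the original article): audit the settings from steps 4 and 5.

# Print the effective value of a main.cf parameter; the last assignment wins.
maincf_value() {  # usage: maincf_value PARAM FILE
    awk -v p="$1" '
        /^[ \t]*#/ || /^[ \t]/ { next }      # skip comments and continuation lines
        (eq = index($0, "=")) {
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name == p) { val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        }
        END { print val }' "$2"
}

# Print every plaintext mechanism (PLAIN, LOGIN) still listed in mech_list.
plaintext_mechs() {  # usage: plaintext_mechs SMTPD_CONF
    awk 'tolower($1) == "mech_list:" {
             for (i = 2; i <= NF; i++) if (toupper($i) ~ /^(PLAIN|LOGIN)$/) print toupper($i)
         }' "$1"
}

# Return 0 only if both files match the article; print one line per finding.
audit_plaintext_auth() {  # usage: audit_plaintext_auth MAIN_CF SMTPD_CONF
    rc=0
    v=$(maincf_value smtpd_tls_auth_only "$1" | tr 'A-Z' 'a-z')
    [ "$v" = "yes" ] || { echo "FAIL: smtpd_tls_auth_only='$v' in $1"; rc=1; }
    # Without a mech_list line, Cyrus SASL offers every installed mechanism.
    grep -q '^mech_list:' "$2" || { echo "FAIL: no mech_list line in $2"; rc=1; }
    for m in $(plaintext_mechs "$2"); do
        echo "FAIL: mech_list in $2 still offers $m"; rc=1
    done
    [ "$rc" -ne 0 ] || echo "OK: plaintext AUTH settings match"
    return "$rc"
}

# Constructed sample files (not taken from a real server) for a dry run.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'smtpd_tls_auth_only = no\n# smtpd_tls_auth_only = yes\n' > "$demo_dir/weak_main.cf"
printf 'pwcheck_method: auxprop saslauthd\nmech_list: PLAIN LOGIN CRAM-MD5\n' > "$demo_dir/weak_smtpd.conf"
printf 'smtpd_tls_auth_only = no\nsmtpd_tls_auth_only=yes\n' > "$demo_dir/good_main.cf"
printf 'pwcheck_method: auxprop saslauthd\nmech_list: DIGEST-MD5 CRAM-MD5\n' > "$demo_dir/good_smtpd.conf"
audit_plaintext_auth "$demo_dir/weak_main.cf" "$demo_dir/weak_smtpd.conf" || true
audit_plaintext_auth "$demo_dir/good_main.cf" "$demo_dir/good_smtpd.conf"
```

On a running server, `postconf -h smtpd_tls_auth_only` prints the value Postfix actually uses and is a useful cross-check against the file-based result.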

 

Note: If Qmail is used, it is recommended to switch to Postfix. Forcing a secure connection over SMTP in Qmail requires patching, which is not supplied by Plesk.