Mail Server Accepts Plaintext Credentials

Discussion in 'Installation/Configuration' started by brody182, Nov 24, 2018.

  1. brody182

    brody182 Member

    SMTP and POP3 Service Clear text Login Permitted debian server

    How do I Disable the plaintext authentication methods on my SMTP server for unencrypted (non-SSL/TLS) sessions. how do I use more advanced challenge-based authentication methods like CRAM-MD5 or DIGEST-MD5?
     
  2. brody182

    brody182 Member

    these files should not allow plain text login

    debian_dovecot.conf.master
    sasl_smtpd.conf.master

    this is a security issue:
    Malicious users could obtain mail server credentials by sniffing the traffic. This can allow unauthorized users to use the mail server as an open mail relay. It may also lead to compromise of account credentials that can be used to access other mail services like POP3 and IMAP.
     
    Last edited: Nov 24, 2018
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Are you sure plain text is allowed? I thought settingup following Perfect Server guide disabled it.
    Won't using certificate make traffic including login encrypted?
     
  4. brody182

    brody182 Member

    login method should not be plain, as it shows below. Something much better is CRAM-MD5 or DIGEST-MD5

    Code:
    dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=15961,
     
  5. Jesse Norell

    Jesse Norell Well-Known Member

    As @Taleman said, PLAIN authentication over ssl/tls will also stop anyone sniffing passwords. For dovecot use disable_plaintext_auth=yes, and for postfix set both 'smtpd_sasl_security_options = noanonymous, noplaintext' and 'smtpd_sasl_tls_security_options = noanonymous'
     

Share This Page