Disable SMTP plain text authentication on non TLS port

Comments

3 comments

  • hanoii
    I kind of sorted this out myself, by manually adding:

        auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

    to the Advanced configuration exim editor in WHM. Now it works, but now I am getting a constant email from tailwatch that exim is not working, with the following reason:

        TCP Transaction Log:
        << 220-XXXX ESMTP Exim 4.82 #2 Fri, 05 Sep 2014 15:46:13 +0100
        <<
        <<
        >> EHLO localhost
        << 250-XXX Hello localhost [127.0.0.1]
        <<
        <<
        <<
        <<
        <<
        >> AUTH PLAIN XXXXXX
        << 503 AUTH command used when not advertised
        exim: ** [503 AUTH command used when not advertised != 2] : Died at /usr/local/cpanel/Cpanel/TailWatch/ChkServd.pm line 904, <$socket_scc> line 10.

    It's OK that the AUTH command is failing, but that shouldn't be a reason to report exim as not working and restart it automagically. I believe this is a BUG in cpanel tailwatch monitor script for exim. Can you please let me know how to fix this?

    I guess that something more advanced than:

        auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

    can be used, like "if tls_cipher and not localhost" or something like that, but I am not that experienced with exim config yet.
    0
  • hanoii
    Again I think I sorted it out myself with:

        auth_advertise_hosts = localhost : ${if eq{$tls_cipher}{}{nope}{*}}

    Please any cpanel staff, let me know if there's a better/recommended way of doing this.
    0
  • cPanelMichael
    Hello :) I believe the equivalent setting for Exim is found under the "Security" tab in "WHM Home » Service Configuration » Exim Configuration Manager": "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server." Per its description: Enabling this option will significantly improve the security of the server by preventing the plaintext transmission of authentication credentials. Thank you.
    0
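
A way to confirm that the setting discussed in this thread took effect, as an added example (not code from the thread or from cPanel): it reads the EHLO reply before and after STARTTLS and reports whether AUTH is offered in cleartext. The sample replies are constructed, and `ehlo_keywords`, `audit` and `probe` are names chosen here.

```python
import smtplib

# Constructed EHLO replies for illustration (not captured from a real server).
CLEAR_BEFORE_FIX = ["250-mail.example.test Hello client [192.0.2.10]",
                    "250-SIZE 52428800", "250-AUTH PLAIN LOGIN",
                    "250-STARTTLS", "250 HELP"]
CLEAR_AFTER_FIX = ["250-mail.example.test Hello client [192.0.2.10]",
                   "250-SIZE 52428800", "250-STARTTLS", "250 HELP"]
TLS_AFTER_FIX = ["250-mail.example.test Hello client [192.0.2.10]",
                 "250-SIZE 52428800", "250-AUTH PLAIN LOGIN", "250 HELP"]


def ehlo_keywords(lines):
    """Map each EHLO keyword to its parameters; line 0 is the greeting."""
    keywords = {}
    for line in lines[1:]:
        # Accept wire lines ("250-AUTH PLAIN") and smtplib's stripped form.
        if line[:3] == "250" and line[3:4] in ("-", " "):
            line = line[4:]
        words = line.upper().split()
        if words:
            keywords.setdefault(words[0], set()).update(words[1:])
    return keywords


def audit(pre_tls, post_tls=None):
    """Findings for the EHLO reply before and, if given, after STARTTLS."""
    pre = ehlo_keywords(pre_tls)
    findings = []
    if "AUTH" in pre:
        mechs = " ".join(sorted(pre["AUTH"]))
        findings.append("AUTH advertised without TLS: " + mechs)
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    elif post_tls is not None and "AUTH" not in ehlo_keywords(post_tls):
        findings.append("AUTH missing after STARTTLS")
    return findings


def probe(host, port=25):
    """Run the same audit live against a server you administer."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        pre = s.ehlo_resp.decode("ascii", "replace").splitlines()
        post = None
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo()
            post = s.ehlo_resp.decode("ascii", "replace").splitlines()
    return audit(pre, post)
```

Run `probe` from a remote host: the second setting in the thread lists `localhost`, so a probe from the server itself is still expected to see AUTH in cleartext.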
