How to verify plain text logins are disabled
Hello!
I want to verify that plain text logins are disabled for Exim / Dovecot, etc. I set up Nessus and ran it on my server, but I didn't give it the IP address of 127.0.0.1 and I didn't give it a private IP address to scan. I gave it my public IP address.
I see stuff like this:
The SMTP server advertises the following SASL methods over an
unencrypted channel :
All supported methods : PLAIN, LOGIN
Cleartext methods : PLAIN, LOGIN
Port
25 / tcp / smtp
465 / tcp / smtp
587 / tcp / smtp
==============================
The following cleartext methods are supported :
USER
SASL PLAIN LOGIN
Port
110 / tcp / pop3
=========================================
The following authentication methods are advertised by the SMTP
server without encryption :
LOGIN
PLAIN
Port
25 / tcp / smtp
465 / tcp / smtp
587 / tcp / smtp
In WHM >> Service Configuration >> Exim Configuration Manager I have "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server" set to On. I was under the impression that this would disable plain text authentication with Exim (port 465). I'm wondering if they're enabled for local connections. For example, because I'm running Nessus from the server I'm scanning, perhaps they're allowed, but if I were to run it from another network, they'd be disabled? Funny thing is, scanmyserver reports that plain text authentication is also enabled. How would I go about verifying this? Would it involve telnetting to a certain port and typing some command? I've tried this: telnetting to port 25 on my server. I see a blank screen. Then I type:
ehlo testing
220 franklin.example.com
500 unrecognized command
EHLO testing
250-franklin.example.com Hello cpe-255-50-256-183.stny.res.rr.com [255.50.256.183]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
I changed the IP address so my home public IP address wouldn't be displayed. I'm not sure why the 500 unrecognized command came through. Maybe commands need to be capitalized? To me though, this says, at least for port 25, that plain text authentication is in fact disabled. If it wasn't, I'd think I'd see PLAIN AUTH listed. Is this correct? I SSH into the machine and run the command again, but using Linux's telnet program, from the actual server:
[root@franklin ssh]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 franklin.example.com
ehlo testing
250-franklin.example.com Hello testing [127.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
I see plain text logins are enabled. This makes me think my idea is correct. Is there any way to change it so plain text logins are disabled, even when connecting to the local loopback interface? Now this is where things get a little weird. I login from my local Linux box:
[root@eugene ssh]# openssl s_client -crlf -connect example.com:465
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.example.com
verify return:1
---
Certificate chain
0 s:/CN=www.example.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF0jCCBLqgAwIBAgISAyEEECIHhsKsby3FuWj44Q5xMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA2MjYxOTMwMDBaFw0x
NzA5MjQxOTMwMDBaMBkxFzAVBgNVBAMTDnd3dy5qZXRiYnMuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq4FpFR4pP1WvPgt2+kJ9Ki6Pf2o3822+
YogQU0MiXGXJGKsp3uEmbhIFcceHp9jja5ZbsT1VGWRkNSNqkiuiny/JO0a3aguU
DXwzvmFy3SuaE7DEMfRnPIcjX6mq8hcOdq+HzJBcGa3lj47juUgOj87atkSv+rVn
4ZfOa/W2qN9GEEOHOtcjtR7K70i6ST1tg0+IcXRROJ9iia2l5kNGKLslbCxtb0nf
s0Br2Fk2UutaGF1Q6soSKu/L6d8GaEC/ZeN7XiIEUCtZ31FdFp3w6l0osO6ObHHb
figW0rPaUxT6t9+sYjJL6OVOllAmApM0IotN/HCrgWo4GD5mMarMOwIDAQABo4IC
4TCCAt0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRrFxXWORkz4UM16/suETCHTEQP
PDAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRj
MGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5v
cmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5v
cmcvMIHYBgNVHREEgdAwgc2CEWNwYW5lbC5qZXRiYnMuY29tghZjcGNhbGVuZGFy
cy5qZXRiYnMuY29tghVjcGNvbnRhY3RzLmpldGJicy5jb22CE2ZyYW5rbGluLmpl
dGJicy5jb22CD2lwdjQuamV0YmJzLmNvbYIPaXB2Ni5qZXRiYnMuY29tggpqZXRi
YnMuY29tghJ3ZWJkaXNrLmpldGJicy5jb22CEndlYm1haWwuamV0YmJzLmNvbYIO
d2htLmpldGJicy5jb22CDnd3dy5qZXRiYnMuY29tMBEGCCsGAQUFBwEYBAUwAwIB
BTCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYI
KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcC
AjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24g
YnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0
aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5
cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQBY+DiQTYg2dH9v
1H0JiFkeDx6DskykKwHfDUWWbATYAgsiYlyYLZBWmXWeiXt7S6XSDB6DSHk+IPWs
gN+R++8MUYSaQNkBEyIFWK2+zpoh7Y8NkGIFCx1lSWYiFrhwwjGScrz5Mu1YGXVv
EypTHLddp5v5hRvBoXngP8pzesAs8WYMB/hSNxkPqJzosMtPfGQQxR8zpvR8MP8i
64MLZ62PsNmptoxvM8DjaL6eY6IMN84efaBNeBu9nsL8XJ0+Umag6nmoRPWAV2DS
lRtRlueC3mMgYy+0d7IMclAtnHMujY/SrRqp/FAoShRUkaefL/UbtbIWlUvlBoF8
9Wg6B18J
-----END CERTIFICATE-----
subject=/CN=www.example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3330 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: BC758D71A5957AC9CE356DB27EEF5DD38B56DA2AFA02349310D79087305AF058
Session-ID-ctx:
Master-Key: D62560A598D1964DD9047D784ECAFD840D23584DA9A3E2808565970C6A851D805CD368FF0498E961B0DE7B781E0D77D3
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 200 (seconds)
TLS session ticket:
0000 - c6 f3 cb db 05 a4 75 e5-a5 b7 5e 0c d1 0d 8b de ......u...^.....
0010 - 5a 05 ef 8f 30 ea e7 07-30 3a 15 05 20 c9 3b 80 Z...0...0:.. .;.
0020 - de d9 e6 ea 00 b9 02 da-f1 20 ec eb bd ba 24 3a ......... ....$:
0030 - f8 20 ab 90 b5 61 38 e8-ea 1d 1c f5 77 1a 78 82 . ...a8.....w.x.
0040 - 06 fa 3f 0f bb 85 e6 3a-fb b0 88 51 bf 5d 5c ae ..?....:...Q.]\.
0050 - 4e 56 8e 85 5d ef 5f a8-2b 7f c3 b8 e2 49 f5 ad NV..]._.+....I..
0060 - d7 4f 73 28 64 bf 70 93-29 af 88 19 41 2c 60 4a .Os(d.p.)...A,`J
0070 - 98 9b 1c 51 25 7b 71 48-52 bc 08 02 19 5e 8f b7 ...Q%{qHR....^..
0080 - 14 01 40 5a e3 04 83 bf-b8 f4 3b e7 21 98 ed 6a ..@Z......;.!..j
0090 - a6 58 ab 0f 91 67 00 61-58 ae 67 14 4f d4 52 93 .X...g.aX.g.O.R.
Start Time: 1500170254
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
220 franklin.example.com
ehlo spork.net
250-franklin.example.com Hello spork.net []
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
exit
Here, it would seem, on port 465, plain text logins are enabled. Port 465 is Exim. It seems the setting in Exim isn't working properly, or perhaps I'm misunderstanding how to disable plain text authentication. Finally, I have an SSL certificate and I'd like to make sure people connect to the secure ports, so long as it doesn't break anything. Is there a way to block some of the non-SSL mail ports, without breaking incoming e-mail / outgoing email? I think port 25 might need to stay open. I think I remember reading that somewhere. But what about any of the other ports? Can I just block some of them at the firewall level and if so, what would be the good ones to block?
Ultimately, if I could do it without breaking incoming or outgoing mail, I'd like to force connections to the secure ports only and disable the non-secure ones. That way, if I understand everything correctly, they wouldn't have the option of using STARTTLS. They'd automatically be connecting with a secure connection and there will never be plain text sent.
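The transcripts above answer the question by hand; the script below is an added example written for this thread (it is not cPanel's, Exim's or Nessus's code, and `mail.example.test` and the three sample EHLO replies are constructed, not captured from a real server). It automates the distinction the thread is circling: on a STARTTLS port (25, 587) it records AUTH mechanisms advertised before STARTTLS separately from those advertised after it, and on port 465 it treats every reply as encrypted, because with implicit TLS the handshake completes before the first SMTP command is sent. That is also why an `openssl s_client` session to 465 shows `250-AUTH PLAIN LOGIN`: the mechanism names are "PLAIN" and "LOGIN", but the channel carrying them is already TLS. Only the `cleartext_auth` list is a finding.

```python
"""Check whether an SMTP server advertises AUTH before the channel is encrypted.

Added example for this thread, not cPanel/Exim code. The host name and the
sample EHLO replies are constructed, not captured from a real server.
"""
import smtplib
import ssl
from typing import Dict, List, Optional

Features = Dict[str, List[str]]

# Constructed EHLO replies. The first two are one well-configured session on a
# STARTTLS port (before and after STARTTLS); the third is a server that offers
# AUTH on the unencrypted channel, which is what a scanner flags as cleartext.
SAMPLE_EHLO_BEFORE_TLS = """250-mail.example.test Hello client [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP"""

SAMPLE_EHLO_AFTER_TLS = """250-mail.example.test Hello client [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP"""

SAMPLE_EHLO_MISCONFIGURED = """250-mail.example.test Hello client [192.0.2.10]
250-SIZE 52428800
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP"""


def parse_ehlo(reply: str) -> Features:
    """Turn a multi-line 250 reply into {KEYWORD: [params]}; the greeting line is skipped."""
    features: Features = {}
    for line in reply.splitlines()[1:]:
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        if body:
            keyword, _, params = body.partition(" ")
            features[keyword.upper()] = params.split()
    return features


def from_smtplib(esmtp_features: Dict[str, str]) -> Features:
    """smtplib stores EHLO keywords lower-cased with one parameter string each."""
    return {k.upper(): v.split() for k, v in esmtp_features.items()}


def audit(before_tls: Features, after_tls: Optional[Features]) -> dict:
    """Separate AUTH offered in the clear from AUTH offered inside TLS.

    before_tls: features seen on the unencrypted channel ({} for implicit TLS).
    after_tls:  features seen once TLS is up, or None if TLS was never negotiated.
    """
    after_tls = after_tls or {}
    return {
        "starttls_offered": "STARTTLS" in before_tls,
        "cleartext_auth": before_tls.get("AUTH", []),  # the finding to fix
        "encrypted_auth": after_tls.get("AUTH", []),   # expected and harmless
    }


def audit_ehlo_text(before_tls: str, after_tls: Optional[str]) -> dict:
    """Same check on raw EHLO transcripts, e.g. pasted from a telnet session."""
    return audit(parse_ehlo(before_tls), parse_ehlo(after_tls) if after_tls else None)


def probe_smtp(host: str, port: int, implicit_tls: bool = False, timeout: int = 10) -> dict:
    """Live check. Use implicit_tls=True for port 465, where TLS precedes every command."""
    ctx = ssl.create_default_context()
    if implicit_tls:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            s.ehlo()
            return audit({}, from_smtplib(s.esmtp_features))
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = from_smtplib(s.esmtp_features)
        after = None
        if "STARTTLS" in before:
            s.starttls(context=ctx)
            s.ehlo()                       # features must be re-read after STARTTLS
            after = from_smtplib(s.esmtp_features)
    return audit(before, after)


if __name__ == "__main__":
    # Run this once from the server itself and once from an outside host: the
    # thread shows the two can differ when loopback clients may authenticate in the clear.
    for port, implicit in ((25, False), (587, False), (465, True)):
        print(port, probe_smtp("mail.example.test", port, implicit_tls=implicit))
```

Dovecot's ports follow the same split: POP3 on 110 lists STLS in its CAPA reply and IMAP on 143 lists STARTTLS (and LOGINDISABLED when plain login is refused before TLS) in its CAPABILITY reply, while 995 and 993 are implicit TLS like 465, so any login mechanism they advertise is already inside the encrypted session.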
Hello, The following option is available in "WHM >> Mailserver Configuration": Allow Plaintext Authentication (from remote clients) Per its description: This setting will allow remote email clients to authenticate using unencrypted connections. When set to "no", only connections originating on the local server will be allowed to authenticate without encryption. Selecting "no" is preferable to disabling IMAP in the Protocols Enabled section since it will force remote users to use encryption while still allowing webmail to function correctly. As far as Exim, there's some discussion from your thread from December that relates to this topic: Disabling STARTTLS for IMAP services. Additionally, you may find this document and thread helpful: 42. Encrypted SMTP connections using TLS/SSL change port 25 Thank you.
Okay, thank you. I think what makes this hard is I have trouble with my memory and I have to constantly look back to see what uses what ports. For example, in WHM, the "WHM >> Service Configuration >> Mailserver Configuration", I have to look to see if that's Exim or Dovecot (it's Dovecot), then I have to go back and see what ports Dovecot uses (from my notes, I see that's port 110, 143, 993, and 995). It even gets a bit more confusing because in the Mailserver Configuration, that setting only blocks plain text authentication for remote connections, not local connections. I'm sure there's a way I could probably block them for local connections as well, but I wonder if that would break anything with cPanel. I will read the threads you linked me to and see if I can figure out how to do what I want to do. Thank you.
I'm sure there's a way I could probably block them for local connections as well, but I wonder if that would break anything with cPanel.
Disabling the local connection attempts will prevent webmail from working. Thank you.