Question about Future SMTP Authentication Policies (Port 25 Block & Encryption Enforcement)
Dear cPanel Team,
I’m writing to inquire about potential upcoming changes to cPanel’s SMTP authentication policies. Recently, a competitor (D****A****) implemented server-level restrictions that:
- Disable SMTP authentication on port 25 (reserving it exclusively for MTA-to-MTA communication).
- Require encryption for SMTP authentication (blocking plain-text auth on all ports except localhost).
Their stated goals were to enhance security by separating client/server traffic, preventing credential brute-forcing on port 25, and eliminating accidental plain-text password exposure. While these changes are understandable from a security perspective, they caused significant disruption for unprepared users.
My question is: Does cPanel plan to implement similar restrictions (disabling auth on port 25 + enforcing encrypted auth) in the near future?
If so, we kindly request:
- Advance notice in release notes/documentation.
- Clear migration guidance for end-users.
- An option (even if temporary) to revert or phase in changes.
Proactive communication would help us avoid service disruptions and customer dissatisfaction, as experienced with the competitor’s abrupt rollout. We fully support security hardening but need time to adapt client configurations.
Thank you for your transparency and ongoing support—it’s invaluable to administrators like us. I’m happy to clarify any part of this query.
Best regards,
-
Hey there! Let me reach out to the team and I'll get you more updates once I have them. At this point I'm not going to hear anything until tomorrow.
0 -
I reached out to the email team and there are currently no plans to implement these changes on our end. If we were to make such changes we'd be sure to communicate about them ahead of time so admins are aware they are coming.
1 -
Dear cPanel Team,
Thank you for the clarification regarding SMTP authentication changes—your commitment to transparency is greatly appreciated.
As a follow-up, I’d like to ask whether similar security-related restrictions are being considered for POP/IMAP authentication. Specifically, a competitor (D****A****) recently rolled out updates that:
- Enforce encryption for POP/IMAP authentication, disallowing plain-text credentials unless over secure (SSL/TLS) connections.
- Introduce server-side restrictions to ensure legacy or misconfigured clients cannot inadvertently expose credentials.
Given the recent changes in the industry, we want to proactively prepare for any similar policy updates that may affect mail client compatibility or end-user experience.
Could you please let us know:
- Whether there are any current or future plans to implement POP/IMAP authentication restrictions?
- If so, would cPanel follow the same responsible approach of advance notice and documentation as stated for SMTP changes?
As always, our goal is to align with best practices while minimizing unexpected disruptions for users.
Thank you again for your attention and ongoing support.
Best regards,
0 -
-
cPanel has supported this for YEARS :-)
In Exim Configuration, you have the following option:
"Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server" - which is enabled by default, by the way.
In Mailserver Configuration, you have an equivalent option too:
Allow Plaintext Authentication (from remote clients) - which is also enabled by default.
0 -
The competition also has supported this for YEARS.
Difference is that now with the new Exim and new Dovecot all security is enabled by default, so plaintext authentication from remote clients is also not possible anymore, without customisation.
Neither is SMTP communication via port 25.
I think that is what he's talking about.
0
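
The two policies discussed in this thread (no AUTH on port 25, no AUTH before TLS) can be checked from what a server advertises in its EHLO reply before and after STARTTLS. The following is an added example, not part of the thread and not cPanel's or Exim's code; the function names, finding codes, and sample replies are constructed for illustration, and it covers STARTTLS listeners (ports 25 and 587) only.

```python
# Added example: audits constructed EHLO replies; makes no network connections.
CODES = {
    "auth-before-starttls": "AUTH offered before TLS, so passwords can cross in plain text",
    "auth-on-port-25": "AUTH offered on port 25, which should carry MTA-to-MTA mail only",
    "no-starttls": "STARTTLS not offered, so clients cannot encrypt before AUTH",
}

def ehlo_keywords(reply):
    """Return the set of extension keywords in a multi-line 250 EHLO reply."""
    keywords = set()
    lines = [l for l in reply.splitlines() if l.strip()]
    for line in lines[1:]:                      # line 1 is the greeting, not a keyword
        if not line.startswith("250"):
            continue
        # "AUTH=PLAIN LOGIN" is a legacy spelling of "AUTH PLAIN LOGIN"
        parts = line[4:].replace("=", " ", 1).split()
        if parts:
            keywords.add(parts[0].upper())
    return keywords

def audit(port, before_tls, after_tls=""):
    """Check one STARTTLS listener against both policies; returns finding codes."""
    pre, post = ehlo_keywords(before_tls), ehlo_keywords(after_tls)
    findings = []
    if "AUTH" in pre:
        findings.append("auth-before-starttls")
    if "STARTTLS" not in pre:
        findings.append("no-starttls")
    if port == 25 and "AUTH" in (pre | post):
        findings.append("auth-on-port-25")
    return findings

# Constructed sample replies (hostname and size are made up).
PLAIN_WITH_AUTH = ("250-mail.example.test Hello\n250-SIZE 52428800\n"
                   "250-AUTH PLAIN LOGIN\n250-STARTTLS\n250 HELP")
PLAIN_NO_AUTH = "250-mail.example.test Hello\n250-SIZE 52428800\n250-STARTTLS\n250 HELP"
TLS_WITH_AUTH = "250-mail.example.test Hello\n250-SIZE 52428800\n250-AUTH PLAIN LOGIN\n250 HELP"

if __name__ == "__main__":
    cases = [(25, PLAIN_WITH_AUTH, TLS_WITH_AUTH),   # permissive listener
             (25, PLAIN_NO_AUTH, TLS_WITH_AUTH),     # TLS required, AUTH still on 25
             (587, PLAIN_NO_AUTH, TLS_WITH_AUTH)]    # submission port, hardened
    for port, pre, post in cases:
        for code in audit(port, pre, post) or ["ok"]:
            print(port, code, CODES.get(code, ""))
```

To audit a real server, paste the EHLO replies captured from a manual session on each port in place of the constructed strings.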