Disable SMTP plain text authentication on non TLS port

hanoii

Member
Oct 15, 2010
Hi,

I am aware of the setting for disabling plain text login on Dovecot in Mailserver configuration "Allow Plaintext Authentication (from remote clients)". But how can the same thing be done with SMTP?

I want to disable plain text login without TLS as well, as this is preventing me from passing a PCI compliance scan.
 

hanoii

Member
Oct 15, 2010
I kind of sorted this out myself, by manually adding:

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

To the Advanced configuration exim editor in WHM.

Now it works, but now I am getting a constant email from tailwatch that exim is not working with the following reason:

TCP Transaction Log:
<< 220-XXXX ESMTP Exim 4.82 #2 Fri, 05 Sep 2014 15:46:13 +0100
<<
<<
>> EHLO localhost
<< 250-XXX Hello localhost [127.0.0.1]
<<
<<
<<
<<
<<
>> AUTH PLAIN XXXXXX
<< 503 AUTH command used when not advertised
exim: ** [503 AUTH command used when not advertised != 2]
: Died at /usr/local/cpanel/Cpanel/TailWatch/ChkServd.pm line 904, <$socket_scc> line 10.

It's OK that the AUTH command is failing, but that shouldn't be a reason to report exim as not working and restart it automagically. I believe this is a BUG in the cPanel tailwatch monitor script for exim.

Can you please let me know how to fix this?

I guess that something more advanced than:
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

can be used, like "if tls_cipher and not localhost" or something like that, but I am not that experienced with exim config yet.
 

hanoii

Member
Oct 15, 2010
Again I think I sorted it out myself with:

auth_advertise_hosts = localhost : ${if eq{$tls_cipher}{}{nope}{*}}

Please any cpanel staff, let me know if there's a better/recommended way of doing this.
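The config above hides AUTH from every host except localhost until a TLS cipher is negotiated. A quick way to confirm the effect from the outside, and to reproduce the "AUTH command used when not advertised" situation without a monitoring script, is to compare the EHLO capability list before and after STARTTLS. The following is an added example, not the poster's or cPanel's code: the EHLO replies and the `mail.example.test` hostname are constructed, and the `probe()` function assumes a mail server you operate yourself, reachable on the submission port.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from the poster's server).
# Before the change: AUTH is offered on the plaintext connection.
EHLO_PLAINTEXT_BEFORE = [
    "250-mail.example.test Hello client.example.test [192.0.2.10]",
    "250-SIZE 52428800",
    "250-8BITMIME",
    "250-PIPELINING",
    "250-AUTH PLAIN LOGIN",
    "250-STARTTLS",
    "250 HELP",
]
# After the change: AUTH is withheld until STARTTLS has completed.
EHLO_PLAINTEXT_AFTER = [
    "250-mail.example.test Hello client.example.test [192.0.2.10]",
    "250-SIZE 52428800",
    "250-8BITMIME",
    "250-PIPELINING",
    "250-STARTTLS",
    "250 HELP",
]
# Second EHLO, sent inside the TLS session: AUTH is back.
EHLO_AFTER_STARTTLS = [
    "250-mail.example.test Hello client.example.test [192.0.2.10]",
    "250-SIZE 52428800",
    "250-8BITMIME",
    "250-PIPELINING",
    "250-AUTH PLAIN LOGIN",
    "250 HELP",
]


def parse_ehlo(lines):
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [params]}.

    The first 250 line is the server greeting, not a capability, so it is skipped.
    """
    caps = {}
    seen_greeting = False
    for raw in lines:
        line = raw.strip()
        if not line.startswith("250"):
            continue
        if not seen_greeting:
            seen_greeting = True
            continue
        body = line[4:].split()  # drop "250-" / "250 " then split keyword and params
        if body:
            caps[body[0].upper()] = [p.upper() for p in body[1:]]
    return caps


def assess(plain_caps, tls_caps):
    """Classify a server from its pre-STARTTLS and post-STARTTLS capability sets."""
    plain_auth = plain_caps.get("AUTH", [])
    tls_auth = tls_caps.get("AUTH", [])
    if plain_auth:
        return "FAIL: AUTH %s advertised before STARTTLS" % " ".join(plain_auth)
    if "STARTTLS" not in plain_caps:
        return "FAIL: STARTTLS not offered, so no authentication path is protected"
    if not tls_auth:
        return "WARN: AUTH never advertised, clients cannot authenticate at all"
    return "PASS: AUTH only after STARTTLS (%s)" % " ".join(tls_auth)


def probe(host, port=587, timeout=10):
    """Live version of the same check against a server you administer."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        plain_caps = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        if "STARTTLS" not in plain_caps:
            return assess(plain_caps, {})
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # capabilities must be re-read inside the TLS session
        tls_caps = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        return assess(plain_caps, tls_caps)


if __name__ == "__main__":
    print(assess(parse_ehlo(EHLO_PLAINTEXT_BEFORE), parse_ehlo(EHLO_AFTER_STARTTLS)))
    print(assess(parse_ehlo(EHLO_PLAINTEXT_AFTER), parse_ehlo(EHLO_AFTER_STARTTLS)))
```

Run against the constructed replies, the "before" pair fails and the "after" pair passes. Note that `probe()` connects from a remote address, so it sees the same capability list the PCI scanner sees; a check run from the server itself over 127.0.0.1 hits the `localhost` exception in the config and will still see AUTH, which is exactly why the tailwatch probe in the earlier post kept succeeding once localhost was whitelisted.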
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

I believe the equivalent setting for Exim is found under the "Security" tab in "WHM Home » Service Configuration » Exim Configuration Manager":

"Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server."

Per its description:

Enabling this option will significantly improve the security of the server by preventing the plaintext transmission of authentication credentials.

Thank you.