Disable SMTP plain text authentication on non TLS port

Discussion in 'Security' started by hanoii, Sep 5, 2014.

  1. hanoii

    hanoii Member

    Hi,

    I am aware of the setting for disabling plain text login on Dovecot in Mailserver configuration "Allow Plaintext Authentication (from remote clients)". But how can the same thing be done with SMTP?

    I want to disable plain text login without TLS as well, as this is preventing me from passing a PCI compliant scan.
     
  2. hanoii

    hanoii Member

    I kind of sorted this out myself, by manually adding:

    auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

    To the Advanced configuration exim editor in WHM.

    Now it works, but now I am getting a constant email from tailwatch that exim is not working with the following reason:

    TCP Transaction Log:
    << 220-XXXX ESMTP Exim 4.82 #2 Fri, 05 Sep 2014 15:46:13 +0100
    <<
    <<
    >> EHLO localhost
    << 250-XXX Hello localhost [127.0.0.1]
    <<
    <<
    <<
    <<
    <<
    >> AUTH PLAIN XXXXXX
    << 503 AUTH command used when not advertised
    exim: ** [503 AUTH command used when not advertised != 2]
    : Died at /usr/local/cpanel/Cpanel/TailWatch/ChkServd.pm line 904, <$socket_scc> line 10.

    It's OK that the AUTH command is failing, but that shouldn't be a reason to report exim as not working and restart it automagically. I believe this is a BUG in the cPanel tailwatch monitor script for exim.

    Can you please let me know how to fix this?

    I guess that something more advanced than:
    auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

    can be used, like "if tls_cipher and not localhost" or something like that, but I am not that experienced with exim config yet.
     
  3. hanoii

    hanoii Member

    Again I think I sorted it out myself with:

    auth_advertise_hosts = localhost : ${if eq{$tls_cipher}{}{nope}{*}}

    Please, any cPanel staff, let me know if there's a better/recommended way of doing this.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I believe the equivalent setting for Exim is found under the "Security" tab in "WHM Home » Service Configuration » Exim Configuration Manager":

    "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server."

    Per its description:

    Enabling this option will significantly improve the security of the server by preventing the plaintext transmission of authentication credentials.

    Thank you.
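
Added example, not part of the original thread and not cPanel's or Exim's own code: a Python check that a port advertises AUTH only after STARTTLS, whichever of the approaches above is used. The sample EHLO replies, hostnames and the function names `ehlo_features`, `audit` and `live_features` are constructed for illustration.

```python
import re
import smtplib

# Constructed EHLO replies (not captured from a real server).
GREETING = "250-mail.example.test Hello client.example.test [192.0.2.10]"
CLEARTEXT_WEAK = [GREETING, "250-SIZE 52428800", "250-AUTH PLAIN LOGIN",
                  "250-STARTTLS", "250 HELP"]
CLEARTEXT_FIXED = [GREETING, "250-SIZE 52428800", "250-STARTTLS", "250 HELP"]
AFTER_TLS = [GREETING, "250-SIZE 52428800", "250-AUTH PLAIN LOGIN", "250 HELP"]

# Matches "250-KEYWORD params", "250 KEYWORD" and the old "250-AUTH=..." form.
EXTENSION = re.compile(r"250[- ]([A-Za-z0-9][A-Za-z0-9-]*)[ =]?(.*)")


def ehlo_features(reply_lines):
    """Map each extension keyword (lowercased) of a 250 EHLO reply to its parameters."""
    features = {}
    for line in reply_lines[1:]:  # the first line is the greeting, not an extension
        match = EXTENSION.match(line)
        if match:
            features[match.group(1).lower()] = match.group(2).strip()
    return features


def audit(pre_tls, post_tls):
    """Findings for a port that must offer AUTH only inside TLS (empty list = pass)."""
    findings = []
    if "auth" in pre_tls:
        findings.append("AUTH advertised in cleartext: " + pre_tls["auth"].strip())
    if "starttls" not in pre_tls:
        findings.append("STARTTLS not offered on the cleartext session")
    if "auth" not in post_tls:
        findings.append("AUTH missing after STARTTLS; clients cannot log in")
    return findings


def live_features(host, port=25):
    """Collect both feature sets from a server you administer (needs network access)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        pre_tls = dict(smtp.esmtp_features)
        smtp.starttls()  # raises SMTPNotSupportedError when STARTTLS is not offered
        smtp.ehlo()
        post_tls = dict(smtp.esmtp_features)
    return pre_tls, post_tls


if __name__ == "__main__":
    print(audit(ehlo_features(CLEARTEXT_WEAK), ehlo_features(AFTER_TLS)))
    print(audit(ehlo_features(CLEARTEXT_FIXED), ehlo_features(AFTER_TLS)))
```

Run `audit(*live_features(host))` from a machine other than the mail server itself, because the setting in post 3 still advertises AUTH to localhost without TLS.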
     