The Community Forums


How to verify plain text logins are disabled

Discussion in 'E-mail Discussions' started by Spork Schivago, Jul 15, 2017.

  1. Spork Schivago

    Spork Schivago Well-Known Member
    Hello!

    I want to verify that plain text logins are disabled for Exim / Dovecot, etc. I set up Nessus and ran it on my server, but I didn't give it the IP address of 127.0.0.1 and I didn't give it a private IP address to scan. I gave it my public IP address.

    I see stuff like this:

    Code:
    The SMTP server advertises the following SASL methods over an
    unencrypted channel :
    
      All supported methods : PLAIN, LOGIN
      Cleartext methods     : PLAIN, LOGIN
    
    
    Port
    25 / tcp / smtp
    465 / tcp / smtp
    587 / tcp / smtp
    
    ==============================
    The following cleartext methods are supported :
    USER
    SASL PLAIN LOGIN
    
    
    Port
    110 / tcp / pop3
    
    =========================================
    The following authentication methods are advertised by the SMTP
    server without encryption :
      LOGIN
      PLAIN
    
    
    Port
    25 / tcp / smtp
    465 / tcp / smtp
    587 / tcp / smtp
    
    In WHM » Service Configuration » Exim Configuration Manager

    I have Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server set to On. I was under the impression that this would disable plain text authentication with Exim (port 465).

    I'm wondering if they're enabled for local connections. For example, because I'm running Nessus from the server I'm scanning, perhaps they're allowed, but if I were to run it from another network, they'd be disabled? Funny thing is, scanmyserver reports that plain text authentication is also enabled. How would I go about verifying this? Would it involve telnetting to a certain port and typing some command?

    I've tried this:
    telnetting to port 25 on my server. I see a blank screen. Then I type:
    Code:
    ehlo testing
    220 franklin.example.com
    500 unrecognized command
    EHLO testing
    250-franklin.example.com Hello cpe-255-50-256-183.stny.res.rr.com [255.50.256.183]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-STARTTLS
    250 HELP
    
    I changed the IP address so my home public IP address wouldn't be displayed. I'm not sure why the 500 unrecognized command came through. Maybe commands need to be capitalized? To me though, this says, at least for port 25, that plain text authentication is in fact disabled. If it wasn't, I'd think I'd see PLAIN AUTH listed. Is this correct?

    I SSH into the machine and run the command again, but using Linux's telnet program, from the actual server:
    Code:
    [root@franklin ssh]# telnet 127.0.0.1 25
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    220 franklin.example.com
    ehlo testing
    250-franklin.example.com Hello testing [127.0.0.1]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
    
    I see plain text logins are enabled. This makes me think my idea is correct.

    Is there any way to change it so plain text logins are disabled, even when connecting to the local loopback interface?


    Now this is where things get a little weird. I login from my local Linux box:
    Code:
    [root@eugene ssh]# openssl s_client -crlf -connect example.com:465
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = www.example.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=www.example.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    [certificate PEM block omitted]
    subject=/CN=www.example.com
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 3330 bytes and written 373 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: BC758D71A5957AC9CE356DB27EEF5DD38B56DA2AFA02349310D79087305AF058
        Session-ID-ctx:
        Master-Key: D62560A598D1964DD9047D784ECAFD840D23584DA9A3E2808565970C6A851D805CD368FF0498E961B0DE7B781E0D77D3
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 200 (seconds)
        TLS session ticket: [hex dump omitted]
    
        Start Time: 1500170254
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    220 franklin.example.com
    ehlo spork.net
    250-franklin.example.com Hello spork.net [<home IP address>]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250 HELP
    exit
    
    Here, it would seem, on port 465, plain text logins are enabled. Port 465 is Exim. It seems the setting in Exim isn't working properly, or perhaps I'm misunderstanding how to disable plain text authentication.

    Finally, I have an SSL certificate and I'd like to make sure people connect to the secure ports, so long as it doesn't break anything. Is there a way to block some of the non-SSL mail ports, without breaking incoming e-mail / outgoing email? I think port 25 might need to stay open. I think I remember reading that somewhere. But what about any of the other ports? Can I just block some of them at the firewall level and if so, what would be the good ones to block?
     
    #1 Spork Schivago, Jul 15, 2017
    Last edited: Jul 15, 2017
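    The check the post above does by hand (EHLO, then look for AUTH before STARTTLS) as an added example; this is not cPanel's, Exim's or Nessus's own code, the sample transcripts are constructed from the thread's output, and mail.example.com is a placeholder host. It also encodes the distinction the post is missing: on port 465 the TLS handshake happens before EHLO, so AUTH advertised there is not a cleartext exposure, whereas on 25 and 587 it is.

```python
"""Report SASL mechanisms an SMTP listener offers before the channel is encrypted."""
import re
import smtplib
import ssl

# Constructed transcripts modelled on the thread's loopback and remote EHLO replies.
EHLO_LOOPBACK = """250-franklin.example.com Hello testing [127.0.0.1]
250-SIZE 52428800
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP"""
EHLO_REMOTE = """250-franklin.example.com Hello testing [203.0.113.5]
250-SIZE 52428800
250-STARTTLS
250 HELP"""

_LINE = re.compile(r"^250[ -](\S+)\s*(.*)$")


def parse_ehlo(reply: str) -> dict:
    """Map each EHLO extension keyword to its parameters, e.g. {"AUTH": ["PLAIN", "LOGIN"]}."""
    features = {}
    for line in reply.strip().splitlines()[1:]:  # first 250 line is only the greeting
        m = _LINE.match(line.strip())
        if m:
            features[m.group(1).upper()] = m.group(2).upper().split()
    return features


def exposed_mechanisms(features: dict, channel_encrypted: bool) -> list:
    """Mechanisms a client could use in the clear: none on an implicit-TLS port (465),
    but PLAIN/LOGIN on 25/587 since the EHLO reply is read before STARTTLS."""
    if channel_encrypted:
        return []
    return [m for m in features.get("AUTH", []) if m in ("PLAIN", "LOGIN")]


def probe(host: str, port: int, implicit_tls: bool = False, timeout: float = 10) -> list:
    """Live check with the standard library; pass implicit_tls=True for port 465."""
    if implicit_tls:
        conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = smtplib.SMTP(host, port, timeout=timeout)
    with conn:
        code, _ = conn.ehlo("probe.example")
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        features = {k.upper(): v.split() for k, v in conn.esmtp_features.items()}
    return exposed_mechanisms(features, implicit_tls)


if __name__ == "__main__":  # placeholder host; run from the server and from outside
    for port, tls in ((25, False), (587, False), (465, True)):
        print(port, probe("mail.example.com", port, tls))
```

Running probe() both from the server itself and from another network separates a loopback-only exemption (what the thread suspects) from a setting that is genuinely not applied.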
  2. Spork Schivago

    Spork Schivago Well-Known Member
    Ultimately, if I could do it without breaking incoming or outgoing mail, I'd like to force connections to the secure ports only and disable the non-secure ones. That way, if I understand everything correctly, they wouldn't have the option of using starttls. They'd automatically be connecting with a secure connection and there will never be plain text sent.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
    Hello,

    The following option is available in "WHM >> Mailserver Configuration":

    Allow Plaintext Authentication (from remote clients)

    Per its description:

    This setting will allow remote email clients to authenticate using unencrypted connections. When set to “no”, only connections originating on the local server will be allowed to authenticate without encryption. Selecting “no” is preferable to disabling IMAP in the Protocols Enabled section since it will force remote users to use encryption while still allowing webmail to function correctly.

    As far as Exim, there's some discussion from your thread from December that relates to this topic:

    Disabling STARTTLS for IMAP services.

    Additionally, you may find this document and thread helpful:

    42. Encrypted SMTP connections using TLS/SSL
    change port 25

    Thank you.
     
  4. Spork Schivago

    Spork Schivago Well-Known Member
    Okay, thank you.

    I think what makes this hard is I have trouble with my memory and I have to constantly look back to see what uses what ports. For example, in WHM, the "WHM >> Service Configuration >> Mailserver Configuration", I have to look to see if that's Exim or Dovecot (it's Dovecot), then I have to go back and see what ports Dovecot uses (from my notes, I see that's port 110, 143, 993, and 995).

    It even gets a bit more confusing because in the Mailserver Configuration, that setting only blocks plain text authentication for remote connections, not local connections. I'm sure there's a way I could probably block them for local connections as well, but I wonder if that would break anything with cPanel.

    I will read the threads you linked me to and see if I can figure out how to do what I want to do.

    Thank you.
     
    #4 Spork Schivago, Jul 18, 2017
    Last edited: Jul 18, 2017
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
    Disabling the local connection attempts will prevent webmail from working.

    Thank you.
     