TLS enabled only for smtp/pop3 and imap

Peter Larsen
Registered, Aug 23, 2018
cPanel Access Level: DataCenter Provider
Hi

So, I want to be able to configure Exim and the other mail services to only use SSL/TLS on a connection. No open connections, no fallback to open connections.

So basically, if you can't do SSL/TLS, I don't want your email.

So, if a remote server tries to deliver an email without using STARTTLS, it should not be able to do so.

Clients should not be allowed to connect to POP3 or IMAP without SSL enabled.

Any hints? Manual configuration altering?
 

cPanelLauren
Product Owner II, Staff member
Nov 14, 2017
Houston
Hi @Peter Larsen


This shouldn't be difficult to set up if you go to WHM >> Server Configuration >> Mailserver Configuration >> Allow Plaintext Authentication (from remote clients) and set it to "no". When set to "no", only connections originating on the local server will be allowed to authenticate without encryption. Selecting "no" is preferable to disabling IMAP in the Protocols Enabled section, since it will force remote users to use encryption while still allowing webmail to function correctly.

Thanks!
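For readers who want to see what that WHM option does underneath, here is the upstream Dovecot configuration with the weak and the hardened setting side by side. This is an added example, not text from the thread and not cPanel's generated dovecot.conf; that WHM writes disable_plaintext_auth from the "Allow Plaintext Authentication" option is an assumption, so compare against `doveconf -n` on your own server after saving.

```conf
# Added example. Upstream Dovecot directives; mapping to the WHM option is an
# assumption, verify with: doveconf -n | grep -E 'disable_plaintext_auth|^ssl '

# Weak: LOGIN/PLAIN credentials are accepted over an unencrypted session from
# any remote address, so a client that "falls back" leaks the password.
#disable_plaintext_auth = no

# What the WHM option set to "no" gives you: plaintext auth is refused unless
# the session is TLS-protected or comes from localhost (127.0.0.1 / ::1).
# That localhost exception is why webmail on the same box keeps working.
# Remote clients see LOGINDISABLED in the IMAP CAPABILITY response until they
# issue STARTTLS, so a well-behaved client will not even try a cleartext login.
disable_plaintext_auth = yes

# Stricter still: refuse the unencrypted session itself, not just the login
# inside it. Re-test webmail after enabling this, since it is tighter than
# the setting the WHM option controls.
ssl = required
```

A quick check from an outside host: `openssl s_client -starttls imap -connect mail.example.com:143` (hostname assumed) should show a TLS handshake, while a plain `nc mail.example.com 143` followed by `a CAPABILITY` should list LOGINDISABLED and no AUTH= mechanisms.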
 

Peter Larsen
Hi Lauren

Thanks for your reply. This seems to be a solution for IMAP/POP3; it was already enabled as described, so I just need to test it.

We also need to force TLS on all SMTP connections, so e.g. if someone on gmail.com writes an email to domæne.dk (on my server), the SMTP session will be encrypted with TLS from Gmail to us.

If gmail.com was not a TLS-enabled SMTP host, I want my cPanel server not to accept (not even try) to receive the message.

Any advice on configuration for that?
 

cPanelLauren
Hi @Peter Larsen


That setting should be set to NO, not enabled, meaning you would NOT like to accept any non-encrypted connections. It disallows any unencrypted transmission through your server, which means that your server will reject any connection attempts not over TLS, and by default cPanel does not accept encrypted connections using any protocol but TLS.
 

Peter Larsen
cPanelLauren said:
Hi @Peter Larsen

That setting should be set to NO, not enabled, meaning you would NOT like to accept any non-encrypted connections. It disallows any unencrypted transmission through your server, which means that your server will reject any connection attempts not over TLS, and by default cPanel does not accept encrypted connections using any protocol but TLS.

I'm sorry, I disagree.

This is a Dovecot setting for IMAP/POP3 authentication.

While it might cover SMTP authentication (which would make sense), it does not cover server-to-server communication on SMTP, since such communication is without authentication.
 

cPanelMichael
Administrator, Staff member
Apr 11, 2011
Hello @Peter Larsen,

I believe the following option under the Security tab in WHM >> Exim Configuration Manager >> Basic Configuration is what you are looking for:

"Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server."

It's enabled by default to prevent the plaintext transmission of authentication credentials.

Let me know if this helps.

Thank you.
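The option Michael names covers the authenticated (submission) case; as Peter points out, server-to-server delivery never authenticates, so it needs a separate rule. The fragment below shows both in plain Exim syntax. It is an added example, not from the thread and not cPanel's generated exim.conf: the auth_advertise_hosts idiom is the standard one from the Exim documentation, the ACL is a constructed illustration, and where these would attach in WHM's Exim Configuration Manager (Advanced Editor) is an assumption you must check against your own generated config.

```conf
# Added example in upstream Exim syntax. Placement inside cPanel's generated
# exim.conf is an assumption; cPanel regenerates that file, so custom ACLs
# belong in the Advanced Editor's custom sections, not in the file directly.

# STARTTLS has to be offered before anyone can use it (this is the default
# in current Exim; shown here so the policy below is self-contained).
tls_advertise_hosts = *

# The "require SSL or STARTTLS before AUTH" option, as Exim expresses it:
# advertise AUTH only once the session is encrypted. $tls_in_cipher is empty
# until STARTTLS (or implicit TLS on port 465) has completed, so a client on
# a cleartext session never gets the chance to send credentials.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

# Server-to-server delivery (gmail.com -> domæne.dk) carries no AUTH, so the
# line above does not touch it. Reject it at MAIL FROM instead: a sending MTA
# cannot issue STARTTLS before EHLO, so a connect-time check would reject
# everyone, while a MAIL-time check lets it upgrade first and refuses only
# those that did not.
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Local submissions (webmail, cron, the box itself) stay allowed, matching
  # the local-host exception the Dovecot setting already has.
  accept hosts = 127.0.0.1 : ::1

  # Weak version of this rule: no deny here at all, so cleartext delivery
  # is accepted. Hardened: refuse it with a permanent 5xx and a log line.
  deny   condition   = ${if eq{$tls_in_cipher}{}}
         message     = TLS required: issue STARTTLS before MAIL FROM
         log_message = rejected cleartext MAIL from $sender_host_address

  accept
```

Before relying on it, test from an outside host with swaks: `swaks --server mail.example.com --to user@example.com` (hostnames assumed) should be rejected at MAIL FROM with the message above, and the same command with `--tls` should be accepted. Be aware of the trade-off Peter is explicitly choosing: any sender that cannot do STARTTLS gets a permanent bounce rather than a retry, and Exim's `$tls_in_cipher` says nothing about the peer's certificate, so this enforces encryption, not authentication of the sending server.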