 Disable Cleartext Login on port 587 tcp submission (2 Replies, Read 12009 times)
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
The SMTP server advertises the following SASL methods over an unencrypted channel:

All supported methods: LOGIN, PLAIN

Cleartext methods: LOGIN, PLAIN

Recommended Solution:

Configure the service to support less secure authentication mechanisms only over an encrypted channel.

Impact:

An attacker may be able to uncover user names and passwords by sniffing traffic to the server if a less secure authentication mechanism (i.e. LOGIN or PLAIN) is used.

How to fix this?
How to secure Dovecot or Exim to disable that insecure login plain?
Thanks


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

Disable Cleartext Login on port 587 tcp submission
valley
Group: Webuzo Team
Post Group: Super Member
Posts: 1644
Status:
The Dovecot Sieve plugin can be implemented to overcome this.

You can try tweaking the Dovecot configurations for once,

-----------------------
Webuzo : Single User Control Panel
Join Webuzo :
Facebook
Twitter


Disable Cleartext Login on port 587 tcp submission
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
The solution is simpler:

You can add the same under:

Ubuntu: /etc/exim4/exim4.conf.template (UBUNTU) or

CentOS: /etc/exim.conf

Search for the string "dovecot_" and then add the below-mentioned property at the bottom of every dovecot driver:

-------------

server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}

-------------



After making the changes do:

Ubuntu: update-exim4.conf and service exim4 restart

CentOS: service exim restart



The above changes will only advertise auth when the connection is secure.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
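
One way to confirm the effect of the server_advertise_condition change described in the last post, as an added example that is not part of the original thread: compare the EHLO reply before and after STARTTLS and report any cleartext mechanism still offered in the clear. The function names, the host mail.example.test and the sample replies are assumptions constructed for this example.

```python
import re
import smtplib
import ssl
import sys

CLEARTEXT = {"PLAIN", "LOGIN"}  # the mechanisms the scan report flags

def auth_mechs(ehlo_reply: str) -> set:
    """SASL mechanisms listed on the AUTH line(s) of an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        line = re.sub(r"^250[ -]", "", line.strip())  # raw or smtplib-stripped
        words = line.replace("=", " ").split()         # legacy "AUTH=PLAIN LOGIN"
        if words and words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return mechs

def cleartext_before_tls(pre_tls_ehlo: str) -> list:
    """Cleartext mechanisms offered before STARTTLS; empty list means fixed."""
    return sorted(auth_mechs(pre_tls_ehlo) & CLEARTEXT)

def check_server(host: str, port: int = 587):
    """Live check: EHLO in the clear, then again after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = cleartext_before_tls(s.ehlo_resp.decode("latin-1"))
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        after = sorted(auth_mechs(s.ehlo_resp.decode("latin-1")))
    return before, after

# Constructed EHLO replies (not captured from a real server).
BEFORE_FIX = ("250-mail.example.test Hello\n250-SIZE 52428800\n"
              "250-AUTH PLAIN LOGIN\n250-STARTTLS\n250 HELP")
AFTER_FIX = ("250-mail.example.test Hello\n250-SIZE 52428800\n"
             "250-STARTTLS\n250 HELP")
AFTER_FIX_TLS = ("250-mail.example.test Hello\n250-SIZE 52428800\n"
                 "250-AUTH PLAIN LOGIN\n250 HELP")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 check_auth.py mail.example.test
        before, after = check_server(sys.argv[1])
        print("cleartext AUTH before STARTTLS:", before or "none")
        print("AUTH after STARTTLS:", after or "none")
        sys.exit(1 if before else 0)
    print(cleartext_before_tls(BEFORE_FIX), cleartext_before_tls(AFTER_FIX))
```

The live check verifies the server certificate with the default trust store, so a self-signed certificate makes it fail at STARTTLS rather than report a result.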