Mail Server Accepts Plaintext Credentials

Discussion in 'Installation/Configuration' started by brody182, Nov 24, 2018.

  1. brody182

    brody182 Member

    SMTP and POP3 Service Clear text Login Permitted debian server

How do I disable the plaintext authentication methods on my SMTP server for unencrypted (non-SSL/TLS) sessions? How do I use more advanced challenge-based authentication methods like CRAM-MD5 or DIGEST-MD5?
     
  2. brody182

    brody182 Member

These files should not allow plain-text login:

    debian_dovecot.conf.master
    sasl_smtpd.conf.master

This is a security issue:
    Malicious users could obtain mail server credentials by sniffing the traffic. This can allow unauthorized users to use the mail server as an open mail relay. It may also lead to compromise of account credentials that can be used to access other mail services like POP3 and IMAP.
     
    Last edited: Nov 24, 2018
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

Are you sure plain text is allowed? I thought setting up following the Perfect Server guide disabled it.
    Won't using a certificate make the traffic, including the login, encrypted?
     
  4. brody182

    brody182 Member

The login method should not be PLAIN, as shown below. Something much better is CRAM-MD5 or DIGEST-MD5.

    Code:
    dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=15961,
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

As @Taleman said, PLAIN authentication over SSL/TLS will also stop anyone sniffing passwords. For Dovecot use disable_plaintext_auth=yes, and for Postfix set both 'smtpd_sasl_security_options = noanonymous, noplaintext' and 'smtpd_sasl_tls_security_options = noanonymous'.
     
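An added audit script, not part of the thread or of ISPConfig, that checks a Postfix main.cf and a Dovecot configuration file for the settings named in the reply above: `noplaintext` must appear in `smtpd_sasl_security_options` (the list that applies to unencrypted sessions), and Dovecot's `disable_plaintext_auth` must be `yes`. It assumes the usual `key = value` file format where the last occurrence of a key wins; the sample files it builds when run with `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit Postfix and Dovecot config files
# for plaintext-auth exposure on unencrypted sessions.
# Usage: sh audit_plain_auth.sh /etc/postfix/main.cf /etc/dovecot/dovecot.conf
#        sh audit_plain_auth.sh demo   (runs against constructed sample files)

# Effective value of KEY in FILE: last non-comment "key = value" line wins,
# which matches how Postfix and Dovecot resolve repeated keys (assumption:
# single-line values only; Postfix continuation lines are not handled).
conf_value() {
    key="$1"; file="$2"
    grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Postfix: the non-TLS SASL policy must contain "noplaintext" so PLAIN/LOGIN
# are refused before STARTTLS. smtpd_sasl_tls_security_options may omit it,
# because that list only applies once the session is encrypted.
check_postfix() {
    opts=$(conf_value smtpd_sasl_security_options "$1")
    case ",$(printf '%s' "$opts" | tr -d ' ')," in
        *,noplaintext,*)
            echo "postfix: OK  smtpd_sasl_security_options = $opts"; return 0 ;;
        *)
            echo "postfix: WEAK smtpd_sasl_security_options = '$opts' (no noplaintext)"; return 1 ;;
    esac
}

# Dovecot: disable_plaintext_auth=yes refuses PLAIN/LOGIN on connections that
# are neither TLS nor local. An unset key is reported separately (Dovecot's
# compiled-in default is yes, but an explicit setting is easier to audit).
check_dovecot() {
    v=$(conf_value disable_plaintext_auth "$1")
    case "$v" in
        yes) echo "dovecot: OK  disable_plaintext_auth = yes"; return 0 ;;
        "")  echo "dovecot: WARN disable_plaintext_auth not set explicitly"; return 2 ;;
        *)   echo "dovecot: WEAK disable_plaintext_auth = $v"; return 1 ;;
    esac
}

if [ "$1" = "demo" ]; then
    d=$(mktemp -d)
    # Constructed sample files: one weak pair, one hardened pair.
    printf 'smtpd_sasl_security_options = noanonymous\n' > "$d/weak.cf"
    printf '# hardened\nsmtpd_sasl_security_options = noanonymous, noplaintext\nsmtpd_sasl_tls_security_options = noanonymous\n' > "$d/good.cf"
    printf 'disable_plaintext_auth = no\n' > "$d/weak.conf"
    printf 'disable_plaintext_auth=yes\n' > "$d/good.conf"
    check_postfix "$d/weak.cf";  check_dovecot "$d/weak.conf"
    check_postfix "$d/good.cf";  check_dovecot "$d/good.conf"
    rm -rf "$d"
elif [ "$#" -eq 2 ]; then
    check_postfix "$1"; p=$?
    check_dovecot "$2"; v=$?
    [ "$p" -eq 0 ] && [ "$v" -eq 0 ]
fi
```

Run it against the live files after `postconf -n` style review, or before reloading a changed configuration; a non-zero exit means at least one daemon would still accept PLAIN credentials on an unencrypted session.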