Force TLS authentication by SMTP - Plesk with submission
Hello,
I am using PLESK 8.3 with "Enable message submission" ON and "Relaying" set to CLOSED. Everything works just fine, but I want to force my SMTP users to use TLS encryption only and block them from using just simple PLAIN authentication. I read about setting FORCE_TLS=1 on some QMAIL sites (http://qmail.jms1.net/), but I am not sure where to set it so that it does not conflict with PLESK.
Thank you.
Adrik
Hello scott,
I have already tried this, but without effect.
It looks like xinetd is ignoring this setting
service submission
{
socket_type = stream
protocol = tcp
wait = no
disable = no
user = qmaild
instances = UNLIMITED
env = SUBMISSION=1 SMTPAUTH=1 FORCE_TLS=1
server = /var/qmail/bin/tcp-env
server_args = -Rt0 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
Adrik
Yeah, you'll probably need to build your own qmail with the patch on that page you linked to. If you want to go that route check out http://kb.swsoft.com/en/1161
Lemonbit Internet Dedicated Server Management
You know that could be in the smtp_auth piece, take a look at /etc/xinetd.d/submission_psa
service submission
{
disable = no
socket_type = stream
protocol = tcp
wait = no
user = qmaild
instances = UNLIMITED
env = SUBMISSION=1 SMTPAUTH=1
server = /var/qmail/bin/tcp-env
server_args = -Rt0 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
And for your diet-coke way of "forcing TLS".. do that to smtps_psa, and just make everyone use port 465.
Thank you,
till now I did not find the solution.
My goal is to allow only encrypted authorization methods for SMTP. Non-encrypted authorization should be blocked (LOGIN, PLAIN). It doesn't matter if it is SSL or TLS.
I have already tried it with SSL, but I did not find the solution as well. I can allow SMTP authorisation in Plesk by setting Relay options to: "authorization is required - SMTP". SSL is working fine, but the PLAIN authorisation is working also. I don't like it if anybody can see the password with nmap. Anyway, most of my clients are using the same password for mail/ftp/ssh.
Adrik
Assuming they're hitting the SSL SMTP port (465), the entire session is encrypted. With 25 and 587, as soon as they issue the STARTTLS command the session would also be encrypted.
Provided your users are hitting 465, then intercepting the user's password will not be an issue. You should also ensure that your imap/pop connections are also using the SSL ports (993 and 995 respectively), and that your certificates on SMTP and IMAP/SSL are not using the Plesk defaults.
Hello Scott,
thank you for your information. SSL is working fine for me, exactly as you write. That is no problem for me. The problem is that my users can still use a PLAIN (NO TLS) configuration to authenticate with SMTP for relaying using port 25. Of course they can also use TLS (25) and SSL (465). That is OK for me. My objective is to DISABLE "No TLS" (PLAIN) SMTP authentication for relaying on port 25 and force my users to set their mail clients accordingly to use TLS (25) or SSL (465) with SMTP. Any idea how I can do it?
I don't have the problem of blocking my users from using POP3 and IMAP. I can leave the Plesk config as it is and simply block the ports with the firewall accordingly. Then they are forced to configure their mail clients to use POP3S and IMAPS accordingly.
Thank you.
Adrik
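One way to verify the goal discussed in this thread (no PLAIN or LOGIN offered before TLS on ports 25/587), added here as an example and not part of any post: it inspects the EHLO reply a server gives before STARTTLS. The function names `auth_mechs`, `audit` and `probe` and the two sample replies are constructed for illustration.

```python
import re
import smtplib

# PLAIN and LOGIN send the password itself (base64 is an encoding, not encryption).
# CRAM-MD5 is challenge-response, so it is not counted as cleartext here.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def _keywords(ehlo_reply):
    """Yield EHLO keyword lines, accepting raw '250-...' lines or smtplib's stripped form."""
    for line in ehlo_reply.splitlines():
        yield re.sub(r"^250[- ]", "", line.strip())

def auth_mechs(ehlo_reply):
    """Return advertised SASL mechanisms ('AUTH A B' and the legacy 'AUTH=A B' spelling)."""
    mechs = set()
    for line in _keywords(ehlo_reply):
        m = re.match(r"AUTH[ =](.*)$", line, re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def audit(pre_tls_reply):
    """Findings for the EHLO reply seen before any TLS has been negotiated."""
    findings = []
    exposed = auth_mechs(pre_tls_reply) & CLEARTEXT_MECHS
    if exposed:
        findings.append("cleartext AUTH offered without TLS: " + ", ".join(sorted(exposed)))
    if not any(k.upper() == "STARTTLS" for k in _keywords(pre_tls_reply)):
        findings.append("STARTTLS not offered")
    return findings

def probe(host, port=587, timeout=10.0):
    """Live check against a server you administer (host and port supplied by the caller)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        _code, reply = s.ehlo()  # reply is bytes with the '250' prefixes already removed
        return audit(reply.decode("ascii", "replace"))

# Constructed sample replies, not captured from any real server.
WEAK = ("250-mail.example.test\n250-AUTH=LOGIN CRAM-MD5 PLAIN\n"
        "250-AUTH LOGIN CRAM-MD5 PLAIN\n250-STARTTLS\n250 8BITMIME")
ENFORCED = "250-mail.example.test\n250-STARTTLS\n250 8BITMIME"

if __name__ == "__main__":
    print(audit(WEAK))      # server still accepts passwords in the clear
    print(audit(ENFORCED))  # AUTH only appears after STARTTLS
```

An empty list from `probe()` on ports 25 and 587 means the server no longer offers PLAIN or LOGIN before encryption; port 465 is TLS from the first byte and needs no such check.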