• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question How to fix cleartext IMAP / FTP

Edi Duluman

Edi Duluman

Basic Pleskian
Hello!

I am trying to be PCI Compliant on three servers and the latest scan ( when I thought I'm done ) tells me there are two issues to deal with:

Code: 
ftp receives cleartext password

Risk: High (3)
Port: 21/tcp
Protocol: tcp
Threat ID: ftp_clear

I am confused on the FTP problem because I already checked Allow only Secure FTP connections in Tools & Settings > Security Policy


Code: 
imap receives cleartext password

Risk: High (3)
Port: 143/tcp
Protocol: tcp
Threat ID: mail_imap_clear

Information From Target:
Service: imap
Received:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
GET BAD Error in IMAP command received by server.
* BAD Error in IMAP command received by server.
* BYE Too many invalid IMAP commands.


Now, when it comes to IMAP, I already did the disable_plaintext_auth = yes setting in Dovecot, notice LOGINDISABLED before AUTH mechanisms.

I also ran the pci_compliance_resolver --enable dovecot ( and proftpd ), as well as the following in proftpd.conf

Code: 
    # common settings for all virtual hosts
    TLSEngine on
    TLSRequired on

Now I'm successfully connecting to FTP ( SSL/TLS Explicit Encryption ), port 21 ( configured PassivePorts, all works fine ) and if I'm tyring to connect with No Encryption it returns me this error which is normal behavior:

Code: 
Connection failed.
SSL/TLS required on the control channel

I tend to think, since they say "FTP is a cleartext protocol", they probably mean I should not have the port open. But that makes me wonder, how am I supposed to connect to my server's files if FTP is down ?

Can I have FTPS on another port so they don't cry about this one ? Or is it a bad solution ?

Please tell me what you think, I'm running out of ideas, as I tend to think they don't even bother checking if I allow only encrypted connections via port 21. Guess they just check the port, assume it's unencrypted and that's it.

Thank you for reading all the way through.
 
Hi Edi Duluman,

Edi Duluman said:
I am confused on the FTP problem because I already checked Allow only Secure FTP connections in Tools & Settings > Security Policy
Click to expand...
... and people willing to help you are confused, because the don't provide any configuration files from your server here, nor do you let us know, what operating system you use and last but not least, you don't even state, which Plesk version ( incl. MU ) you use.


Edi Duluman said:
I tend to think, since they say "FTP is a cleartext protocol", they probably mean I should not have the port open. But that makes me wonder, how am I supposed to connect to my server's files if FTP is down ?
Click to expand...
Sorry, but we are not able to answer such questions, or thoughts. These would just be shoots out of the blue, not based on facts. Pls. consider to ASK THEM, what configuration they expect and configure it based on their suggestions.

Edi Duluman said:
Please tell me what you think, I'm running out of ideas, as I tend to think they don't even bother checking if I allow only encrypted connections via port 21. Guess they just check the port, assume it's unencrypted and that's it.
Click to expand...
... and again: Pls. don't let us guess, what other people might think or expect.


Btw.: Such PCI compliant test/scans are always based on THEIR documentations and this is a plesk-related forum. You are asking questions, whereby people who would like to help you with PLESK-RELATED questions, do not even have the opportunity to investigate their standards, due to the fact that we don't even know what company you are trying to work with. :rolleyes:
 
OK. I'm actually feeling bad asking for help. No need to make me feel like I killed anyone by posting this. I'll just try and get a hold of those guys at ControlScan, as they don't seem to reply.

Thanks.
 
Hi Edi Duluman,

Edi Duluman said:
OK. I'm actually feeling bad asking for help. No need to make me feel like I killed anyone by posting this.
Click to expand...
Sorry, Edi... my contribution is not to be considered as an offense or an attack, but you should know that you should pay attention to a few principles, as we use effort and time when we try to help Plesk users.
 
You must log in or register to reply here.

Similar threads

J
Issue DEBIAN 12 OPENSSL 3.0 DOVECOT does not allow login
Replies
1
Views
573
Yaroslav_T
Yaroslav_T
S
Resolved Dovecot Broken After Latest Update
Replies
4
Views
1K
scpcomp
S
Gh()st
Issue Remote Storage FTP(S) Issue
Replies
1
Views
842
paulrm
P
C
Issue Errors with Plesk scheduled backups
Replies
2
Views
742
cmartinez127
C
L
Resolved IMAP not working with STARTTLS or SSL/TLS Mailserver Dovecot Problem
Replies
3
Views
3K
lberens
L
Back
Top