• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Question How to fix cleartext IMAP / FTP

Edi Duluman

Edi Duluman

Basic Pleskian
Hello!

I am trying to be PCI Compliant on three servers and the latest scan ( when I thought I'm done ) tells me there are two issues to deal with:

Code: 
ftp receives cleartext password

Risk: High (3)
Port: 21/tcp
Protocol: tcp
Threat ID: ftp_clear

I am confused on the FTP problem because I already checked Allow only Secure FTP connections in Tools & Settings > Security Policy


Code: 
imap receives cleartext password

Risk: High (3)
Port: 143/tcp
Protocol: tcp
Threat ID: mail_imap_clear

Information From Target:
Service: imap
Received:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
GET BAD Error in IMAP command received by server.
* BAD Error in IMAP command received by server.
* BYE Too many invalid IMAP commands.


Now, when it comes to IMAP, I already did the disable_plaintext_auth = yes setting in Dovecot, notice LOGINDISABLED before AUTH mechanisms.

I also ran the pci_compliance_resolver --enable dovecot ( and proftpd ), as well as the following in proftpd.conf

Code: 
    # common settings for all virtual hosts
    TLSEngine on
    TLSRequired on

Now I'm successfully connecting to FTP ( SSL/TLS Explicit Encryption ), port 21 ( configured PassivePorts, all works fine ) and if I'm tyring to connect with No Encryption it returns me this error which is normal behavior:

Code: 
Connection failed.
SSL/TLS required on the control channel

I tend to think, since they say "FTP is a cleartext protocol", they probably mean I should not have the port open. But that makes me wonder, how am I supposed to connect to my server's files if FTP is down ?

Can I have FTPS on another port so they don't cry about this one ? Or is it a bad solution ?

Please tell me what you think, I'm running out of ideas, as I tend to think they don't even bother checking if I allow only encrypted connections via port 21. Guess they just check the port, assume it's unencrypted and that's it.

Thank you for reading all the way through.
 
Hi Edi Duluman,

Edi Duluman said:
I am confused on the FTP problem because I already checked Allow only Secure FTP connections in Tools & Settings > Security Policy
Click to expand...
... and people willing to help you are confused, because the don't provide any configuration files from your server here, nor do you let us know, what operating system you use and last but not least, you don't even state, which Plesk version ( incl. MU ) you use.


Edi Duluman said:
I tend to think, since they say "FTP is a cleartext protocol", they probably mean I should not have the port open. But that makes me wonder, how am I supposed to connect to my server's files if FTP is down ?
Click to expand...
Sorry, but we are not able to answer such questions, or thoughts. These would just be shoots out of the blue, not based on facts. Pls. consider to ASK THEM, what configuration they expect and configure it based on their suggestions.

Edi Duluman said:
Please tell me what you think, I'm running out of ideas, as I tend to think they don't even bother checking if I allow only encrypted connections via port 21. Guess they just check the port, assume it's unencrypted and that's it.
Click to expand...
... and again: Pls. don't let us guess, what other people might think or expect.


Btw.: Such PCI compliant test/scans are always based on THEIR documentations and this is a plesk-related forum. You are asking questions, whereby people who would like to help you with PLESK-RELATED questions, do not even have the opportunity to investigate their standards, due to the fact that we don't even know what company you are trying to work with. :rolleyes:
 
OK. I'm actually feeling bad asking for help. No need to make me feel like I killed anyone by posting this. I'll just try and get a hold of those guys at ControlScan, as they don't seem to reply.

Thanks.
 
Hi Edi Duluman,

Edi Duluman said:
OK. I'm actually feeling bad asking for help. No need to make me feel like I killed anyone by posting this.
Click to expand...
Sorry, Edi... my contribution is not to be considered as an offense or an attack, but you should know that you should pay attention to a few principles, as we use effort and time when we try to help Plesk users.
 
You must log in or register to reply here.

Similar threads

Gh()st
Issue Remote Storage FTP(S) Issue
Replies
1
Views
317
paulrm
P
C
Issue Errors with Plesk scheduled backups
Replies
2
Views
218
cmartinez127
C
L
Resolved IMAP not working with STARTTLS or SSL/TLS Mailserver Dovecot Problem
Replies
3
Views
2K
lberens
L
zwankie
Question Also allow non-SSL SMTP Connections
Replies
2
Views
1K
zwankie
zwankie
Endre
Issue Unable to access the remote backup storage using SFTP
Replies
6
Views
1K
Endre
Endre
Back
Top