• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • Our UX team believes in the in the power of direct feedback and would like to invite you to participate in interviews, tests, and surveys.
    To stay in the loop and never miss an opportunity to share your thoughts, please subscribe to our UX research program. If you were previously part of the Plesk UX research program, please re-subscribe to continue receiving our invitations.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Question How to fix cleartext IMAP / FTP

Edi Duluman

Edi Duluman

Basic Pleskian
Hello!

I am trying to be PCI Compliant on three servers and the latest scan ( when I thought I'm done ) tells me there are two issues to deal with:

Code: 
ftp receives cleartext password

Risk: High (3)
Port: 21/tcp
Protocol: tcp
Threat ID: ftp_clear

I am confused on the FTP problem because I already checked Allow only Secure FTP connections in Tools & Settings > Security Policy


Code: 
imap receives cleartext password

Risk: High (3)
Port: 143/tcp
Protocol: tcp
Threat ID: mail_imap_clear

Information From Target:
Service: imap
Received:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
GET BAD Error in IMAP command received by server.
* BAD Error in IMAP command received by server.
* BYE Too many invalid IMAP commands.


Now, when it comes to IMAP, I already did the disable_plaintext_auth = yes setting in Dovecot, notice LOGINDISABLED before AUTH mechanisms.

I also ran the pci_compliance_resolver --enable dovecot ( and proftpd ), as well as the following in proftpd.conf

Code: 
    # common settings for all virtual hosts
    TLSEngine on
    TLSRequired on

Now I'm successfully connecting to FTP ( SSL/TLS Explicit Encryption ), port 21 ( configured PassivePorts, all works fine ) and if I'm tyring to connect with No Encryption it returns me this error which is normal behavior:

Code: 
Connection failed.
SSL/TLS required on the control channel

I tend to think, since they say "FTP is a cleartext protocol", they probably mean I should not have the port open. But that makes me wonder, how am I supposed to connect to my server's files if FTP is down ?

Can I have FTPS on another port so they don't cry about this one ? Or is it a bad solution ?

Please tell me what you think, I'm running out of ideas, as I tend to think they don't even bother checking if I allow only encrypted connections via port 21. Guess they just check the port, assume it's unencrypted and that's it.

Thank you for reading all the way through.
 
Hi Edi Duluman,

Edi Duluman said:
I am confused on the FTP problem because I already checked Allow only Secure FTP connections in Tools & Settings > Security Policy
Click to expand...
... and people willing to help you are confused, because the don't provide any configuration files from your server here, nor do you let us know, what operating system you use and last but not least, you don't even state, which Plesk version ( incl. MU ) you use.


Edi Duluman said:
I tend to think, since they say "FTP is a cleartext protocol", they probably mean I should not have the port open. But that makes me wonder, how am I supposed to connect to my server's files if FTP is down ?
Click to expand...
Sorry, but we are not able to answer such questions, or thoughts. These would just be shoots out of the blue, not based on facts. Pls. consider to ASK THEM, what configuration they expect and configure it based on their suggestions.

Edi Duluman said:
Please tell me what you think, I'm running out of ideas, as I tend to think they don't even bother checking if I allow only encrypted connections via port 21. Guess they just check the port, assume it's unencrypted and that's it.
Click to expand...
... and again: Pls. don't let us guess, what other people might think or expect.


Btw.: Such PCI compliant test/scans are always based on THEIR documentations and this is a plesk-related forum. You are asking questions, whereby people who would like to help you with PLESK-RELATED questions, do not even have the opportunity to investigate their standards, due to the fact that we don't even know what company you are trying to work with. :rolleyes:
 
OK. I'm actually feeling bad asking for help. No need to make me feel like I killed anyone by posting this. I'll just try and get a hold of those guys at ControlScan, as they don't seem to reply.

Thanks.
 
Hi Edi Duluman,

Edi Duluman said:
OK. I'm actually feeling bad asking for help. No need to make me feel like I killed anyone by posting this.
Click to expand...
Sorry, Edi... my contribution is not to be considered as an offense or an attack, but you should know that you should pay attention to a few principles, as we use effort and time when we try to help Plesk users.
 
You must log in or register to reply here.

Similar threads

R
Issue Unable to connect to FTP via
Replies
4
Views
688
kilowhisky65
K
B
Resolved How do I enable FTPS?
Replies
10
Views
996
Kaspar
K
Boas Simon
Resolved Dovecot IMAP issues with Plesk Premium Email (Kolab)
Replies
7
Views
12K
Kaspar@Plesk
Kaspar@Plesk
A
Issue FTP - Insecure server, it does not support FTP over TLS.
Replies
3
Views
590
Alban Staehli
A
Polli
Issue Mails only possible with a wildcard certificate
Replies
5
Views
386
Polli
Polli
Back
Top