
Resolved PCI Compliance Resolver and Dovecot

Richard18

Basic Pleskian
I want to turn off plain text auth for POP3/IMAP, am I right in thinking that the following will only alter the setting I need? I'm using Dovecot.
plesk sbin pci_compliance_resolver --enable dovecot

This page: Tune Plesk to Meet PCI DSS on Linux has some information, but nothing specific; it just says that the PCI Compliance Resolver "Sets disable_plaintext_auth = yes for Dovecot.", so if I only run it with "--enable dovecot" will it only change the settings for Dovecot?

Would be nice if that page listed exactly what the tool does for each service listed.
 
Thanks for confirming, that did indeed work!

I don't suppose you know exactly what "--enable postfix" does?

I wonder if it sets "smtpd_tls_auth_only=yes"?
 
Hi Richard18,

I don't suppose you know exactly what "--enable postfix" does?
You are able to investigate that all by yourself, by comparing your (backup) files with the new configuration files master.cf + main.cf

Example commands:
Code:
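# Back up the current Postfix configuration
cp /etc/postfix/main.cf /etc/postfix/main.cf.backup
cp /etc/postfix/master.cf /etc/postfix/master.cf.backup

# Apply the PCI settings for Postfix
plesk sbin pci_compliance_resolver --enable postfix

# Compare the new files with the backups (full paths, so this works from any directory)
diff /etc/postfix/main.cf /etc/postfix/main.cf.backup
diff /etc/postfix/master.cf /etc/postfix/master.cf.backup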

If you don't like the changes, just delete the new configuration files and copy your backup files to the original names. ;)
 
I didn't want to assume the PCI compliance tool only changed those 2 files.

Something official from Plesk would be great!

However, thanks for your help, I'll try your suggestion!
 
After running: plesk sbin pci_compliance_resolver --enable postfix

The following changes are made to main.cf:
Code:
tls_medium_cipherlist = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES
smtpd_tls_mandatory_protocols = TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1.1 TLSv1.2
tls_ssl_options = no_compression
smtpd_tls_dh1024_param_file = /opt/psa/etc/dhparams2048.pem

Just like the PCI article says ;)

But PLAIN AUTH was still available. It seems strange that the PCI tool disables plain text auth on other services (Dovecot, Courier), but not Postfix.
Code:
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN

To disable PLAIN AUTH I still had to add the following to main.cf, which, to be fair, I could have done without running the PCI tool!
Code:
smtp_sasl_security_options = noanonymous, noplaintext 
smtp_sasl_tls_security_options = noanonymous 
smtpd_sasl_security_options = noanonymous, noplaintext 
smtpd_sasl_tls_security_options = noanonymous

The result:
Code:
250-AUTH DIGEST-MD5 CRAM-MD5
 