
Resolved PCI Compliance Resolver and Dovecot

Richard18

Basic Pleskian
I want to turn off plain text auth for POP3/IMAP, am I right in thinking that the following will only alter the setting I need? I'm using Dovecot.
plesk sbin pci_compliance_resolver --enable dovecot

This page: Tune Plesk to Meet PCI DSS on Linux has some information, but nothing specific, it just says that the PCI Compliance Resolver "Sets disable_plaintext_auth = yes for Dovecot.", so if I only run it with "--enable dovecot" will it only change the settings for Dovecot?

Would be nice if that page listed exactly what the tool does for each service listed.
 
Thanks for confirming, that did indeed work!

I don't suppose you know exactly what "--enable postfix" does?

I wonder if it sets "smtpd_tls_auth_only=yes"?
 
Hi Richard18,

I don't suppose you know exactly what "--enable postfix" does?
You are able to investigate that all by yourself, by comparing your (backup) files with the new configuration files master.cf + main.cf

Example commands:
Code:
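# Back up the current configuration first
cp /etc/postfix/main.cf /etc/postfix/main.cf.backup
cp /etc/postfix/master.cf /etc/postfix/master.cf.backup

plesk sbin pci_compliance_resolver --enable postfix

# Compare old against new; full paths so this works from any directory
diff /etc/postfix/main.cf.backup /etc/postfix/main.cf
diff /etc/postfix/master.cf.backup /etc/postfix/master.cf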

If you don't like the changes, just delete the new configuration files and copy your backup files back to their original names. ;)
 
I didn't want to assume the PCI compliance tool only changed those 2 files.

Something official from Plesk would be great!

However, thanks for your help, I'll try your suggestion!
 
After running: plesk sbin pci_compliance_resolver --enable postfix

The following changes are made to main.cf:
Code:
tls_medium_cipherlist = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES
smtpd_tls_mandatory_protocols = TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1.1 TLSv1.2
tls_ssl_options = no_compression
smtpd_tls_dh1024_param_file = /opt/psa/etc/dhparams2048.pem

Just like the PCI article says ;)

But, PLAIN AUTH was still available, it seems strange that the PCI tool disables plain text auth on other services (Dovecot, Courier), but not Postfix.
Code:
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN

To disable PLAIN AUTH I still had to add the following to main.cf, which, to be fair, I could have done without running the PCI tool!
Code:
smtp_sasl_security_options = noanonymous, noplaintext 
smtp_sasl_tls_security_options = noanonymous 
smtpd_sasl_security_options = noanonymous, noplaintext 
smtpd_sasl_tls_security_options = noanonymous

The result:
Code:
250-AUTH DIGEST-MD5 CRAM-MD5
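
An added example, not part of the thread and not Plesk's own tooling: a small shell check that extracts the AUTH mechanisms from an EHLO reply and reports whether PLAIN or LOGIN is offered. The sample replies are constructed around the two AUTH lines quoted above, and `mail.example.test` is a placeholder hostname.

```shell
#!/bin/sh
# auth_mechs: read an EHLO reply on stdin, print one AUTH mechanism per line.
# Accepts "250-AUTH ...", a final "250 AUTH ..." and the legacy "250-AUTH=..." form.
auth_mechs() {
    tr -d '\r' | awk '
        /^250[- ]AUTH[ =]/ {
            sub(/^250[- ]AUTH[ =]/, "")
            n = split($0, m, /[ \t]+/)
            for (i = 1; i <= n; i++) if (m[i] != "") print toupper(m[i])
        }' | sort -u
}

# plaintext_mechs: same input, print only the mechanisms that expose the password.
plaintext_mechs() {
    auth_mechs | grep -E '^(PLAIN|LOGIN)$' || true
}

# check_ehlo LABEL: returns 0 when no plaintext mechanism is advertised, 1 otherwise.
check_ehlo() {
    found=$(plaintext_mechs | tr '\n' ' ')
    if [ -n "$found" ]; then
        echo "$1: plaintext AUTH offered: $found"
        return 1
    fi
    echo "$1: no plaintext AUTH offered"
}

# Constructed sample replies; only the AUTH lines come from the thread,
# the hostname and the other capability lines are placeholders.
EHLO_BEFORE='250-mail.example.test
250-PIPELINING
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250 8BITMIME'
EHLO_AFTER='250-mail.example.test
250-PIPELINING
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5
250 8BITMIME'

printf '%s\n' "$EHLO_BEFORE" | check_ehlo before || true
printf '%s\n' "$EHLO_AFTER"  | check_ehlo after
```

On a live server, feed the function the EHLO reply captured both before and after STARTTLS, since `smtpd_sasl_tls_security_options` controls what is advertised on the encrypted session separately from `smtpd_sasl_security_options`.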
 