Resolved PCI Compliance Resolver and Dovecot

[Richard18]

I want to turn off plain text auth for POP3/IMAP, am I right in thinking that the following will only alter the setting I need? I'm using Dovecot.

plesk sbin pci_compliance_resolver --enable dovecot

This page: Tune Plesk to Meet PCI DSS on Linux has some information, but nothing specific, it just says the aht PCI Compliance Resolver "Sets disable_plaintext_auth = yes for Dovecot.", so if I only run it with "--enable dovecot" will it only change the settings for Dovecot?

Would be nice if that page listed exactly what the tool does for each service listed.

 

[UFHH01]

Hi Richard18,

so if I only run it with "--enable dovecot" will it only change the settings for Dovecot?

Correct.

 

[Richard18]

Thanks for confirming, that did indeed work!

I don't suppose you know exactly what "--enable postfix" does?

I wonder if it sets "smtpd_tls_auth_only=yes"?

 

[UFHH01]

Hi Richard18,

I don't suppose you know exactly what "--enable postfix" does?

You are able to investigate that all by yourself, by compairing your (backup) files with the new configuration files master.cf + main.cf

Example commands:

cp /etc/postfix/main.cf /etc/postfix/main.cf.backup
cp /etc/postfix/master.cf /etc/postfix/master.cf.backup

plesk sbin pci_compliance_resolver --enable postfix

diff main.cf main.cf.backup
diff master.cf master.cf.backup

If you don't like the changes, just delete the new configuration files and copy your backup - files to the origin names. ​

 

[Richard18]

I didn't want to assume the PCI compliance tool only changed those 2 files.

Something official from Plesk would be great!

However, thanks for your help, I'll try your suggestion!

 

[Richard18]

After running : plesk sbin pci_compliance_resolver --enable postfix

The following changes are made to main.cf:

tls_medium_cipherlist = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES
smtpd_tls_mandatory_protocols = TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1.1 TLSv1.2
tls_ssl_options = no_compression
smtpd_tls_dh1024_param_file = /opt/psa/etc/dhparams2048.pem

Just like the PCI article says

But, PLAIN AUTH was still available, it seems strange that the PCI tool disables plain text auth on other services (Dovecot, Courier), but not Postfix.

250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN

To disable PLAIN AUTH I still had to add the following to main.cf, which, to be fair, I could have done without running the PCI tool!

smtp_sasl_security_options = noanonymous, noplaintext 
smtp_sasl_tls_security_options = noanonymous 
smtpd_sasl_security_options = noanonymous, noplaintext 
smtpd_sasl_tls_security_options = noanonymous

The result:

250-AUTH DIGEST-MD5 CRAM-MD5