
Resolved PCI Compliance Resolver and Dovecot

Richard18

Basic Pleskian
I want to turn off plain text auth for POP3/IMAP, am I right in thinking that the following will only alter the setting I need? I'm using Dovecot.
plesk sbin pci_compliance_resolver --enable dovecot

This page: Tune Plesk to Meet PCI DSS on Linux has some information, but nothing specific, it just says the PCI Compliance Resolver "Sets disable_plaintext_auth = yes for Dovecot.", so if I only run it with "--enable dovecot" will it only change the settings for Dovecot?

Would be nice if that page listed exactly what the tool does for each service listed.
 
Thanks for confirming, that did indeed work!

I don't suppose you know exactly what "--enable postfix" does?

I wonder if it sets "smtpd_tls_auth_only=yes"?
 
Hi Richard18,

I don't suppose you know exactly what "--enable postfix" does?
You are able to investigate that all by yourself, by comparing your (backup) files with the new configuration files master.cf + main.cf

Example commands:
Code:
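# Back up the current Postfix configuration
cp /etc/postfix/main.cf /etc/postfix/main.cf.backup
cp /etc/postfix/master.cf /etc/postfix/master.cf.backup

# Apply the PCI settings for Postfix
plesk sbin pci_compliance_resolver --enable postfix

# Compare the new files with the backups (full paths, so this works from any directory)
diff /etc/postfix/main.cf /etc/postfix/main.cf.backup
diff /etc/postfix/master.cf /etc/postfix/master.cf.backup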

If you don't like the changes, just delete the new configuration files and copy your backup files to the original names. ;)
 
I didn't want to assume the PCI compliance tool only changed those 2 files.

Something official from Plesk would be great!

However, thanks for your help, I'll try your suggestion!
 
After running: plesk sbin pci_compliance_resolver --enable postfix

The following changes are made to main.cf:
Code:
tls_medium_cipherlist = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES
smtpd_tls_mandatory_protocols = TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1.1 TLSv1.2
tls_ssl_options = no_compression
smtpd_tls_dh1024_param_file = /opt/psa/etc/dhparams2048.pem

Just like the PCI article says ;)

But, PLAIN AUTH was still available, it seems strange that the PCI tool disables plain text auth on other services (Dovecot, Courier), but not Postfix.
Code:
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN

To disable PLAIN AUTH I still had to add the following to main.cf, which, to be fair, I could have done without running the PCI tool!
Code:
smtp_sasl_security_options = noanonymous, noplaintext 
smtp_sasl_tls_security_options = noanonymous 
smtpd_sasl_security_options = noanonymous, noplaintext 
smtpd_sasl_tls_security_options = noanonymous

The result:
Code:
250-AUTH DIGEST-MD5 CRAM-MD5
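
Added example, not part of the thread or of Plesk's tooling: a small Python check that parses an EHLO reply and reports whether the plaintext mechanisms PLAIN or LOGIN are advertised, as in the before/after AUTH lines posted above. The host name in the sample replies is constructed, and `probe()` is a hypothetical helper for checking a live server you administer.

```python
import smtplib
import sys

# PLAIN and LOGIN send the password itself (base64 is encoding, not protection).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed EHLO replies; only the AUTH lines are taken from the thread.
SAMPLE_BEFORE = ("250-mail.example.test\n250-PIPELINING\n250-STARTTLS\n"
                 "250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN\n250 8BITMIME")
SAMPLE_AFTER = ("250-mail.example.test\n250-PIPELINING\n250-STARTTLS\n"
                "250-AUTH DIGEST-MD5 CRAM-MD5\n250 8BITMIME")

def auth_mechanisms(ehlo_reply):
    """Return the set of SASL mechanisms advertised in a raw EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        line = line.strip()
        # "250-KEYWORD args" means more lines follow, "250 KEYWORD args" is the last.
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            continue
        keyword, _, args = line[4:].partition(" ")
        # Legacy "AUTH=MECH ..." form that some servers send for old clients.
        if keyword.upper().startswith("AUTH="):
            keyword, args = "AUTH", keyword[5:] + " " + args
        if keyword.upper() == "AUTH":
            mechs.update(m.upper() for m in args.split())
    return mechs

def plaintext_offered(ehlo_reply):
    """Return the plaintext mechanisms (if any) that the reply advertises."""
    return auth_mechanisms(ehlo_reply) & PLAINTEXT_MECHS

def probe(host, port=25):
    """Live check: mechanisms offered before and, if available, after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = set(s.esmtp_features.get("auth", "").upper().split())
        after = None
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo()
            after = set(s.esmtp_features.get("auth", "").upper().split())
    return before, after

if __name__ == "__main__":
    print("before fix:", sorted(plaintext_offered(SAMPLE_BEFORE)))
    print("after fix: ", sorted(plaintext_offered(SAMPLE_AFTER)))
    if len(sys.argv) > 1:  # optional: pass your own mail host as the first argument
        before, after = probe(sys.argv[1])
        print("cleartext session offers:", sorted(before & PLAINTEXT_MECHS))
        print("TLS session offers:", sorted((after or set()) & PLAINTEXT_MECHS))
```

With `smtpd_sasl_tls_security_options = noanonymous` as posted, PLAIN and LOGIN can still be listed after STARTTLS; the setting that removes them from the cleartext session is `smtpd_sasl_security_options = noanonymous, noplaintext`.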
 