Turn off SMTP auth

[ajmahoney]

Hi

Using Plesk 11.0.9 on CentOS 6, it does not appear to be possible to disable SMTP authentication.
We want to use the POP lock however this does not appear to be working with the SMTP authentication also enabled.

The mail server we are using is qmail, I've looked into the command line tools and found that
/usr/local/psa/admin/sbin/mailmng --set-mail-params --smtpauth
will enable this however there does not appear to be any option to disable it.

The Administrators guide suggests this should be possible http://download1.parallels.net/Plesk/PP11/11.0/Doc/en-US/online/plesk-administrator-guide/59430.htm.

Is there anyway to set this up so that POP locking takes precedent over SMTP authentication?

Thanks
Andy M

 

[Faris Raouf]

I can't quite work out what you want to do or what problem you are really having.

Disabling smtp auth is as simple as unticking the box and clicking on OK. It is then disabled. Check /etc/xinetd.d/smtp_psa (and smtps_psa) before and after and you'll see the change.

env             = SMTPAUTH=1

The above means SMTP authentication is enabled. =0 (or maybe also nothing there) means disabled.

There is a bug (aka feature) in some email clients that causes problems when pop-before-relay (pop locking) is enabled. I get the feeling that this is what you are actually up against.

Note that if you have "enable message submission" enabled, then users can use smtp authentication on port 587. This port has no pop-before-relay option, thankfully.

 

[ajmahoney]

Hi Faris,

Unfortunately in Plesk 11 (at least on CentOS 6) it does not appear to be possible to untick the SMTP AUTH box.
Editing the xinetd files to remove SMTP auth support would eventually be overwritten by Plesk.
The sites where recently migrated from a Plesk 8 server, which only has POP locking enabled and works fine with the mail clients, however the new server appears to be requiring SMTP authentication with the POP locking also enabled.

 

[Faris Raouf]

Wow. That's annoying. Hmmm..

In that case I think editing the smtp_psa files (SMTPAUTH=0) and restarting xinetd is the best solution. Unlike most other things, these files don't get routinely overwritten by Plesk. They only (usually) get changed if you make significant global mail settings, such as blacklists and authenticatation settings (or do a full version Plesk upgrade).

A real life example: We use spamdyke (www.spamdyke.org) on almost all our servers and this requires that the smtp_psa files be manually edited. We've been using it for many years now and I have only once needed to re-edit the files to re-enable spamdyke in all that time.

Spamdyke, incidentally, is a very useful anti-spam tool and I highly recommend anyone using qmail to install it. An easy to install rpm is even available from the Atomic repo (RH/Centos/Fedora only) and there's even a GUI available for configuring it and looking at logs. Unfortunately in your case it isn't an option because Spamdyke isn't able to support Plesk's pop-before-relay option :-(

In fact we weaned our customers off pop-before-relay specifically so that we could start using spamdyke on certain systems

 

[ajmahoney]

I've looked into this further and it now appears that POP locking may be working on port 25 and although not being able to disable SMTP AUTH may be an issue, the real issue seems that the submission configuration does not match the smtp configuration.

This seems like a bug to me, although I couldn't say if it's related to not being able to untick SMTP auth.

# diff /etc/xinetd.d/smtp_psa /etc/xinetd.d/submission_psa
5c5
< service smtp
---
> service submission
11c11
< user = root
---
> user = qmaild
14c14
< env = SMTPAUTH=1 POPAUTH=1
---
> env = SUBMISSION=1 SMTPAUTH=1
16c16
< server_args = -Rt0 /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
---
> server_args = -Rt0 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

Faris,
Thanks for your advice regarding how often the xinetd files are overwritten. Creating a working submission file by hand may be the best way to go in the short term, hopefully there is a proper solution before this happens .

Thanks
Andy M

 

[Faris Raouf]

Oh! I understand now.

You can't disable smtp auth on the Submission port. The whole point of it is authenticated smtp. That's why there's no option to disable it in Plesk.

If you want to do something unusual on the Sumbission port then you need to make a copy of the submission_psa then disable Submission in Plesk itself.

Then copy the copy you made back into place and make the changes you need to it. Plesk won't touch it unless you re-enable Submission in Plesk.

One thing you might want to double-check after doing this is to see if /etc/services still contains a line for port 587 tcp submission. This is important only if in the submission_psa file in xinetd.d the port for the service is defined as a string: "submission". In order to know what actual port to listen on, the /etc/services file is used which translates "submission" to 587.

 

[ajmahoney]

Hi Faris,

Thanks, we've found the relevant rfc which describes this http://tools.ietf.org/html/rfc6409#section-4.3 still doesn't explain why SMTP auth cannot be disabled without submission enabled but I don't think this will be a problem.