• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Which e-Mail client authentication method is secure?

S

Sebo

New Pleskian
Hi all,

I have a question regarding the security of the different e-Mail authentication methods (DIGEST-MD5 CRAM-MD5 PLAIN LOGIN).
At the moment I'm providing all of them but I want to restrict them to most secure ones.

What I can see from the maillog is, that most clients are using the PLAIN method by default.
Also the email.mobilconfig profile for iPhone and iPad, which is automatically provided by Plesk, is preconfigured with the PLAIN method.

So I'm not sure if it make sense, to disable the PLAIN method.

I assume that DIGEST-MD5 and CRAM-MD5 are more secure than PLAIN and LOGIN but I'm not sure.
I did't find enough information about this.

Hopefully someone has some more insights.

Thanks for you support!
 
Hello Sebo,

It all depends on various conditions (if there is a secure connection or not, etc).
You can check:
security.stackexchange.com

What is the most secured SMTP authentication type?

Say you have to choose only one among the following authentication types for your own SMTP server: LOGIN, PLAIN CRAM-MD5 DIGEST-MD5 NTLM/SPA/MSN Which one would you recommend for optimal security...
security.stackexchange.com security.stackexchange.com
security.stackexchange.com

How secure is using CRAM-MD5 for email authentication, when not using an SSL connection?

Background: My current server-provider tells me it's no problem to store the passwords in plain-text in the database, saying he has to do so because they use CRAM-MD5 for email authentication. My b...
security.stackexchange.com security.stackexchange.com
security.stackexchange.com

Is DIGEST-MD5 secure if done over HTTPS?

If the DIGEST-MD5 negotiation is done over an HTTPS connection instead of HTTP, does that prevent this list of disadvantages from Wikipedia?: Digest access authentication is intended as a security...
security.stackexchange.com security.stackexchange.com

Our KB article just for your reference:
support.plesk.com

How to prevent plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server?

Applicable to: Plesk for Linux Question How to prevent cleartext / plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server? Answer Note: If you don't have root access to the P...
support.plesk.com support.plesk.com
 
Hi Aytalina,

thanks a lot for the links.

If I understand right, it is basically OK to have the PLAIN method active as long as you use SSL.

Thanks again!
Sebo
 
You must log in or register to reply here.

Similar threads

T
Resolved connection webmail to mailserver fails
Replies
8
Views
2K
Strangelove
Strangelove
S
Resolved Dovecot Broken After Latest Update
Replies
4
Views
1K
scpcomp
S
C
Resolved VPS - Mail Server 'Insufficient Space'
Replies
4
Views
1K
Peter Debik
P
M
Resolved Help request: SSL certificate seems to have trust issues. How to resolve?
Replies
4
Views
907
MHC_1
M
W
Resolved disable plaintext (PLAIN) authentication in imap/dovecot and smtp/postfix breaking webmail/roundcube
Replies
2
Views
7K
Wolfgang Reidlinger
W
Back
Top