• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved Which e-Mail client authentication method is secure?

S

Sebo

New Pleskian
Hi all,

I have a question regarding the security of the different e-Mail authentication methods (DIGEST-MD5 CRAM-MD5 PLAIN LOGIN).
At the moment I'm providing all of them but I want to restrict them to most secure ones.

What I can see from the maillog is, that most clients are using the PLAIN method by default.
Also the email.mobilconfig profile for iPhone and iPad, which is automatically provided by Plesk, is preconfigured with the PLAIN method.

So I'm not sure if it make sense, to disable the PLAIN method.

I assume that DIGEST-MD5 and CRAM-MD5 are more secure than PLAIN and LOGIN but I'm not sure.
I did't find enough information about this.

Hopefully someone has some more insights.

Thanks for you support!
 
Hello Sebo,

It all depends on various conditions (if there is a secure connection or not, etc).
You can check:
security.stackexchange.com

What is the most secured SMTP authentication type?

Say you have to choose only one among the following authentication types for your own SMTP server: LOGIN, PLAIN CRAM-MD5 DIGEST-MD5 NTLM/SPA/MSN Which one would you recommend for optimal security...
security.stackexchange.com security.stackexchange.com
security.stackexchange.com

How secure is using CRAM-MD5 for email authentication, when not using an SSL connection?

Background: My current server-provider tells me it's no problem to store the passwords in plain-text in the database, saying he has to do so because they use CRAM-MD5 for email authentication. My b...
security.stackexchange.com security.stackexchange.com
security.stackexchange.com

Is DIGEST-MD5 secure if done over HTTPS?

If the DIGEST-MD5 negotiation is done over an HTTPS connection instead of HTTP, does that prevent this list of disadvantages from Wikipedia?: Digest access authentication is intended as a security...
security.stackexchange.com security.stackexchange.com

Our KB article just for your reference:
support.plesk.com

How to prevent plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server?

Applicable to: Plesk for Linux Question How to prevent cleartext / plaintext authentication via IMAP/POP3 and SMTP in Postfix on Plesk server? Answer Note: If you don't have root access to the P...
support.plesk.com support.plesk.com
 
Hi Aytalina,

thanks a lot for the links.

If I understand right, it is basically OK to have the PLAIN method active as long as you use SSL.

Thanks again!
Sebo
 
You must log in or register to reply here.

Similar threads

T
Resolved connection webmail to mailserver fails
Replies
8
Views
1K
Strangelove
Strangelove
C
Resolved VPS - Mail Server 'Insufficient Space'
Replies
4
Views
906
Peter Debik
P
W
Resolved disable plaintext (PLAIN) authentication in imap/dovecot and smtp/postfix breaking webmail/roundcube
Replies
2
Views
6K
Wolfgang Reidlinger
W
P
Input Enhancement suggestions for Plesk's fail2ban filters
Replies
1
Views
1K
Maarten.
M
K
Issue Dovecot backup/sync to second server fails - Error: auth-master: userdb lookup
Replies
0
Views
1K
kassi
K
Back
Top