PCI Scan SMTP Service Cleartext Login Permitted

ssgill (Verified User, joined May 9, 2012, 168 messages)
Hello, our PCI scan failed on this issue.

Debian GNU/Linux 11 (bullseye)
DirectAdmin and all installed options are updated to the latest release in custom build.

Title:
SMTP Service Cleartext Login Permitted
Synopsis:
The remote mail server allows cleartext logins.
Impact:
The remote host is running an SMTP server that advertises that it allows
cleartext logins over unencrypted connections. An attacker may be able to
uncover user names and passwords by sniffing traffic to the server if a
less secure authentication mechanism (i.e. LOGIN or PLAIN) is used. See
also : https://tools.ietf.org/html/rfc4422 https://tools.ietf.org/html/rfc4954
Resolution:
Configure the service to support less secure authentication mechanisms
only over an encrypted channel.
Data Received:
The SMTP server advertises the following SASL methods over an
unencrypted channel on port 25 : All supported methods : LOGIN, PLAIN
Cleartext methods : LOGIN, PLAIN
The SMTP server advertises the following SASL methods over an
unencrypted channel on port 587 : All supported methods : LOGIN, PLAIN
Cleartext methods : LOGIN, PLAIN
I found this KB, Basic System Security: https://docs.directadmin.com/operation-system-level/securing/general.html#basic-system-security
and there is a link to an old thread from 2012. Is this still valid, or is there a better way of disabling cleartext login?
  1. Force email logins to use a secure connection: https://forum.directadmin.com/threads/43500

Thanks
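The scanner's check above boils down to sending EHLO on ports 25 and 587 before STARTTLS and looking at the AUTH line. The script below is an added example (not from the forum post or from DirectAdmin) that reproduces that verdict, both on constructed EHLO replies mirroring the report and against a live host via `check_live()` (hostname is whatever you pass in), so the finding can be re-verified after the configuration change.

```python
import smtplib
from typing import Dict, List

# SASL mechanisms that carry the password in trivially decodable form; the
# scanner flags these when advertised on an unencrypted (pre-STARTTLS) session.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}

def parse_ehlo(ehlo_reply: str) -> Dict[str, str]:
    """Turn a raw multi-line EHLO reply into {KEYWORD: params}; the greeting line is skipped."""
    feats: Dict[str, str] = {}
    for line in ehlo_reply.splitlines()[1:]:
        if not line.startswith("250"):      # "250-KEYWORD params" or "250 KEYWORD" on the last line
            continue
        body = line[4:].strip()
        if body:
            kw, _, params = body.partition(" ")
            feats[kw.upper()] = params.strip()
    return feats

def cleartext_auth_offered(feats: Dict[str, str]) -> List[str]:
    """Cleartext mechanisms listed on the AUTH line, in advertised order."""
    return [m for m in feats.get("AUTH", "").split() if m.upper() in CLEARTEXT_MECHS]

def assess(feats: Dict[str, str], port: int) -> dict:
    """Scanner-style verdict for one port: fail if LOGIN/PLAIN are offered before STARTTLS."""
    bad = cleartext_auth_offered(feats)
    return {"port": port, "starttls": "STARTTLS" in feats, "cleartext": bad, "fail": bool(bad)}

def check_live(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Same verdict against a real server: EHLO only, no STARTTLS, no credentials sent."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # smtplib keys esmtp_features in lowercase; AUTH params keep a leading space
        feats = {k.upper(): v.strip() for k, v in smtp.esmtp_features.items()}
    return assess(feats, port)

# Constructed replies: the first mirrors the failing scan result, the second a server
# that withholds AUTH until the session is encrypted.
FAILING_PORT25 = "250-mail.example.invalid Hello\n250-SIZE 52428800\n250-AUTH LOGIN PLAIN\n250 HELP"
FIXED_PORT587 = "250-mail.example.invalid Hello\n250-SIZE 52428800\n250-STARTTLS\n250 HELP"

if __name__ == "__main__":
    print(assess(parse_ehlo(FAILING_PORT25), 25))   # fail: LOGIN, PLAIN offered in the clear
    print(assess(parse_ehlo(FIXED_PORT587), 587))   # pass: no AUTH before STARTTLS
```

Once the fix is in place, `check_live(host, 25)` and `check_live(host, 587)` should both report `fail: False`, with AUTH appearing only after a STARTTLS-upgraded EHLO.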