[BlueOnyx:27258] Re: Disabling plain text login for Postfix
Michael Stauber
mstauber at blueonyx.it
Tue Sep 24 15:43:44 -05 2024
Hi Chris,
> Working with a customer on a 5210R box, they've had a PCI scan fail due
> to allowing plaintext authentication over port 25. No matter that
> they don't process credit cards over port 25... anyhow....
If they know what IP the PCI scan is from they should just block that
one and be done with it. :p
> Is there a recommended method for disabling plaintext authentication in
> Postfix (or Dovecot if Postfix is using Dovecot's auth?)
Offhand I don't recall if our automatic config generation for Postfix
will reset any custom changes you make to that end in /etc/postfix/main.cf.
So it would be best to edit this file instead, which is run last
whenever Postfix is restarted and allows you to override the
configuration:
/usr/sausalito/bin/custom-postfix-confgen.sh
Changes made to that file will persist through BlueOnyx YUM updates, so
they won't get lost.
Just put the respective "postconf" commands in there, as shown in the
(unrelated) example already in the comment of the above file:
postconf -e 'smtpd_sender_restrictions = reject_unknown_sender_domain'
What you want to set via "postconf -e 'key = value'" are these:
smtpd_tls_auth_only = yes
> Also getting dinged for the mailserver (on TCP 25, 465 and 587) allowing
> anonymous authentication. The recommendation? Literally "Disable
> support for anonymous authentication to mitigate this
> vulnerability." Not sure how to proceed with that under BlueOnyx.
That's this one:
smtpd_sasl_security_options = noanonymous
But that is already a default in our typical Postfix config:
~]# cat /etc/postfix/main.cf|grep smtpd_sasl_security_options
smtpd_sasl_security_options = noanonymous
At least it is when SMTP-Auth is enabled. Check in the GUI if this
server has it on or off. It *may* be off on that one.
In /etc/dovecot/conf.d/10-auth.conf you can set this to disable anon-auth:
auth_anonymous = no
But that will essentially do nothing, as Dovecot requires username and
password anyway.
--
With best regards
Michael Stauber
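Added example, not part of the original post and not BlueOnyx's own code: a small POSIX shell script that (a) prints the two postconf lines the reply above says belong in /usr/sausalito/bin/custom-postfix-confgen.sh, (b) audits "postconf -n" output for those two settings, and (c) audits the EHLO reply a server gives over an unencrypted connection, which is essentially what the PCI scanner looks at on port 25 (an AUTH line offered before STARTTLS). The EHLO replies and config snippets embedded below are constructed samples; the assumption that custom-postfix-confgen.sh is a plain shell script you append postconf commands to follows from the post's own example line.

```shell
#!/bin/sh
# Added example (not from the original post or from BlueOnyx).

# (a) The override lines for custom-postfix-confgen.sh, as discussed in the
# reply above.  Assumption: that file is a plain shell script, so these
# lines can be placed in it as-is.
hardening_lines() {
    cat <<'EOF'
postconf -e 'smtpd_tls_auth_only = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
EOF
}

# (b) Read "postconf -n" output (or main.cf) on stdin and report which of the
# two settings is missing.  Prints "ok" or "missing: <names>".
audit_postconf() {
    cfg=$(cat)
    missing=""
    printf '%s\n' "$cfg" | grep -Eq '^smtpd_tls_auth_only[[:space:]]*=[[:space:]]*yes[[:space:]]*$' \
        || missing="$missing smtpd_tls_auth_only"
    printf '%s\n' "$cfg" | grep -Eq '^smtpd_sasl_security_options[[:space:]]*=.*noanonymous' \
        || missing="$missing smtpd_sasl_security_options"
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:$missing"
    fi
}

# (c) Read the multi-line 250 reply to EHLO (captured over the *plaintext*
# connection, before any STARTTLS) on stdin and classify it:
#   ok              - no AUTH offered without TLS (the scanner is satisfied)
#   plaintext-auth  - AUTH advertised before STARTTLS
#   anonymous-auth  - AUTH advertised and the ANONYMOUS mechanism is listed
audit_ehlo() {
    auth_line=$(grep -i '^250[ -]AUTH' | head -n 1)
    if [ -z "$auth_line" ]; then
        echo ok
    elif printf '%s\n' "$auth_line" | grep -qi 'ANONYMOUS'; then
        echo anonymous-auth
    else
        echo plaintext-auth
    fi
}

# Constructed samples (not captured from a real server).
EHLO_BEFORE='250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME'

EHLO_ANON='250-mail.example.com
250-STARTTLS
250-AUTH PLAIN LOGIN ANONYMOUS
250 8BITMIME'

# What the same server answers on a plaintext connection once
# smtpd_tls_auth_only = yes is in effect: STARTTLS stays, AUTH is gone.
EHLO_AFTER='250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME'

CFG_BEFORE='smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_tls_security_level = may'

CFG_AFTER="$CFG_BEFORE
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous"

# Stand-alone demonstration.
echo "config before: $(printf '%s\n' "$CFG_BEFORE" | audit_postconf)"
echo "config after:  $(printf '%s\n' "$CFG_AFTER" | audit_postconf)"
echo "EHLO before:   $(printf '%s\n' "$EHLO_BEFORE" | audit_ehlo)"
echo "EHLO anon:     $(printf '%s\n' "$EHLO_ANON" | audit_ehlo)"
echo "EHLO after:    $(printf '%s\n' "$EHLO_AFTER" | audit_ehlo)"
echo "lines to add to custom-postfix-confgen.sh:"
hardening_lines
```

On a real box, `postconf -n | audit_postconf` checks the live configuration, and piping `printf 'EHLO scanner\r\nQUIT\r\n'` into a plain TCP client such as nc against port 25, then into `audit_ehlo`, reproduces the scanner's view. One caveat worth knowing before applying `smtpd_tls_auth_only = yes`: Postfix then offers AUTH only inside a TLS session, so STARTTLS must actually be enabled on the server (`smtpd_tls_security_level` of at least `may`) or clients lose the ability to authenticate altogether.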