  1. #1

    Courier & Plain Text Credentials

    First post here in years... I have googled, checked many forums and this one for the answer, to no avail. I am hoping someone can shed some light on this for me.

    Having problems with the last error involving PCI Compliance.

    POP3 Server Allows Plain Text Authentication Vulnerability

    Courier version .51

    I have managed to configure all the rest of the ports to disable the plain text auth. I am told that courier may not be able to disable plaintext credentials in the pop3d...

    Is this true? Or is there a fix that may fix or sidestep the issue?

  2. #2
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,978
    Did the auditor tell you what was supposed to happen? As far as I know, POP3 uses plain text passwords.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!

  3. #3
    The auditor said that plain text credentials are not acceptable. I have been trying to force CRAM-MD5... which is what they are looking for on port 110, which is standard POP3. All other ports are secure with MD5... just that I am having problems forcing it on 110.

  4. #4
    I see this in my courier pop3d config file:

    Code:
    # If you have configured the CRAM-MD5 or CRAM-SHA1, set POP3AUTH to something
    # like this:
    #
    # POP3AUTH="LOGIN CRAM-MD5 CRAM-SHA1"
    When you say that you've "configured the rest of the ports to disable the plain text auth", do you mean you've disabled plain text logins for IMAP and have hashed the passwords already?

    Would just disabling pop3d and only using the pop3d-ssl daemon in courier be acceptable?
    -Mark Adams

  5. #5
    Yes, that is what I have. I did forget to put "LOGIN" in the quotes so I made that change and redid the scan. Still not passing. Disabling 110? I didn't think you could do that without losing heaps of email?

  6. #6
    Disabling POP3 isn't going to cause missing email messages. POP3 is only used for checking email, not receiving it. Courier includes a pop3d configuration that uses an SSL certificate for POP3S in the form of the pop3d-ssl daemon.

    How did you disable plain text authentication in the IMAP daemon?
    -Mark Adams

  7. #7
    In the IMAP I forced the TLS_CIPHER_LIST to read:

    TLS_CIPHER_LIST="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

    and made sure that TLS_PROTOCOL was:

    TLS_PROTOCOL=SSL3

    I made the changes in the esmtpd, esmtpd-ssl, pop3d-ssl, imapd and imapd-ssl files.


    Just wondering what is needed to force the pop3d-ssl and disable pop3d?

  8. #8
    I don't see how that disabled plain text passwords in IMAP. Does that even require TLS encryption?

    It looks like you would want to use IMAP_TLS_REQUIRED to force TLS for IMAP, and POP3_TLS_REQUIRED to require TLS for POP3.
    -Mark Adams

  9. #9
    When I enable that I get no email at all... I can send mail, just not receive.

    All I know is it passed the criteria and I moved on to the pop3d, which is the last issue...

  10. #10
    I would just enable the imapd-ssl and pop3d-ssl daemons and test them and then disable the imapd and pop3d daemons. Although since you say you configured the TLS_PROTOCOL and TLS_CIPHER_LIST for imapd, I suspect that you have copied the imapd-ssl config over imapd's.

    To do this on a default system, one would edit pop3d, imapd, pop3d-ssl and imapd-ssl so that:

    IMAPDSSLSTART=YES
    POP3DSSLSTART=YES
    IMAPDSTART=NO
    POP3DSTART=NO

    Make sure that you have the appropriate .pem files for the SSL, and restart courier. Then force encryption on in the client.
    -Mark Adams
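    The procedure in #10 (switch to the pop3d-ssl/imapd-ssl daemons and stop the plain ones), the alternative in #8 (POP3_TLS_REQUIRED / IMAP_TLS_REQUIRED), and the POP3AUTH change in #4, worked through as an added example. This is editor-supplied code, not from the thread or from the Courier project. It assumes the stock /etc/courier layout, with POP3DSTART/IMAPDSTART in pop3d/imapd and POP3DSSLSTART/IMAPDSSLSTART, POP3_TLS_REQUIRED/IMAP_TLS_REQUIRED and TLS_CERTFILE in pop3d-ssl/imapd-ssl; the sample config files it creates are constructed for the demonstration. It also assumes that POP3AUTH only governs which SASL mechanisms are advertised in CAPA and does not remove the POP3 USER/PASS commands, which is why the audit ignores POP3AUTH and treats a plain daemon without TLS_REQUIRED=1 as a finding even when CRAM-MD5 is listed, the situation described in #5.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Courier project. It audits a directory of
# Courier daemon config files (pop3d, pop3d-ssl, imapd, imapd-ssl, as laid out under /etc/courier)
# for remaining plain-text authentication paths and applies one of the two fixes the thread
# discusses. The sample configs below are constructed for the demonstration.

# Effective value of NAME in a Courier config file: the last uncommented NAME=... line,
# with surrounding double quotes removed. Prints nothing if the setting is absent.
courier_setting() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/^"\(.*\)"$/\1/'
}

# Set NAME=VALUE in FILE, replacing an existing uncommented assignment or appending one.
courier_set() {
    file=$1 name=$2 value=$3
    if grep -qE "^[[:space:]]*$name=" "$file"; then
        sed -i.bak -e "s|^[[:space:]]*$name=.*|$name=$value|" "$file" && rm -f "$file.bak"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# Report every daemon that still accepts credentials in the clear. A plain-text daemon
# (POP3DSTART/IMAPDSTART=YES) is a finding unless POP3_TLS_REQUIRED/IMAP_TLS_REQUIRED=1
# forces STLS/STARTTLS before login. POP3AUTH is deliberately not consulted: it only lists
# the SASL mechanisms advertised in CAPA (assumption about Courier's behaviour), so adding
# CRAM-MD5 there does not stop a client from sending USER/PASS on port 110.
# Returns 0 when no finding remains, 1 otherwise.
courier_plaintext_audit() {
    dir=$1 findings=0
    for proto in POP3 IMAP; do
        lc=$(printf '%s' "$proto" | tr 'A-Z' 'a-z')
        plain="$dir/${lc}d" ssl="$dir/${lc}d-ssl"
        start=$(courier_setting "$plain" "${proto}DSTART")
        sslstart=$(courier_setting "$ssl" "${proto}DSSLSTART")
        tlsreq=$(courier_setting "$ssl" "${proto}_TLS_REQUIRED")
        if [ "$start" = "YES" ] && [ "$tlsreq" != "1" ]; then
            echo "FINDING: $proto: ${proto}DSTART=YES and ${proto}_TLS_REQUIRED=${tlsreq:-unset}: clear-text login accepted"
            findings=$((findings + 1))
        fi
        if [ "$start" != "YES" ] && [ "$sslstart" != "YES" ]; then
            echo "WARNING: $proto: neither the plain nor the SSL daemon is started; clients cannot fetch mail"
        fi
        if [ "$sslstart" = "YES" ]; then
            cert=$(courier_setting "$ssl" TLS_CERTFILE)
            if [ -n "$cert" ] && [ ! -r "$cert" ]; then
                echo "WARNING: $proto: TLS_CERTFILE=$cert is not readable; TLS handshakes will fail"
            fi
        fi
    done
    [ "$findings" -eq 0 ]
}

# Apply a fix. "ssl-only" is the thread's suggestion: run only the POP3S/IMAPS daemons
# (995/993) and stop the plain ones. "require-tls" keeps 110/143 listening but refuses
# USER/PASS/LOGIN until the client has issued STLS/STARTTLS.
courier_harden() {
    dir=$1 mode=${2:-ssl-only}
    for proto in POP3 IMAP; do
        lc=$(printf '%s' "$proto" | tr 'A-Z' 'a-z')
        courier_set "$dir/${lc}d-ssl" "${proto}DSSLSTART" YES
        case $mode in
            ssl-only)    courier_set "$dir/${lc}d" "${proto}DSTART" NO ;;
            require-tls) courier_set "$dir/${lc}d-ssl" "${proto}_TLS_REQUIRED" 1 ;;
            *) echo "unknown mode: $mode" >&2; return 2 ;;
        esac
    done
}

# Constructed sample configs in the weak state from the thread: CRAM-MD5 advertised,
# plain daemons running, SSL daemons off, TLS not required.
make_sample_confdir() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample' 'POP3AUTH="LOGIN CRAM-MD5 CRAM-SHA1"' 'POP3DSTART=YES' > "$d/pop3d"
    printf '%s\n' 'POP3DSSLSTART=NO' 'POP3_TLS_REQUIRED=0' 'TLS_CERTFILE=/usr/share/courier/pop3d.pem' > "$d/pop3d-ssl"
    printf '%s\n' '# constructed sample' 'IMAPDSTART=YES' > "$d/imapd"
    printf '%s\n' 'IMAPDSSLSTART=NO' 'IMAP_TLS_REQUIRED=0' 'TLS_CERTFILE=/usr/share/courier/imapd.pem' > "$d/imapd-ssl"
    echo "$d"
}

# Demonstration: audit the weak state, apply the thread's fix, audit again.
demo=$(make_sample_confdir)
echo "== before =="
courier_plaintext_audit "$demo" || true
courier_harden "$demo" ssl-only
echo "== after (ssl-only) =="
if courier_plaintext_audit "$demo"; then echo "no plain-text login path remains"; fi
rm -rf "$demo"
```

    To use it against a live system, point the functions at /etc/courier (for example `courier_plaintext_audit /etc/courier`), then restart courier and re-run the scanner. The "ssl-only" mode is the one that leaves port 110 closed entirely, which is what a scanner flagging "POP3 Server Allows Plain Text Authentication" on 110 will accept; "require-tls" keeps 110 open, so the scanner still sees a listener there and must be satisfied that login is refused before STLS. Either way, every client has to be switched to SSL/TLS first, otherwise the "can send but not receive" symptom from #9 appears.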

  11. #11
    Quote Originally Posted by bitserve:
        Although since you say that you configured the TLS_PROTOCOL and TLS_CIPHER_LIST for imapd, I suspect that you have copied the imapd-ssl config over imapd's.
    No, I didn't. Did very little here... more work was done in the esmtpd that was not spoken about as well.

    I will test what you suggest.
