Only offer smtp-auth over tls

Hello everyone,

I have been running HestiaCP v1.3.2 on Debian 10.6.
By default, exim offers the ability to use smtp authentication over port 25 unencrypted, i.e. the username/password combination of an email account are transmitted in plain text.

I would like to only offer the smtp-auth capability over TLS, not plain text.

To do this, I have modified /etc/exim/exim4.conf.template and added the following line
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

Is this something that other people would also like and find useful?
Could HestiaCP configure this out of the box?

Thanks,
Sot.

We support TLS out of the box by default

Thank you very much for your reply.

Of course you support TLS out of the box, but you don’t make sure that credentials can only be transmitted over TLS, they can also be transmitted over plain text.

[email protected]:~$ telnet mail.hestiacp.com 25
Trying 116.203.78.202…
Connected to mail hestiacp com.
Escape character is ‘^]’.
220 web02 hestiacp com
ehlo test
250-web02 hestiacp com Hello
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250 HELP
quit
221 web02 hestiacp com closing connection
Connection closed by foreign host.

By adding the line I mentioned above in exim4.conf.template, the SMTP AUTH capability will only be available over TLS (i.e. client must use STARTTLS or connect to port 465), which is encrypted.

The behaviour I want is
No AUTH capability offered on port 25 by default

[email protected]:~$ telnet potato.irc.gr 25
Trying 95.111.231.144…
Connected to potato.irc.gr.
Escape character is ‘^]’.
220 potato.irc.gr
ehlo test
250-potato.irc.gr Hello
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP

but only available if I use STARTTLS

[email protected]:~$ openssl s_client -starttls smtp potato.irc.gr:25
CONNECTED(00000005)

250 HELP
ehlo test
250-potato.irc.gr Hello
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250 HELP
quit

or is I connect on port 465

[email protected]:~$ openssl s_client -connect potato.irc.gr:465
CONNECTED(00000005)

220 potato.irc.gr
ehlo test
250-potato.irc.gr Hello
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250 HELP
quit

You’ll need to adjust your exim conf, probaly something like this could help: https://serverfault.com/questions/780125/how-to-force-starttls-in-exim

Thank you very much for your answer.

Indeed, this is what I did and it works.

The question was if HestiaCP would like to do the same out-of-the box, i.e. don’t transmit credentials over plain text but only over TLS.

It’s the equivalent of what HestiaCP already does for pop3/imap, but for smtp.

[email protected]:~# head -1 /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes

Enabling this would break some very old smtp clients, e.g. microsoft outlook 2007 without service pack 3.