PLAIN authentication is ok, provided that TLS has been activated by the client (presumably before credentials are sent) or SSL is in use (unconventional 465 port).

In changing this, each client will need to be manually reconfigured. I'm not aware of any client that automatically adjusts to changes such as this.


I'm not aware of a practical way to require encrypted passwords for qmail-smtpd (whether on port 25 or 587) at this point. Spamdyke has a recent feature allowing it to handle authentication, and I believe that Sam will be adding a setting to require encryption before authentication in the next release. When that's available, I'll be changing QMT to use spamdyke for authentication, which will (at last) allow for enforcement of this policy (no passwords sent in clear text).

On the retrieval side of things, dovecot provides such a configuration parameter, #disable_plaintext_auth = yes, which is the default value.

P.S. FWIW, I would have not expected to see (as many) unauthorized attempts on port 587. Spammers will eventually use this port though.

--
-Eric 'shubes'

On 03/05/2014 08:34 AM, LHTek wrote:
I am using PLAIN text passwords I'm afraid. I will be changing that now
though. I very tired of these password hacks.

Since this will be a new process for me I have questions: In changing
the server to require encrypted passwords, will I need to contact all my
clients and have them change the way they connect? Or will their email
clients just automate the change?




    ------------------------------------------------------------------------
    *From:* "c...@milos.co.za" <c...@milos.co.za>
    *To:* vchkpw@inter7.com
    *Sent:* Wednesday, March 5, 2014 6:45 AM
    *Subject:* [vchkpw] [SPAM] Re: [vchkpw] [SPAM] Re: [vchkpw] [SPAM]
    Re: [vchkpw] Qmail maillog vchkpw-submission vs vchkpw-smtp

    It doesn't matter how good your password is if you're using
    plaintext connections :)
    Since every MUA I've used i nthe last few years supports SSL or TLS
    I should really get around to deprecating pop3 and imap and only
    using pop3s and imaps.
    This is especially imporant since some govts are trying to push
    through laws forcing ISP's to store all of the data each of their
    users downloads meaning that your unencrypted data will remain
    stored for however long is legislated with access by who knows how
    many people.
    \\Clay
    On 2014-03-05 07:57, Tom Collins wrote:
    The submission entries outside the US could very well be from
    hacked accounts.
    I'm finding a surprising number of compromised accounts (once a
    week?), including users with good passwords, so I have to assume
    they're snooped on public wireless, or their computers are
    compromised by malware of some sort.
    The vckpw-smtp entries from outside the US are probably also
    hacked accounts, since mail received from remote servers doesn't
    include authentication.  Sorry I wasn't thinking clearly in my
    previous response -- I forgot these were vchkpw entries and are
    only related to authentication.  I was thinking about qmail logs.

    -Tom

    On Mar 4, 2014, at 10:43 PM, LHTek wrote:

    Thanks for the reply.

    NOTE: None of my users will have sent anything from outside the US.

    I've got some log entries for vchkpw-submission (marked as
    successful in the log) with non-US IP's (Russia, Egypt, Honk
    Kong, etc).In my analysis I'm marking those entries as hacked
    accounts.

    From what I read from your response, vchkpw-smtp (marked as
    successful in the log) entries could be mail sent TO my server
    FROM another server on port 25. That tells me those are probably
    safe submissions - even if they are from overseas IPs. Am I
    thinking correctly?

        ------------------------------------------------------------------------
        *From:* Tom Collins <t...@tomlogic.com <mailto:t...@tomlogic.com>>
        *To:* vchkpw@inter7.com <mailto:vchkpw@inter7.com>
        *Sent:* Wednesday, March 5, 2014 12:02 AM
        *Subject:* Re: [vchkpw] Qmail maillog vchkpw-submission vs
        vchkpw-smtp

        vchkpw-submission is on port 587, and is typically used for
        emai clients relaying mail.  It's often set up to require
        authentication.
        vchkpw-smtp is on port 25, and can be used for email clients
        to relay mail, or by other servers delivering mail to your
        server.

        -Tom

        On Mar 4, 2014, at 9:41 PM, LHTek wrote:

        In the /var/log/maillog file what is the difference between
        these 2 entries (vchkpw-submission, vchkpw-smtp)?
        example:
        Mar  4 17:27:03 michael vpopmail[14701]: vchkpw-submission:
        (PLAIN) login success t...@domain.com:64.185.3.238
        Mar  4 10:54:42 michael vpopmail[29027]: vchkpw-smtp:
        (PLAIN) login success t...@domain.com:64.57.239.114









!DSPAM:531756ed34261630194476!

Reply via email to