Check Accepted Auth types

To check which auth types the server currently accepts, connect with openssl and send an EHLO:

# openssl s_client -crlf -connect yourdomain.tld:465
...
...
# ehlo testing
250-yourdomain.tld
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING

The AUTH line shows that the server currently supports login with DIGEST-MD5, CRAM-MD5, PLAIN and LOGIN.

Change Accepted Auth Types

To disable the options for plain-text POP3/IMAP login, log in to your Plesk server via SSH.

After you have logged in, run the PCI compliance commands:

plesk sbin pci_compliance_resolver --enable dovecot
plesk sbin pci_compliance_resolver --enable postfix

Once you have done this, update your Postfix configuration file, /etc/postfix/main.cf, so that it contains:

smtpd_tls_auth_only=yes
smtpd_sasl_security_options = noanonymous, noplaintext

Update the sasl2 smtpd.conf file in /usr/lib64/sasl2/smtpd.conf or /etc/postfix/sasl/smtpd.conf by removing "PLAIN LOGIN" from the mech_list:

pwcheck_method: auxprop saslauthd
auxprop_plugin: plesk
saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
mech_list: DIGEST-MD5 CRAM-MD5
sql_engine: intentionally disabled
log_level: 4

Restart the services:

systemctl restart saslauthd.service
systemctl restart postfix.service
systemctl restart dovecot.service

You can check that this is now disabled by using openssl:

# openssl s_client -crlf -connect yourdomain.tld:465
...
...
# ehlo testing
250-yourdomain.tld
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING

If the AUTH line has changed to 250-AUTH DIGEST-MD5 CRAM-MD5 and no longer mentions PLAIN or LOGIN, the changes have been successful. You should then test your email client to make sure everything still works as expected.
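
The before/after comparison above can be scripted. The following is an added example, not part of the original post: it reads the text of an EHLO response and fails if PLAIN or LOGIN is still advertised. The function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit an EHLO response for
# the plaintext SASL mechanisms PLAIN and LOGIN.

# Print the advertised SASL mechanisms, one per line, upper-cased and sorted.
# Reads an EHLO response on stdin. Accepts "250-AUTH ..." and "250 AUTH ...",
# the legacy "250-AUTH=..." form, and strips the CR of CRLF line endings.
auth_mechs() {
    tr -d '\r' |
        sed -n 's/^250[- ][Aa][Uu][Tt][Hh][ =]\{1,\}//p' |
        tr '[:lower:]' '[:upper:]' | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# Exit status: 0 = AUTH offered without PLAIN/LOGIN
#              1 = PLAIN or LOGIN still offered
#              2 = no AUTH line (wrong port, or AUTH withheld until TLS)
check_no_plaintext() {
    mechs=$(auth_mechs)
    if [ -z "$mechs" ]; then
        echo "no AUTH line found"
        return 2
    fi
    bad=$(printf '%s\n' "$mechs" | grep -E -x 'PLAIN|LOGIN' | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "plaintext mechanisms still offered: $bad"
        return 1
    fi
    echo "ok, offered: $(printf '%s' "$mechs" | tr '\n' ' ')"
}

# Constructed samples modelled on the two EHLO responses shown above.
sample_before() {
    printf '250-yourdomain.tld\r\n250-PIPELINING\r\n'
    printf '250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN\r\n250 CHUNKING\r\n'
}
sample_after() {
    printf '250-yourdomain.tld\r\n250-PIPELINING\r\n'
    printf '250-AUTH DIGEST-MD5 CRAM-MD5\r\n250 CHUNKING\r\n'
}

sample_before | check_no_plaintext || true   # reports PLAIN and LOGIN
sample_after | check_no_plaintext            # passes
```

To check a real server, save the output of the openssl session to a file (ehlo.txt is a placeholder name) and run check_no_plaintext < ehlo.txt.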
