FortiMail
opetr_FTNT
Staff
Article Id 193275
Description

This document explains how to disable the SMTP AUTH, POP3(S), and IMAP(S) services, which are enabled on the FortiMail platform by default but may be unnecessary in some environments.


Scope
FortiMail version 4.0 MR3
Solution

By default, the FortiMail unit advertises on SMTP, TLS, and SMTPS that SMTP AUTH can be used:

220 gateway.lab.net ESMTP Smtpd; Thu, 31 Jan 2013 17:30:42 +0100
ehlo test.lab
250-gateway.lab.net Hello [192.168.196.98], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 10485760
250-DSN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP

You may want to disable SMTP AUTH over plain SMTP in order to protect users' login credentials, since the LOGIN and PLAIN authentication methods do not encrypt the login or password.
To disable advertising of AUTH on SMTP, use the following commands in the CLI:

# config system mailserver
(mailserver) # set smtp-auth disable
(mailserver) # end

Once done, SMTP AUTH is no longer advertised:

220 gateway.lab.net ESMTP Smtpd; Thu, 31 Jan 2013 18:06:27 +0100
ehlo test.lab
250-gateway.lab.net Hello [192.168.196.98], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 10485760
250-DSN
250-STARTTLS
250-DELIVERBY
250 HELP
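
To confirm the change from a captured session, the check below (an added example, not part of the original article or any Fortinet tooling) parses an EHLO reply taken on a connection that has not negotiated TLS and reports whether AUTH and the LOGIN/PLAIN mechanisms are still advertised. The function names are hypothetical, and the sample replies are abridged from the transcripts above.

```python
import re

# LOGIN and PLAIN carry the password Base64-encoded, i.e. readable on the wire.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(transcript):
    """Return {KEYWORD: [params]} for the extensions in a 250 EHLO reply."""
    extensions, seen_greeting = {}, False
    for raw in transcript.splitlines():
        m = REPLY_LINE.match(raw.strip())
        if not m or m.group(1) != "250":
            continue  # skips the 220 banner and the client's own "ehlo" line
        code, sep, text = m.groups()
        if seen_greeting:
            # Normalise the legacy "AUTH=LOGIN PLAIN" spelling some servers emit.
            parts = re.sub(r"^AUTH=", "AUTH ", text, flags=re.I).upper().split()
            if parts:
                extensions.setdefault(parts[0], []).extend(parts[1:])
        seen_greeting = True  # the first 250 line is the greeting, not a keyword
        if sep == " ":
            break  # "250 " (space, not hyphen) marks the last reply line
    return extensions

def audit_plain_session(transcript):
    """Audit an EHLO reply captured on a session that has not negotiated TLS."""
    ext = parse_ehlo(transcript)
    return {
        "auth_advertised": "AUTH" in ext,
        "cleartext_mechs": sorted(set(ext.get("AUTH", [])) & CLEARTEXT_MECHS),
        "starttls_offered": "STARTTLS" in ext,
    }

# EHLO replies abridged from the article, before and after "set smtp-auth disable".
BEFORE = """220 gateway.lab.net ESMTP Smtpd; Thu, 31 Jan 2013 17:30:42 +0100
ehlo test.lab
250-gateway.lab.net Hello [192.168.196.98], pleased to meet you
250-ENHANCEDSTATUSCODES
250-SIZE 10485760
250-AUTH LOGIN PLAIN
250-STARTTLS
250 HELP"""
AFTER = BEFORE.replace("250-AUTH LOGIN PLAIN\n", "")

if __name__ == "__main__":
    for name, reply in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_plain_session(reply))
```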

Note that you can disable AUTH on TLS and/or SMTPS as well. To do this, use the following commands:

# config system mailserver
(mailserver) # set smtp-auth-over-tls disable
(mailserver) # set smtp-auth-smtps disable
(mailserver) # end

Additionally, you may want to disable access through POP3(S) and/or IMAP(S) if they are not used in your environment.

To disable the POP3 service (including its encrypted counterpart) on the FortiMail unit, use the following commands in the CLI:

# config system mailserver
(mailserver) # set pop3-service disable
(mailserver) # end

Similarly, the IMAP service can be disabled with:

# config system mailserver
(mailserver) # set imap-service disable
(mailserver) # end

