Failing PCI Scan: Mail Server Accepts Plaintext Credentials
Question asked by Brook Davies - October 23, 2015 at 12:10 PM
Unanswered
We are failing a PCI scan as our 11.5 Smartermail server is accepting plain text via SMTP and POP3. How do I fix this?
 
I read a few posts here about modifying TLS/SSL support, but this seems to be related to securing web mail. Is that right?
 
 

4 Replies

0
Install SSL, disable SSL 1.0, SSL 2.0, SSL 3.0.
 
ENABLE TLS
 
Install the required registry hacks to ENABLE TLS 1.1 and TLS 1.2
 
DISABLE TLS 1.0
 
NOTE: Disabling TLS 1.0 will also disable ALL ANDROID DEVICES which are running the Android OS 4.4 and lower, but disabling SSL 1.0, SSL 2.0, SSL 3.0, and TLS 1.0 is mandatory to pass a PCI scan
 
Since you are being required to pass a PCI scan, you must now pass PCI DSS 3.0 - which is required by anyone who must be PCI compliant now.
 
 
 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
And I don't need to change anything on the email client side? To tell it to use a secure connection?
0
Just upgraded to SM15. Created mild havoc with my settings, but things are stable(ish) now. Seems like half my settings got moved over in the upgrade, half did not.
 
Except...I now get a PCI fail on Port 25. This is secured using TLS, but the scanner is reporting "Plaintext communication is allowed without a TLS connection". AUTH_LOGIN is disabled...cert checks out okay...any other ideas? Things worked fine with SM14, I am hoping a bug has not crept in.
0
Nobody addressed the POP3 plain text issue. It seems that a client connecting to the server via POP3 without TLS enabled will fall back to unencrypted on the connection. Is this accurate? Can it be set to not accept plain text login for POP3? I know the settings for SMTP but don't see it for POP3.
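The check the scanner is making on ports 25 and 110, as an added example that is not from this thread or from SmarterMail: it reads the EHLO and CAPA replies a server sends on the cleartext connection and reports whether AUTH (SMTP) or USER/SASL (POP3) are offered before STARTTLS/STLS, which is what "plaintext communication is allowed without a TLS connection" means. The sample replies are constructed; `check_live` is assumed to be run against a host you administer.

```python
import re
import smtplib
import poplib

# Constructed sample replies (not captured from any real host), as a scanner sees
# them on the cleartext connection before STARTTLS / STLS has been issued.
SMTP_EHLO_WEAK = "250-mail.example.invalid\r\n250-STARTTLS\r\n250-AUTH LOGIN PLAIN\r\n250 SIZE 52428800"
SMTP_EHLO_HARDENED = "250-mail.example.invalid\r\n250-STARTTLS\r\n250 SIZE 52428800"
POP3_CAPA_WEAK = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSASL PLAIN LOGIN\r\nSTLS\r\n."
POP3_CAPA_HARDENED = "+OK Capability list follows\r\nTOP\r\nSTLS\r\n."

def smtp_extensions(ehlo_reply: str) -> set:
    """Extension keywords from a raw EHLO reply (first line is the server name, skipped)."""
    keywords = set()
    for line in ehlo_reply.splitlines()[1:]:
        m = re.match(r"250[ -](\S+)", line)
        if m:
            keywords.add(m.group(1).upper())
    return keywords

def pop3_capabilities(capa_reply: str) -> set:
    """Capability names from a raw CAPA reply (status line and terminating '.' skipped)."""
    return {line.split()[0].upper() for line in capa_reply.splitlines()[1:] if line and line != "."}

def smtp_accepts_plaintext_auth(extensions: set) -> bool:
    """The port-25 finding: AUTH advertised before TLS, so a client may send its password
    in the clear. A hardened server advertises AUTH only after STARTTLS completes."""
    return "AUTH" in extensions

def pop3_accepts_plaintext_login(capabilities: set) -> bool:
    """The port-110 finding: USER or SASL offered before STLS."""
    return bool(capabilities & {"USER", "SASL"})

def check_live(host: str, smtp_port: int = 25, pop3_port: int = 110) -> dict:
    """Run the same two checks against your own server with the stdlib clients."""
    with smtplib.SMTP(host, smtp_port, timeout=10) as smtp:
        smtp.ehlo()
        smtp_ext = {k.upper() for k in smtp.esmtp_features}   # keys are lowercased by smtplib
    pop = poplib.POP3(host, pop3_port, timeout=10)
    try:
        pop_caps = {k.upper() for k in pop.capa()}
    finally:
        pop.quit()
    return {"smtp_plaintext_auth": smtp_accepts_plaintext_auth(smtp_ext),
            "pop3_plaintext_login": pop3_accepts_plaintext_login(pop_caps)}
```

A server passes when both values are False; clients that still authenticate on the cleartext ports must then be set to use STARTTLS/STLS or the implicit-TLS ports (465/995) before those capabilities are hidden.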
