4
Failing PCI Scan: Mail Server Accepts Plaintext Credentials
Question asked by Brook Davies - 10/23/2015 at 12:10 PM
Unanswered
We are failing a PCI scan as our 11.5 Smartermail server is accepting plain text via SMTP and POP3. How do I fix this?
 
I read a few posts here about modifying TLS/SSL support, but this seems to be related to securing web mail. Is that right?
 
 

11 Replies

0
Bruce Barnes Replied
Install SSL, disable SSL 1.0, SSL 2.0, SSL 3.0.
 
ENABLE TLS
 
Install the required registry hacks to ENABLE TLS 1.1 and TLS 1.2
 
DISABLE TLS 1.0
 
NOTE:  Disabling TLS 1.0 will also disable ALL ANDROID DEVICES which are running the Android OS 4.4 and lower, but disabling SSL 1.0, SSL 2.0, SSL 3.0, and TLS 1.0 is mandatory to pass a PCI scan
 
Since you are being required to pass a PCI scan, you must now pass PCI DSS 3.0 - which is required by anyone who must be PCI compliant now.
 
 
 
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Brook Davies Replied
And I don't need to change anything on the email client side? To tell it to use a secure connection?
0
Bruce Barnes Replied
Yes, you do need to secure the clients.

If you have browsers accessing either SmarterMail, or web applications which require CISP encryption, they will need settings adjustments so they are encrypted, too.

Note that TLS must be enabled, and SSL disabled, in some browsers.

If you are not familiar with how to do all of this, which requires several steps in IIS, the Microsoft certificate store, and in SmarterMail, you may want to pay someone familiar with both SmarterMail and TLS security to do this for you.
0
Brook Davies Replied
How do I "Disable the plaintext authentication methods on your SMTP server for unencrypted (non-SSL/TLS) sessions. You may consider using more advanced challenge-based authentication methods like CRAM-MD5 or DIGEST-MD5"
0
Bruce Barnes Replied
CRAM-MD5 and DIGEST-MD5 are not yet available in SmarterMail.

To disable plain text login, do the following:

Under DOMAIN EDIT:

Make certain REQUIRE SMTP AUTHENTICATION is checked.

Under SETTINGS, SMTP IN:

Make certain to check --

* Disable Relay when Using SMTP AUTHENTICATION.

* Enable DOMAIN'S SMTP AUTH settings for local Deliveries

* Check "Disable Auth Login for SMTP AUTHENTICATION" and that will disable plain text authentication.

See
http://help.smartertools.com/SmarterMail/v14/Default.aspx?qq=%2fsmartermail%2fv5%2ftopics%2fsystemadmin%2fconfig%2fprotocolsettings.aspx

If you send from web forms, and/or shopping carts, you will need to configure that software to use SMTP AUTHENTICATION with TLS.

Remember, if you whitelist, or use SMTP AUTHENTICATION BYPASS for even a SINGLE IP address or DOMAIN NAME, you will still FAIL your PCI certification.

If you fail your PCI certification, they will pull ALL of your credit card processing capabilities: both brick and mortar, and online.

Contact me directly if you require assistance.

- Bruce
0
Brook Davies Replied
In outlook, I see I can set the Outgoing Server to TLS, but I only see an SSL option for Incoming (POP) mail. Is that expected?

0
Bruce Barnes Replied
Settings in the clients are client and version dependent.

I don't believe that versions of Outlook prior to Outlook 10 support TLS. You'll have to check with Microsoft.
0
Paul Replied
Just upgraded to SM15.  Created mild havoc with my settings, but things are stable(ish) now. Seems like half my settings got moved over in the upgrade, half did not.
 
Except...I now get a PCI fail on Port 25.  This is secured using TLS, but the scanner is reporting "Plaintext communication is allowed without a TLS connection". AUTH_LOGIN is disabled...cert checks out okay...any other ideas?  Things worked fine with SM14, I am hoping a bug has not crept in.
0
Sean Kelsey Replied
Nobody addressed the POP3 plain text issue. It seems that a client connecting to the server via POP3 without TLS enabled will fall back to unencrypted on the connection. Is this accurate? Can it be set to not accept plain text login for POP3. I know the settings for SMTP but don't see it for POP3.
0
Employee Replied
Employee Post
Sean, at this time it is not possible to prevent POP from accepting plain text connections. Now what you can do is set up your POP ports to only allow SSL connections and you should be all set.
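A verification script, added here and not part of the thread or of SmarterMail, that checks the two findings discussed above from the server's own replies: after Bruce's SMTP steps, the cleartext EHLO reply on port 25 should no longer advertise AUTH LOGIN or AUTH PLAIN, and after the employee's POP3 advice, port 110 should no longer answer at all. The host name and the two sample EHLO replies are constructed, not captured from a real server.

```python
import smtplib
import poplib

# Constructed sample EHLO replies (not captured from any real server):
# the first is what a PCI scanner flags, the second is what the fix produces.
WEAK_EHLO = "mail.example.test\nSTARTTLS\nAUTH LOGIN PLAIN\nSIZE 52428800\nOK"
FIXED_EHLO = "mail.example.test\nSTARTTLS\nSIZE 52428800\nOK"


def plaintext_auth_offered(ehlo_reply):
    """Parse the EHLO reply received on a cleartext session.
    A server that advertises AUTH LOGIN or AUTH PLAIN before STARTTLS lets a
    client send credentials in the clear, which is the scanner finding in the
    thread. Returns (sorted mechanisms, STARTTLS advertised, finding present).
    """
    mechs, starttls = set(), False
    for line in ehlo_reply.splitlines():
        words = line.strip().upper().split()
        if not words:
            continue
        if words[0] == "STARTTLS":
            starttls = True
        elif words[0] == "AUTH":
            mechs.update(words[1:])
    return sorted(mechs), starttls, bool(mechs & {"LOGIN", "PLAIN"})


def check_smtp(host, port=25, timeout=10):
    """Live check against your own server: EHLO on port 25 before STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, reply = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        return plaintext_auth_offered(reply.decode("utf-8", "replace"))


def pop3_cleartext_reachable(host, port=110, timeout=10):
    """Live check: is cleartext POP3 still answering, and does it offer STLS?
    SmarterMail (per the employee reply) cannot refuse USER/PASS on a cleartext
    session, so the remediation is to stop listening on 110 and serve POP3 on
    the SSL port only. Returns None when the port is closed, else the STLS flag.
    """
    try:
        pop = poplib.POP3(host, port, timeout=timeout)
    except OSError:
        return None
    try:
        return "STLS" in pop.capa()
    finally:
        pop.quit()
```

Run `check_smtp("your.mail.host")` and `pop3_cleartext_reachable("your.mail.host")` against a server you administer; a finding of `True` from the first or anything other than `None` from the second is what the scanner in this thread reports.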
1
David Sovereen Replied
Can this get on the roadmap to be resolved?  We're also dealing with PCI compliance issues.  One can disable plaintext logins in SMTP, but not in POP.

Thanks,

Dave
