Failing PCI Scan: Mail Server Accepts Plaintext Credentials
Question asked by Brook Davies - October 23, 2015 at 12:10 PM
Unanswered
We are failing a PCI scan as our 11.5 Smartermail server is accepting plain text via SMTP and POP3. How do I fix this?
 
I read a few posst here about modifying TLS/SSL support, but this seems to be related to securing web mail. Is that right?
 
 

10 Replies

Reply to Thread
0
Bruce Barnes Replied
Install SSL, disable SSL 1.0, SSL 2.0, SSL 3.0.
 
ENABLE TLS
 
Install the required registry hacks to ENABLE TLS 1.1 and TLS 1.2
 
DISABLE TLS 1.0
 
NOTE:  Disabling TLS 1.0 will also disable ALL ANDROID DEVICES which are running the Android OS 4.4 and lower, but disabling SSL 1.0, SSL 2.0, SSL 3.0, and TLS 1.0 are mandatory to pass a PCI scan
 
Since you are being required to pass a PCI scan, you must now pass PCI DSS 3.0 - which is required by anyone who must be PCI compliant now.
 
.
 
 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Brook Davies Replied
And I don't need to change anything on the email client side? To tell it to use a secure connection?
0
Bruce Barnes Replied
Yes, you do need to secure the clients.

If you have browsers accessing either SmarterMail, or web applications which require CISP encryption, they will settings adjustments so they are encrypted, too.

Note that TLS must be enabled, and SSL disabled, in some browsers.

If you are not familiar with how to do all of this, which requires several steps in IIS, the Microsoft certificate store, and in SmarterMail, you may want to pay someone familiar with both SmarterMail and TLS security to do this for you.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Brook Davies Replied
How do I "Disable the plaintext authentication methods on your SMTP server for unencrypted (non-SSL/TLS) sessions. You may consider using more advanced challenge-based authentication methods like CRAM-MD5 or DIGEST-MD5"
0
Bruce Barnes Replied
CRAM-MD5 and DIGEST MD-5 are not yet available in SmarterMail.

To disable plain text login, godo the following:

Under DOMAIN EDIT:

Make certain REQUIRE SMTP AUTHENTICATION is checked.

Under SETTINGS, SMTP IN:

Make certain to check --

* Disable Relay when Using SMTP AUTHENTICATION.

* Enabled DOMAIN'S SMTP AUTH settings for local Deliveries

* Check "Disable Auth Login for SMTP AUTHENTICATION" and that will disabled plain tex5 authentication.

See
http://help.smartertools.com/SmarterMail/v14/Default.aspx?qq=%2fsmartermail%2fv5%2ftopics%2fsystemadmin%2fconfig%2fprotocolsettings.aspx

If you send from web forms, and/or shopping carts, you will need to configure that software to use SMTP AUTHENTICATION with TLS.

Remember, if you whitelist, or use SMTP AUTHENTICATION BYPASS for even a SINGLE IP address or DOMAIN NAME, you will still FAIL your PCI certification.

If you fail your PCI certification, they will pull ALL of your credit card processing capabilities: both brick and mortar, and online.

Contact me directly if you require assistance.

- Bruce
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Brook Davies Replied
In outlook, I see I can set the Outgoing Server to TLS, but I only see an SSL option for Incoming (POP) mail. Is that expected?

0
Bruce Barnes Replied
Settings in the clients are client and version dependant.

I don't believe tha versions of Outlook prior to Outlook 10 support TLS. You'll have to check with Microsoft.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Paul Replied
Just upgraded to SM15.  Created mild havoc with my settings, but things are stable(ish) now. Seems like half my settings got moved over in the upgrade, half did not.
 
Except...I now get a PCI fail on Port 25.  This is secured using TLS, but the scanner is reporting "Plaintext communication is allowed without a TLS connection". AUTH_LOGIN is disabled...cert checks out okay...any other ideas?  Things worked fine with SM14, I am hoping a bug has not crept in.
0
Sean Kelsey Replied
Nobody addressed the POP3 plain text issue. It seems that a client connecting to the server via POP3 without TLS enabled will fall back to unencrypted on the connection. Is this accurate? Can it be set to not accept plain text login for POP3. I know the settings for SMTP but don't see it for POP3.
0
Von-Austin See Replied
Employee Post
Sean, at this time it is not possible to prevent POP from accepting plain txt connections. Now what you can do is setup your POP ports to only allow SSL connections and you should be all set.
Von See
Technical Support Supervisor
SmarterTools Inc.
(877) 357-6278
www.smartertools.com

Reply to Thread