Can SmarterMail be made PCI compliant since SMTP can fallback to unencrypted?
Question asked by Sean Kelsey - 12/7/2017 at 11:24 AM
I've seen it referenced that SmarterMail is PCI 3.1 compliant from version 14.2.5704.
But how can that be if SMTP communications will fall back to unencrypted if a TLS connection cannot be made? I believe POP3 will fall back also?
We currently use our SmarterMail server as a relay to send session emails and alerts for website users. Opportunistic TLS encryption is enabled but there is still no force TLS option. We also use POP3 to track bouncebacks.
Can SmarterMail be made PCI compliant?
It looks like we might have to drop SmarterMail due to compliance reasons.

2 Replies

Merle Wait Replied
just curious... what would you use instead?
Also, if the application requires TLS and none is available... does everything just queue?
Sean Kelsey Replied
I don't have something lined up for a replacement. Company that acquired the one I work for has a preferred vendor but I haven't looked into it yet.

Right now, if the host for the domain the email is being sent to is not able to find a common protocol and cipher, the email still gets delivered via a plain-text connection. No encryption.

The server that connects to our SmarterMail server to relay the email requires TLS, so it will either send to the server over a TLS connection or error on trying to connect. So that is not a problem as far as our applications are concerned. But it is out of compliance, since I believe the connection would downgrade to unencrypted if a non-TLS connection were made. So a plain-text scan should pick that up.

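The downgrade described in the thread, shown as an added example that is not part of the original posts and is not SmarterMail code: a Python SMTP sender with the two policies side by side (opportunistic STARTTLS, which falls back to plaintext, and mandatory STARTTLS, which refuses to send), exercised against a small fake SMTP server on loopback that is constructed for the demo. The hostnames, addresses and the 454 response the fake server gives to STARTTLS are assumptions made for the example.

```python
"""Added example (not SmarterMail code): opportunistic vs. mandatory STARTTLS
on the sending side, run against a constructed fake SMTP server on loopback.
Hostnames and mailbox addresses are placeholders."""
import smtplib
import socket
import ssl
import threading


def start_fake_smtp(offer_starttls):
    """Constructed fake SMTP server on 127.0.0.1 (assumption: nothing real).
    Advertises STARTTLS only when offer_starttls is True and always answers a
    STARTTLS command with 454 (RFC 3207 'TLS not available'), which is the
    situation the thread describes: no usable TLS, so does the mail still go?
    Returns (port, command_log); command_log fills in as the client talks."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    log = []

    def serve():
        conn, _ = srv.accept()
        rd = conn.makefile("rb")
        conn.sendall(b"220 mx.fake.example ESMTP\r\n")
        while True:
            line = rd.readline()
            if not line:
                break
            cmd = line.decode(errors="replace").strip()
            log.append(cmd)
            verb = cmd.split(" ", 1)[0].upper()
            if verb == "EHLO":
                reply = b"250-mx.fake.example\r\n"
                if offer_starttls:
                    reply += b"250-STARTTLS\r\n"
                conn.sendall(reply + b"250 8BITMIME\r\n")
            elif verb == "STARTTLS":
                conn.sendall(b"454 TLS not available due to temporary reason\r\n")
            elif verb in ("MAIL", "RCPT"):
                conn.sendall(b"250 OK\r\n")
            elif verb == "DATA":
                conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                while rd.readline() not in (b".\r\n", b""):
                    pass  # swallow the message body (arrived in the clear)
                conn.sendall(b"250 Queued\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"502 Command not implemented\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, log


def deliver(port, require_tls, message=b"Subject: alert\r\n\r\nconstructed body\r\n"):
    """Send one message to the server on `port`.
    require_tls=False: opportunistic TLS as the thread describes it; if STARTTLS
    is missing or fails, the mail goes out in plaintext.
    require_tls=True: the missing 'force TLS' policy; no TLS, no delivery.
    Returns 'sent-tls', 'sent-plaintext' or 'refused'."""
    with smtplib.SMTP("127.0.0.1", port, local_hostname="client.example",
                      timeout=5) as smtp:
        smtp.ehlo()
        transport = "plaintext"
        if smtp.has_extn("starttls"):
            try:
                smtp.starttls()  # default ssl context; the fake server answers 454
                smtp.ehlo()      # re-EHLO after a real upgrade, per RFC 3207
                transport = "tls"
            except (smtplib.SMTPException, ssl.SSLError):
                # The downgrade point. The fake server's 454 leaves the session
                # usable; after a real handshake failure an opportunistic MTA
                # reconnects in plaintext instead, with the same end result.
                pass
        if transport != "tls" and require_tls:
            return "refused"  # force-TLS: the message never touches the wire
        smtp.sendmail("alerts@example.net", ["user@example.org"], message)
        return "sent-" + transport


def demo(offer_starttls, require_tls):
    """Run one scenario against a fresh fake server; returns (outcome, server_log)."""
    port, log = start_fake_smtp(offer_starttls)
    return deliver(port, require_tls), log


if __name__ == "__main__":
    for offer in (False, True):
        for require in (False, True):
            outcome, _ = demo(offer, require)
            print(f"STARTTLS offered={offer!s:5} require_tls={require!s:5} -> {outcome}")
```

With `require_tls=False` the message is delivered in plaintext in both scenarios, including the one where the server advertised STARTTLS and then failed it, which is the behaviour Sean reports. With `require_tls=True` the sender stops before `MAIL FROM`, so the server log contains the STARTTLS attempt but no envelope or body. This covers only the sending side; an assessor's "plain-text scan" would additionally check whether the server itself accepts submissions and POP3 logins without TLS, which is a separate setting.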