Can SmarterMail be made PCI compliant since SMTP can fallback to unencrypted?

I've seen it referenced that SmarterMail is PCI 3.1 compliant from version 14.2.5704.

But how can that be if SMTP communications will fallback to unencrypted if a TLS connection cannot be made? I believe POP3 will fallback also?
We currently use our SmarterMail server as a relay to send session emails and alerts for website users. Opportunistic TLS encryption is enabled but there is still no force TLS option. We also use POP3 to track bouncebacks.

Can SmarterMail be made PCI compliant?

It looks like we might have to drop SmarterMail due to compliance reasons.

Merle Wait Replied

12/7/2017 at 5:48 PM

just curious... what would you use instead?
Also, it if the `application` requires TTL and none available.. does everything just queue?

Sean Kelsey Replied

12/7/2017 at 6:14 PM

I don't have something lined up for a replacement. Company that acquired the one I work for has a preferred vendor but I haven't looked into it yet.

Right now if the host for the domain the email being sent to is not able to find a common protocol and cipher, the email still gets delivered via plain text connection. No encryption.

The server that connects to our SmarterMail server to relay the email requires TLS so it will either send to the server over a TLS connection or error on trying to connect. So that is not a problem as far as our applications are concerned. But it is out of compliance since I believe the connection would downgrade to unencrypted if there was a non-TLS connection made. So a plain text scan should pick that up.

2 Replies

Reply to Thread

Related Knowledge Base Articles

2 Replies

Reply to Thread

Tags

Related Knowledge Base Articles