Symptoms
PCI scanners will report a failure similar to the one below:
"Mail Server Accepts Plaintext Credentials. In the controls performed, it was determined that the e-mail server responded to the EHLO command. This indicates that the ESMTP protocol is used. ESMTP uses the AUTH command to perform the authorization process. With this command, users who are authorized to send messages using the e-mail server can be determined. Tests have shown that LOGIN PLAIN statements can be used as parameters for the AUTH command."
Description
When reviewing a PCI scan, a common source of confusion is that the Exim setting that controls whether AUTH is advertised is separate from the Plaintext Authentication option for Dovecot. For PCI validation to pass, both options must be configured correctly.
Workaround
1. The failure reported indicates that Plaintext Authentication is enabled on your server. If so, disable it for the Dovecot service in "WHM Mailserver Configuration".
2. By default the Exim service should be configured correctly, but if the following option has been disabled, you will also need to enable it in the "WHM Exim Configuration Manager". Leaving this setting disabled causes the Exim service to incorrectly advertise AUTH PLAIN LOGIN on unencrypted connections, which produces false positives on the scan.
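As an added check that is not part of the original article: the script below parses an EHLO reply and lists any plaintext AUTH mechanisms (PLAIN, LOGIN) offered on the unencrypted connection, which is exactly what the scanner flags. The two sample replies are constructed, and check_live() is a helper for re-testing a server you administer after applying the steps above (the hostname is an assumption).

```python
import smtplib

# Constructed EHLO replies, not captured from a real server: one as Exim
# answers before the fix (AUTH offered in clear) and one after.
EHLO_BEFORE_FIX = """250-mail.example.test Hello scanner [203.0.113.5]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP"""

EHLO_AFTER_FIX = """250-mail.example.test Hello scanner [203.0.113.5]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP"""

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that send credentials in clear


def parse_ehlo(response: str) -> dict[str, list[str]]:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [parameters]}."""
    features: dict[str, list[str]] = {}
    for line in response.splitlines()[1:]:  # first line is the greeting
        if not line.startswith("250"):
            continue
        parts = line[4:].split()  # drop the "250-" / "250 " prefix
        if parts:
            features[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return features


def plaintext_auth_advertised(response: str) -> list[str]:
    """Plaintext AUTH mechanisms offered before STARTTLS; empty means the scan item passes."""
    mechs = parse_ehlo(response).get("AUTH", [])
    return sorted(m for m in mechs if m in PLAINTEXT_MECHS)


def check_live(host: str, port: int = 25, timeout: float = 10.0) -> list[str]:
    """Send EHLO over a plain TCP connection to a server you administer (assumed host)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO failed: {code} {msg!r}")
        # smtplib stores the AUTH parameters as one space-separated string
        mechs = smtp.esmtp_features.get("auth", "").upper().split()
        return sorted(m for m in mechs if m in PLAINTEXT_MECHS)


if __name__ == "__main__":
    for label, reply in (("before", EHLO_BEFORE_FIX), ("after", EHLO_AFTER_FIX)):
        print(label, plaintext_auth_advertised(reply))
```

Run check_live("mail.example.test") against your own server once the Dovecot and Exim settings are changed; an empty list means AUTH is no longer offered in clear.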
That's it! Once both settings are in place, contact your PCI vendor to perform another scan of the server.