PCI Scan failing on SMTP Service Cleartext Login Permitted
Hello everyone.
Our latest PCI Compliancy scan is failing on "SMTP Service Cleartext Login Permitted" on port 465. It's saying that the server is advertising PLAIN or LOGIN, and to only allow less secure connections via secured channels.
I've actually read just about every article and forum post online regarding this, but I still cannot figure out a way to pass.
I've set:
- WHM > Service Configuration > Mailserver Configuration > Allow Plaintext Authentication = Disabled
- WHM > Service Configuration > Exim Configuration Manager > Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server = Enabled
- tls_on_connect_ports = Removing 465 breaks our emails.. So that's a no-go.
Would appreciate some help in resolving this. Thank you!
-
WHM > Service Configuration > Exim Configuration Manager > Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server = Enabled
Hello @Daniel Yi, The following Exim document explains how the "tls_on_connect_ports" option works for port 465:0 -
Maybe I'm not understanding correctly, but based on the information you provided, I'm not sure how that proves that the fail can be classified as a false positive. Either way, I've emailed them with the info asking if they can submit it as a false positive. I'll update once I hear back. 0 -
Hello @Daniel Yi, It's considered a false positive because cleartext logins aren't actually transmitted over port 465 when Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server is enabled. Thank you. 0 -
Gotcha! 0 -
How about for port 587? I'm getting a fail on both 465 and 587. 0 -
How about for port 587? I'm getting a fail on both 465 and 587.
It's also a false positive since "Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server" applies to all SMTP connections. This option prevents the plaintext transmission of authentication credentials. You can test this yourself by trying to authenticate over port 587 with telnet:# telnet 1.2.3.4 587 Trying 1.2.3.4... Connected to 1.2.3.4. Escape character is '^]'. 220-123.hostname.tld ESMTP Exim 4.91 #1 Wed, 06 Jun 2018 09:14:59 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. EHLO domain.tld 250-123.hostname.tld Hello domain.tld [1.2.3.4] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP AUTH LOGIN 503 AUTH command used when not advertised
Thank you.0
Please sign in to leave a comment.
Comments
6 comments