Skip to main content

PCI Scan failing on SMTP Service Cleartext Login Permitted

Comments

6 comments

  • cPanelMichael
    WHM > Service Configuration > Exim Configuration Manager > Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server = Enabled

    Hello @Daniel Yi, The following Exim document explains how the "tls_on_connect_ports" option works for port 465:
    0
  • Daniel Yi
    Maybe I'm not understanding correctly, but based on the information you provided, I'm not sure how that proves that the fail can be classified as a false positive. Either way, I've emailed them with the info asking if they can submit it as a false positive. I'll update once I hear back.
    0
  • cPanelMichael
    Hello @Daniel Yi, It's considered a false positive because cleartext logins aren't actually transmitted over port 465 when Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server is enabled. Thank you.
    0
  • Daniel Yi
    Gotcha!
    0
  • Daniel Yi
    How about for port 587? I'm getting a fail on both 465 and 587.
    0
  • cPanelMichael
    How about for port 587? I'm getting a fail on both 465 and 587.

    It's also a false positive since "Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server" applies to all SMTP connections. This option prevents the plaintext transmission of authentication credentials. You can test this yourself by trying to authenticate over port 587 with telnet: # telnet 1.2.3.4 587 Trying 1.2.3.4... Connected to 1.2.3.4. Escape character is '^]'. 220-123.hostname.tld ESMTP Exim 4.91 #1 Wed, 06 Jun 2018 09:14:59 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. EHLO domain.tld 250-123.hostname.tld Hello domain.tld [1.2.3.4] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP AUTH LOGIN 503 AUTH command used when not advertised
    Thank you.
    0

Please sign in to leave a comment.