
mail service allows plaintext using courier mail server fail PCI

Comments

8 comments

  • cPanelMichael
    Hello :) Could you let us know what PCI compliance scan you used? Also, could you paste the full output of the error in CODE tags, or was the information in your first post all that was provided? Thank you.
    0
  • vincentg
    The test was POP3 on port 110, and that was the full failure text sent with the response. It ended with CVE: CVE-2011-0411, BID: 46767. Other references were also given in a PDF report sent to me. The company is panopticsecurity.com. I think the solution is to disable IMAPD and POP3D, but as I stated, if we do that we no longer have webmail, as all webmail uses port 143, which is the non-secure IMAP port. At present I believe we are safe, as we have satisfied the PCI people for now, since they are only testing port 110. But I have a feeling that sooner or later they will also test IMAP on 143. In any event, webmail should still work if one disables IMAPD and POP3D - don't you think?
    0
  • cPanelMichael
    CVE-2011-0411 is a report against Postfix, not Courier or Dovecot. You should report this to the PCI scanning company and let them know you are not using Postfix on your system. Thank you.
    0
  • vincentg
    Would be nice if these testing companies understood what they were enforcing. They passed my scan.
    0
  • aelgate3
    Hello. I have a similar problem, I think. What did you tell them at the end of the day, vincentg? Thanks
    0
  • vincentg
    I did not disable any protocols, as it will cause problems. For one, webmail will no longer work should you disable IMAPD, if I remember right. I just complained to the test company and they passed it. Their main concern was whether we used email to pass credit card info or passwords. I told them we don't use email for anything other than common communication. We don't use it to gather credit card details or to pass passwords. We follow the same standards as a bank would. After I told them that, they passed it.
    0
  • aelgate3
    [quote="vincentg, post: 1747661"]I did not disable any protocols, as it will cause problems. For one, webmail will no longer work should you disable IMAPD, if I remember right. I just complained to the test company and they passed it. Their main concern was whether we used email to pass credit card info or passwords. I told them we don't use email for anything other than common communication. We don't use it to gather credit card details or to pass passwords. We follow the same standards as a bank would. After I told them that, they passed it.[/quote]
    Thanks for your answer. I also don't use email to pass credit card info or passwords anyway. I have mentioned it to them; let's see what will happen.
    0
  • aelgate3
    My scan passed. I am just writing down what I told them, so anyone else who has the same problem can see it:

    I am writing this regarding the false positive. I will explain the reasons why I believe it is a false positive.

    1) The error CVE-2011-0411 applies to Postfix. My server does not have Postfix installed, but Courier and Dovecot. The link below is for reference:

    ''+ /* There's an attack where more data is read in past the STARTTLS command + before TLS is negotiated, then assumed to be part of the secure session + when used afterwards; we use segregated input buffers, SO ARE NOT + VURNENABLE, but we want to note when it happens and, for sheer paranoia, + ensure that the buffer is "wiped". + Pipelining sync checks will normally have protected us too, unless disabled + by configuration. */''
    0
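The finding the thread revolves around is the scanner's "mail service allows plaintext" on POP3 port 110 (and, as vincentg expects, eventually IMAP on 143): the clear-text port accepts a password before TLS is negotiated. Whether a server does that can be read straight from its capability list, which is the check worth running yourself before arguing with the scanning company. The script below is an added example, not code from this thread, from cPanel or from Courier: it parses a POP3 CAPA reply (RFC 2449) and an IMAP capability list (RFC 3501), reports whether STARTTLS is offered and whether plaintext authentication is still permitted on the clear connection, and includes live probe helpers. The sample responses are constructed for the example (modelled on what a Courier install tends to advertise, not captured from any real host), and the USER / SASL / LOGINDISABLED heuristics are assumptions taken from the RFCs rather than from the scanner's report.

```python
"""Check whether a POP3 (110) or IMAP (143) service accepts plaintext
authentication before TLS, the condition a PCI scan reports as
"mail service allows plaintext"."""
import socket
from dataclasses import dataclass, field


@dataclass
class MailServiceReport:
    protocol: str
    starttls_offered: bool
    plaintext_auth_allowed: bool
    capabilities: list = field(default_factory=list)

    def summary(self) -> str:
        if self.plaintext_auth_allowed:
            tls = " (STARTTLS offered but not required)" if self.starttls_offered else " (no STARTTLS)"
            return f"{self.protocol}: plaintext credentials accepted before TLS" + tls
        return f"{self.protocol}: plaintext login refused before TLS"


def parse_pop3_capa(response: str) -> MailServiceReport:
    """Parse the reply to POP3 CAPA (RFC 2449): '+OK', capability lines, '.'."""
    lines = [ln.strip() for ln in response.splitlines() if ln.strip()]
    if not lines or not lines[0].upper().startswith("+OK"):
        raise ValueError("server did not accept CAPA")
    caps = [ln.upper() for ln in lines[1:] if ln != "."]
    starttls = "STLS" in caps
    # Assumption from RFC 2449: a USER line means USER/PASS is permitted on this
    # (clear) connection; SASL PLAIN or LOGIN send the password in the clear too.
    plain = False
    for cap in caps:
        name, *args = cap.split()
        if name == "USER" or (name == "SASL" and ({"PLAIN", "LOGIN"} & set(args))):
            plain = True
    return MailServiceReport("POP3", starttls, plain, caps)


def parse_imap_capability(response: str) -> MailServiceReport:
    """Parse an IMAP capability list (RFC 3501), from either the greeting
    ('* OK [CAPABILITY ...]') or an untagged '* CAPABILITY ...' response."""
    caps = None
    for ln in response.splitlines():
        up = ln.strip().upper()
        if up.startswith("* OK [CAPABILITY"):
            inner = up[len("* OK [CAPABILITY"):]
            caps = inner[: inner.index("]")].split()
            break
        if up.startswith("* CAPABILITY"):
            caps = up[len("* CAPABILITY"):].split()
            break
    if caps is None:
        raise ValueError("no CAPABILITY list found")
    starttls = "STARTTLS" in caps
    # Without LOGINDISABLED the server takes LOGIN user pass in the clear;
    # AUTH=PLAIN / AUTH=LOGIN advertised pre-TLS are equally plaintext.
    plain = "LOGINDISABLED" not in caps or bool({"AUTH=PLAIN", "AUTH=LOGIN"} & set(caps))
    return MailServiceReport("IMAP", starttls, plain, caps)


def _recv_until(sock: socket.socket, marker: bytes, limit: int = 65536) -> str:
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")


def probe_pop3(host: str, port: int = 110, timeout: float = 5.0) -> MailServiceReport:
    """Connect to the clear-text POP3 port, send CAPA, classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _recv_until(s, b"\r\n")  # banner, e.g. "+OK Hello there."
        s.sendall(b"CAPA\r\n")
        first = _recv_until(s, b"\r\n")
        if not first.startswith("+OK"):
            raise ValueError(f"CAPA rejected: {first.strip()}")
        rest = "" if "\r\n.\r\n" in first else _recv_until(s, b"\r\n.\r\n")
        s.sendall(b"QUIT\r\n")
    return parse_pop3_capa(first + rest)


def probe_imap(host: str, port: int = 143, timeout: float = 5.0) -> MailServiceReport:
    """Connect to the clear-text IMAP port and classify the capability list."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = _recv_until(s, b"\r\n")
        if "[CAPABILITY" in greeting.upper():
            report = parse_imap_capability(greeting)
        else:
            s.sendall(b"a001 CAPABILITY\r\n")
            report = parse_imap_capability(_recv_until(s, b"a001 "))
        s.sendall(b"a002 LOGOUT\r\n")
    return report


# Constructed sample replies (not captured from a real server).
POP3_CAPA_PLAINTEXT = ("+OK Here's what I can do:\r\nSTLS\r\nTOP\r\nUSER\r\nLOGIN-DELAY 10\r\n"
                       "PIPELINING\r\nUIDL\r\nIMPLEMENTATION Courier Mail Server\r\n.\r\n")
POP3_CAPA_TLS_REQUIRED = ("+OK Here's what I can do:\r\nSTLS\r\nTOP\r\nLOGIN-DELAY 10\r\n"
                          "PIPELINING\r\nUIDL\r\n.\r\n")
IMAP_GREETING_PLAINTEXT = ("* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE IDLE STARTTLS "
                           "AUTH=PLAIN] Courier-IMAP ready.\r\n")
IMAP_CAPABILITY_TLS_REQUIRED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\na001 OK CAPABILITY completed\r\n"

if __name__ == "__main__":
    for sample, parser in ((POP3_CAPA_PLAINTEXT, parse_pop3_capa),
                           (POP3_CAPA_TLS_REQUIRED, parse_pop3_capa),
                           (IMAP_GREETING_PLAINTEXT, parse_imap_capability),
                           (IMAP_CAPABILITY_TLS_REQUIRED, parse_imap_capability)):
        print(parser(sample).summary())
```

Run against a real host with `probe_pop3("mail.example.com")` or `probe_imap("mail.example.com")`; a clear-text port that still advertises USER (POP3) or lacks LOGINDISABLED (IMAP) is what the scanner objects to, independent of which MTA the CVE number points at. The fix is to require TLS before authentication on 110 and 143 rather than to stop the daemons, which keeps webmail on 143 working.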
