PCI fails on "SMTP Service Cleartext Login Permitted"
Hi All,
I have search far and wide for messages on this so I am going to post and maybe get some answers. We get scans for PCI from securitymetrics and yes it is a pain and yes they are wrong in many ways but I still need to get passed.
For port 465 we fail on a "SMTP Service Cleartext Login Permitted"
We paid platinumservermanagement to admin our server and they can not solve this issue and claim it is a cpanel problem. They say they have done the following
-----------------------------------
I have already tweaked mail servers settings to fix 'SMTP Service Cleartext Login Permitted' vulnerability.
WHM Home ? Service Configuration ? Mailserver Configuration.
disabled ... Allow Plaintext Authentication
WHM Home ? Service Configuration ? Exim Configuration Manager
Enabled ... Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server.
---------------------------------
And we still fail the test and I have called Security Metrics and they do a manual test and say they it does in fact fail. We do have 1 thing that is maybe not normal in our WHM but based on my test this does not seem to be a issue. For the all services we have them protected not by the server's SSL but another SSL for our domain since Security Metrics does not like to see a SSL with the server's name (server.mydomain.com) and wants to ONLY see certs from example.com
Any ideas how I can pass?
-
Hello @DenRomano, Here's the relevant section from our interface (Home >> Service Configuration >> Exim Configuration Manager). - Enable the Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server. option.
- Click Save.
Could you consult with SecurityMetrics again and ask them to provide specific information about the steps they are using to manually reproduce plaintext authentication over port 465? Regarding the SSL certificate for the hostname, cPanel version 60 implements Domain TLS to allow for per-domain service certificates: 60 Release Notes - Documentation - cPanel Documentation Additional information about Domain TLS is available at: What is Domain TLS - cPanel Knowledge Base - cPanel Documentation Here's a quote from the release notes: As of cPanel & WHM version 60, Domain TLS handles SNI functionality for the following services: [LIST]- cpsrvd " cPanel, WHM, and Webmail logins and interfaces.
- cpdavd " Calendar, Contacts, and Web Disk services.
- exim " Mail transfer and receiving services.
- dovecot " Mailbox service. We plan to expand Domain TLS to handle SNI functionality for more services in future versions.
Let us know if you have any additional questions. Thank you.0 -
Here is what they said to your request openssl s_client -connect www.example.com:465CONNECTED(00000003) EHLO 250-server.example.com Hello [70.103.xxx.xx] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250 HELP AUTH PLAIN 334 AUTH LOGIN 535 Incorrect authentication data Regards,0 -
Hello, The following Exim document explains how the "tls_on_connect_ports" option works for port 465: 42. Encrypted SMTP connections using TLS/SSL Here's the relevant section: 4. Support for the obsolete SSMTP (or SMTPS) protocol Exim supports the obsolete SSMTP protocol (also known as SMTPS) that was used before the STARTTLS command was standardized for SMTP. Some legacy clients still use this protocol. If the tls_on_connect_ports option is set to a list of port numbers or service names, connections to those ports must use SSMTP. The most common use of this option is expected to be tls_on_connect_ports = 465 because 465 is the usual port number used by the legacy clients. There is also a command line option -tls-on-connect, which forces all ports to behave in this way when a daemon is started. Warning: Setting tls_on_connect_ports does not of itself cause the daemon to listen on those ports. You must still specify them in daemon_smtp_ports, local_interfaces, or the -oX option. (This is because tls_on_connect_ports applies to inetd connections as well as to connections via the daemon.)
You can browse to "WHM >> Exim Configuration Manager >> Advanced Editor" and remove port 465 from the tls_on_connect_ports option to ensure PCI compliance passes. Thank you.0
Please sign in to leave a comment.
Comments
3 comments