mail service allows plaintext using courier mail server fail PCI

[vincentg]

We set the server to use Secure mail but it fails PCI tests

What I see is for Courier is Protocols Enabled

It does not have a plaintext setting so Protocols Enabled must be the solution

We disable IMAPD and POP3D and it should be good.

But if we disable IMAPD we find that Webmail no longer works.

OK - what's the solution for this?

PCI error is as follows

The following two commands were sent in a single packet

STLS\r\
CAPA\r\

It got back
+OK Begin SSL/TLS negotiation now.
+OK Here's what I can do

 

[cPanelMichael]

Hello

Could you let us know what PCI compliance scan you used? Also, could you paste the full output of the error in CODE tags, or was the information in your first post all that was provided?

Thank you.

 

[vincentg]

The test was pop3 port 110

And that was the full failed code sent with response

It ended with CVE:CVE-2011-0411
BID:46767

Also given other references which is in a PDF report given me.

The company is panopticsecurity.com

I think the solution is to disable IMAPD and POP3D but as I stated if we do that we no longer have Webmail as all webmail uses port 143 which is the non secure imap port

At present I believe we are safe as we have satisfied the PCI people for now since they are only testing port 110
But I have a feeling that sooner or later they will also test Imap on 143

In any event web mail should still work if one disables IMAPD and POP3D - don't you think?

 

[cPanelMichael]

CVE-2011-0411 is a report against Postfix, not Courier or Dovecot. You should report this to the PCI scanning company and let them know you are not using Postfix on your system.

Thank you.

 

[vincentg]

Would be nice if these testing companies understood what they were enforcing.

They passed my scan.

 

[aelgate3]

Hello.......

I have a similar problem I think.
What did you tell them at the end of the day vincentg?
Thanks

 

[vincentg]

I did not disable any protocols as it will cause problems.
For one Webmail will no longer work should you disable IMAPD if I remember right.

I just complained to the test company and they passed it.

Their main concern was if we used email to pass credit card info or passwords.
I told them we don't use email for anything other than common communication.
We don't use it to gather credit card details or use it to pass passwords.
We follow same standards as a bank would.

After I told them that they passed it.

 

[aelgate3]

I did not disable any protocols as it will cause problems.
For one Webmail will no longer work should you disable IMAPD if I remember right.

I just complained to the test company and they passed it.

Their main concern was if we used email to pass credit card info or passwords.
I told them we don't use email for anything other than common communication.
We don't use it to gather credit card details or use it to pass passwords.
We follow same standards as a bank would.

After I told them that they passed it.

thanks for your answer...also I don't use email to pass credit card info or passwords anyway..I have mention it to them let's see what it will happen

 

[aelgate3]

My scan pass...I just writing what I have mention them so if someone else has got the same problem can see it
------------------------------------------------------------------------------------------------------------------


I am writing this regarding the false positive.
I will explain the reasons why I believe that is false/positive

1) The error CVE-2011-0411 is applied to postfix. My server is not installed with Postfix but with courier and dovecot
The below link is for reference
http://forums.cpanel.net/f43/mail-s...sing-courier-mail-server-fail-pci-426422.html

Also those 2 links are reference that Cpanel is not use Postfix

Dear CPanel. You need to support Postfix. I’ll even ask nicely. - Welcome to Nowhere

http://forums.cpanel.net/f5/where-does-postfix-get-installed-default-114809.html


2) Also we enabled "connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server" setting in exim configuration.
3) We tried also to disable IMAPD and POP3D but after this Webmail no works
4) Please read the whole forum link that I gave you before
http://forums.cpanel.net/f5/where-does-postfix-get-installed-default-114809.html
They mentioned the same problems with panopticsecurity before some months and after this you accept the error as false/positive
For those reasos as you can understand its not false positive


Some other reasons why need to be done as false positive
1)The specific server (213.175.193.247) use only files regarding the payment method (Emerchantpay). I don't have any other site on that server.Also the main website (domain.com) is not hosted to that server.

What does that mean?

It means that I don't send any e-mail with credit cards or passwords when the transaction will complete to the customer or to somewhere else. Also that means at all I don't use e-mail.

How can you confirm this?
You can asked our payment provider (emerchantpay). We enable e-mail notifications by their control panel and they are doing the ''job'' of sending e-mails by their server..

Reference from exim that they mention it as '' Extra paranoia around STARTTLS-with-data-in-buffer.'' but not vurnenable

https://lists.exim.org/lurker/message/20110324.091715.d5e73afd.es.html
------------------------------------------------------------------------------
''+ /* There's an attack where more data is read in past the STARTTLS command
+ before TLS is negotiated, then assumed to be part of the secure session
+ when used afterwards; we use segregated input buffers, SO ARE NOT
+ VURNENABLE, but we want to note when it happens and, for sheer paranoia,
+ ensure that the buffer is "wiped".
+ Pipelining sync checks will normally have protected us too, unless disabled
+ by configuration. */""
----------------------------------------------------------------------------------