PCI Scan failing on SMTP Service Cleartext Login Permitted

[Daniel Yi]

Hello everyone.

Our latest PCI Compliancy scan is failing on "SMTP Service Cleartext Login Permitted" on port 465. It's saying that the server is advertising PLAIN or LOGIN, and to only allow less secure connections via secured channels.

I've actually read just about every article and forum post online regarding this, but I still cannot figure out a way to pass.

I've set:
- WHM > Service Configuration > Mailserver Configuration > Allow Plaintext Authentication = Disabled
- WHM > Service Configuration > Exim Configuration Manager > Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server = Enabled
- tls_on_connect_ports = Removing 465 breaks our emails.. So that's a no-go.

Would appreciate some help in resolving this. Thank you!

 

[cPanelMichael]

WHM > Service Configuration > Exim Configuration Manager > Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server = Enabled

Hello @Daniel Yi,

The following Exim document explains how the "tls_on_connect_ports" option works for port 465:

42. Encrypted SMTP connections using TLS/SSL

Here's the relevant section:

4. Support for the obsolete SSMTP (or SMTPS) protocol
Exim supports the obsolete SSMTP protocol (also known as SMTPS) that was used before the STARTTLS command was standardized for SMTP. Some legacy clients still use this protocol. If the tls_on_connect_ports option is set to a list of port numbers or service names, connections to those ports must use SSMTP. The most common use of this option is expected to be

tls_on_connect_ports = 465

because 465 is the usual port number used by the legacy clients. There is also a command line option -tls-on-connect, which forces all ports to behave in this way when a daemon is started.

Warning: Setting tls_on_connect_ports does not of itself cause the daemon to listen on those ports. You must still specify them in daemon_smtp_ports, local_interfaces, or the -oX option. (This is because tls_on_connect_ports applies to inetd connections as well as to connections via the daemon.)

I recommend reporting this as a false positive to your PCI compliance provider and referencing the documentation above.

Thank you.

 

[Daniel Yi]

Maybe I'm not understanding correctly, but based on the information you provided, I'm not sure how that proves that the fail can be classified as a false positive.

Either way, I've emailed them with the info asking if they can submit it as a false positive. I'll update once I hear back.

 

[cPanelMichael]

Hello @Daniel Yi,

It's considered a false positive because cleartext logins aren't actually transmitted over port 465 when Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server is enabled.

Thank you.

 

[Daniel Yi]

Gotcha!

 

[Daniel Yi]

How about for port 587? I'm getting a fail on both 465 and 587.

 

[cPanelMichael]

How about for port 587? I'm getting a fail on both 465 and 587.

It's also a false positive since "Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server" applies to all SMTP connections. This option prevents the plaintext transmission of authentication credentials. You can test this yourself by trying to authenticate over port 587 with telnet:

# telnet 1.2.3.4 587
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
220-123.hostname.tld ESMTP Exim 4.91 #1 Wed, 06 Jun 2018 09:14:59 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
EHLO domain.tld
250-123.hostname.tld Hello domain.tld [1.2.3.4]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
AUTH LOGIN
503 AUTH command used when not advertised

Thank you.