The Community Forums

mail service allows plaintext using courier mail server fail PCI

Discussion in 'E-mail Discussions' started by vincentg, Sep 4, 2014.

  1. vincentg

    vincentg Well-Known Member

    Joined:
    May 12, 2004
    Messages:
    140
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    new york
    We set the server to use Secure mail but it fails PCI tests

    What I see for Courier is Protocols Enabled.

    It does not have a plaintext setting, so Protocols Enabled must be the solution.

    We disable IMAPD and POP3D and it should be good.

    But if we disable IMAPD we find that Webmail no longer works.

    OK - what's the solution for this?

    PCI error is as follows

    The following two commands were sent in a single packet

    STLS\r\
    CAPA\r\

    It got back
    +OK Begin SSL/TLS negotiation now.
    +OK Here's what I can do
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you let us know what PCI compliance scan you used? Also, could you paste the full output of the error in CODE tags, or was the information in your first post all that was provided?

    Thank you.
     
  3. vincentg

    vincentg Well-Known Member

    The test was pop3 port 110

    And that was the full failed code sent with response

    It ended with CVE:CVE-2011-0411
    BID:46767

    Also given other references, which are in a PDF report given to me.

    The company is panopticsecurity.com

    I think the solution is to disable IMAPD and POP3D, but as I stated, if we do that we no longer have Webmail, as all webmail uses port 143, which is the non-secure IMAP port.

    At present I believe we are safe, as we have satisfied the PCI people for now since they are only testing port 110.
    But I have a feeling that sooner or later they will also test IMAP on 143.

    In any event, Webmail should still work if one disables IMAPD and POP3D - don't you think?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    CVE-2011-0411 is a report against Postfix, not Courier or Dovecot. You should report this to the PCI scanning company and let them know you are not using Postfix on your system.

    Thank you.
     
  5. vincentg

    vincentg Well-Known Member

    Would be nice if these testing companies understood what they were enforcing.

    They passed my scan.
     
  6. aelgate3

    aelgate3 Registered

    Joined:
    Oct 13, 2014
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Hello.......

    I have a similar problem I think.
    What did you tell them at the end of the day vincentg?
    Thanks
     
  7. vincentg

    vincentg Well-Known Member

    I did not disable any protocols as it will cause problems.
    For one Webmail will no longer work should you disable IMAPD if I remember right.

    I just complained to the test company and they passed it.

    Their main concern was if we used email to pass credit card info or passwords.
    I told them we don't use email for anything other than common communication.
    We don't use it to gather credit card details or use it to pass passwords.
    We follow the same standards as a bank would.

    After I told them that they passed it.
     
  8. aelgate3

    aelgate3 Registered

    Thanks for your answer. Also, I don't use email to pass credit card info or passwords anyway. I have mentioned it to them; let's see what will happen.
     
  9. aelgate3

    aelgate3 Registered

    My scan passed. I am just writing what I mentioned to them, so if someone else has got the same problem they can see it.
    ------------------------------------------------------------------------------------------------------------------


    I am writing this regarding the false positive.
    I will explain the reasons why I believe that it is a false positive.

    1) The error CVE-2011-0411 applies to Postfix. My server does not have Postfix installed, but Courier and Dovecot.
    The link below is for reference:
    http://forums.cpanel.net/f43/mail-s...sing-courier-mail-server-fail-pci-426422.html

    Also, those 2 links are references that cPanel does not use Postfix:

    Dear CPanel. You need to support Postfix. I’ll even ask nicely. - Welcome to Nowhere

    http://forums.cpanel.net/f5/where-does-postfix-get-installed-default-114809.html


    2) Also, we enabled the "connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server" setting in the Exim configuration.
    3) We also tried to disable IMAPD and POP3D, but after this Webmail no longer works.
    4) Please read the whole forum link that I gave you before:
    http://forums.cpanel.net/f5/where-does-postfix-get-installed-default-114809.html
    They mentioned the same problems with panopticsecurity some months ago, and after this you accepted the error as a false positive.
    For those reasons, as you can understand, it's not a false positive.


    Some other reasons why it needs to be treated as a false positive:
    1) The specific server (213.175.193.247) only hosts the files for the payment method (Emerchantpay). I don't have any other site on that server. Also, the main website (domain.com) is not hosted on that server.

    What does that mean?

    It means that I don't send any e-mail with credit cards or passwords to the customer or anywhere else when the transaction completes. It also means that I don't use e-mail at all.

    How can you confirm this?
    You can ask our payment provider (emerchantpay). We enabled e-mail notifications in their control panel and they are doing the ''job'' of sending e-mails from their server.

    Reference from Exim, where they mention it as '' Extra paranoia around STARTTLS-with-data-in-buffer.'' but not vulnerable:

    https://lists.exim.org/lurker/message/20110324.091715.d5e73afd.es.html
    ------------------------------------------------------------------------------
    ''+ /* There's an attack where more data is read in past the STARTTLS command
    + before TLS is negotiated, then assumed to be part of the secure session
    + when used afterwards; we use segregated input buffers, SO ARE NOT
    + VULNERABLE, but we want to note when it happens and, for sheer paranoia,
    + ensure that the buffer is "wiped".
    + Pipelining sync checks will normally have protected us too, unless disabled
    + by configuration. */''
    ----------------------------------------------------------------------------------
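The buffer-handling condition behind the scanner's two-commands-in-one-packet test from the first post and the Exim comment quoted above, as an added Python model. This is constructed here, not code from Courier, Dovecot, Exim or cPanel; the packet contents and the two +OK strings come from the first post, everything else (function names, the "segregated buffers" switch) is an assumption.

```python
# Constructed model of the STARTTLS "data left in the buffer" condition that the
# scanner in this thread tested for (the CVE-2011-0411 class of bug). It is NOT
# Courier, Dovecot or Exim code; it only models how a server's read-ahead
# buffer is handled across the STLS handshake.
from typing import List, Tuple

STLS_OK = "+OK Begin SSL/TLS negotiation now."   # replies quoted in the first post
CAPA_OK = "+OK Here's what I can do"


def pop3_session(packet: bytes, segregated_buffers: bool) -> List[Tuple[str, str]]:
    """Feed one client packet to a toy POP3 command loop.

    Returns (layer, reply) pairs, where layer is "plaintext" before the TLS
    handshake and "tls" after it.  With segregated_buffers=False, bytes that
    arrived in the same packet as STLS survive the handshake and are executed
    as if the (now TLS-protected) peer had sent them.  With
    segregated_buffers=True the read-ahead is wiped at the handshake, which is
    the mitigation the quoted Exim comment describes.
    """
    replies: List[Tuple[str, str]] = []
    layer = "plaintext"
    buf = packet
    while buf:
        line, _, buf = buf.partition(b"\r\n")
        cmd = line.decode("ascii", "replace").strip().upper()
        if cmd == "STLS" and layer == "plaintext":
            replies.append((layer, STLS_OK))
            layer = "tls"          # a real server performs the handshake here
            if segregated_buffers:
                buf = b""          # discard anything read ahead of the handshake
        elif cmd == "CAPA":
            replies.append((layer, CAPA_OK))
        else:
            replies.append((layer, "-ERR unknown or unexpected command"))
    return replies


def honours_pipelined_plaintext(packet: bytes, segregated_buffers: bool) -> bool:
    """True if a command pipelined behind STLS in the same plaintext packet was
    executed inside the TLS session (the finding the scanner reported)."""
    replies = pop3_session(packet, segregated_buffers)
    return any(layer == "tls" for layer, _ in replies)


# Constructed input: the two commands the scanner sent in a single packet.
SCANNER_PACKET = b"STLS\r\nCAPA\r\n"

if __name__ == "__main__":
    for mode in (False, True):
        print("segregated buffers:", mode, pop3_session(SCANNER_PACKET, mode))
```

In the wiped-buffer case the client has to resend CAPA after the handshake, so a single +OK is the expected answer to that packet.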