The Community Forums


PCI fails on "SMTP Service Cleartext Login Permitted"

Discussion in 'Security' started by DenRomano, Oct 28, 2016.

  1. DenRomano

    DenRomano Member

    Hi All,

    I have searched far and wide for messages on this, so I am going to post and maybe get some answers. We get scans for PCI from SecurityMetrics and yes, it is a pain and yes, they are wrong in many ways, but I still need to get past it.

    For port 465 we fail on "SMTP Service Cleartext Login Permitted".

    We paid platinumservermanagement to admin our server and they cannot solve this issue and claim it is a cPanel problem. They say they have done the following:

    -----------------------------------
    I have already tweaked mail servers settings to fix 'SMTP Service Cleartext Login Permitted' vulnerability.

    WHM Home » Service Configuration » Mailserver Configuration
    disabled ... Allow Plaintext Authentication

    WHM Home » Service Configuration » Exim Configuration Manager
    Enabled ... Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server.

    ---------------------------------

    And we still fail the test. I have called Security Metrics and they do a manual test and say it does in fact fail. We do have one thing that is maybe not normal in our WHM, but based on my test this does not seem to be an issue: for all services we have them protected not by the server's SSL but by another SSL for our domain, since Security Metrics does not like to see an SSL with the server's name (server.mydomain.com) and wants to ONLY see certs from example.com.

    Any ideas how I can pass?
     
    #1 DenRomano, Oct 28, 2016
    Last edited by a moderator: Oct 28, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @DenRomano,

    Here's the relevant section from our PCI compliance document:

    Could you consult with SecurityMetrics again and ask them to provide specific information about the steps they are using to manually reproduce plaintext authentication over port 465?

    Regarding the SSL certificate for the hostname, cPanel version 60 implements Domain TLS to allow for per-domain service certificates:

    60 Release Notes - Documentation - cPanel Documentation

    Additional information about Domain TLS is available at:

    What is Domain TLS - cPanel Knowledge Base - cPanel Documentation

    Here's a quote from the release notes:

    Let us know if you have any additional questions.

    Thank you.
     
  3. DenRomano

    DenRomano Member

    Here is what they said to your request:


    Code:
    openssl s_client -connect www.example.com:465
    CONNECTED(00000003)
    EHLO
    250-server.example.com Hello [70.103.xxx.xx]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250 HELP
    AUTH PLAIN
    334
    AUTH LOGIN
    535 Incorrect authentication data

    Regards,

     
    #3 DenRomano, Oct 28, 2016
    Last edited by a moderator: Oct 28, 2016
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The following Exim document explains how the "tls_on_connect_ports" option works for port 465:

    42. Encrypted SMTP connections using TLS/SSL

    Here's the relevant section:

    You can browse to "WHM >> Exim Configuration Manager >> Advanced Editor" and remove port 465 from the tls_on_connect_ports option to ensure PCI compliance passes.

    Thank you.
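    The scanner transcript in post #3 and the tls_on_connect_ports explanation in post #4 both come down to one question an admin can verify locally: on a given port, is AUTH advertised before the session is encrypted? The script below is an added example for this thread, not cPanel's or Exim's code and not part of any post. It parses an EHLO reply (the constructed sample is the scanner's response lines from post #3, with placeholder hostname and IP) and classifies it the way a PCI scanner reasons: AUTH inside an implicit-TLS session (what tls_on_connect_ports gives port 465) is not cleartext; AUTH on a plain TCP session before STARTTLS is. The live check uses only the standard library; the hostname passed to EHLO is an arbitrary placeholder.

```python
"""Check which SMTP ports advertise AUTH before TLS is established.

Added example for the thread above; assumes nothing beyond Python's
standard library. Sample data below is constructed from the scanner
transcript in post #3 (hostname and IP are placeholders).
"""
import smtplib
import ssl
import sys

# Constructed sample: the server's EHLO response lines as the scanner saw them.
SAMPLE_EHLO_RESPONSE = """\
250-server.example.com Hello [70.103.xxx.xx]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
"""


def parse_ehlo(response):
    """Return {KEYWORD: argument} for each ESMTP extension in an EHLO reply.

    The first 250 line is the greeting (hostname + client address) and
    carries no extension, so it is skipped.
    """
    caps = {}
    lines = [line for line in response.splitlines() if line.strip()]
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, arg = body.partition(" ")
        caps[keyword.upper()] = arg.strip()
    return caps


def assess(caps, tls_already_established):
    """Classify a capability set as a scanner would: (status, reason).

    'fail' means credentials could be sent over an unencrypted session,
    which is exactly the "SMTP Service Cleartext Login Permitted" finding.
    """
    auth = caps.get("AUTH")
    if auth is None:
        return ("ok", "AUTH not advertised on this session")
    if tls_already_established:
        # Implicit TLS (Exim tls_on_connect_ports): EHLO already ran inside
        # the encrypted channel, so AUTH here never travels in cleartext.
        return ("ok", "AUTH %s advertised inside an implicit-TLS session" % auth)
    if "STARTTLS" in caps:
        return ("fail", "AUTH %s advertised before STARTTLS was issued" % auth)
    return ("fail", "AUTH %s advertised and no STARTTLS offered" % auth)


def check_live(host, port, implicit_tls, timeout=10):
    """Connect, send EHLO, and assess the capabilities seen before any STARTTLS.

    implicit_tls=True wraps the socket in TLS before the SMTP banner (port 465
    in tls_on_connect_ports); False opens a plain TCP session, so whatever is
    advertised is what a passive observer could also see.
    """
    if implicit_tls:
        client = smtplib.SMTP_SSL(host, port, timeout=timeout,
                                  context=ssl.create_default_context())
    else:
        client = smtplib.SMTP(host, port, timeout=timeout)
    try:
        code, _ = client.ehlo("pci-check.example.invalid")  # placeholder name
        if code != 250:
            return ("error", "EHLO rejected with code %d" % code)
        # smtplib lowercases keywords and may leave a leading space on values.
        caps = {k.upper(): v.strip() for k, v in client.esmtp_features.items()}
        return assess(caps, implicit_tls)
    finally:
        try:
            client.quit()
        except smtplib.SMTPException:
            pass


if __name__ == "__main__":
    # Usage: python smtp_auth_check.py mail.example.com
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        caps = parse_ehlo(SAMPLE_EHLO_RESPONSE)
        print("sample, TLS first :", assess(caps, True))
        print("sample, plain TCP :", assess(caps, False))
    else:
        for port, implicit in ((25, False), (587, False), (465, True)):
            try:
                print(port, check_live(target, port, implicit))
            except OSError as exc:
                print(port, ("error", str(exc)))
```

Run it without arguments to see the sample classified both ways; with a hostname it probes 25 and 587 as plain sessions and 465 as implicit TLS. If 465 is removed from tls_on_connect_ports as post #4 suggests, re-run with port 465 in the plain-TCP group: with "Require clients to connect with SSL or issue the STARTTLS command" enabled, the expected result is that AUTH is no longer advertised until after STARTTLS.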
     