
PCI Scan failing on SMTP Service Cleartext Login Permitted

Discussion in 'E-mail Discussion' started by Daniel Yi, Jun 4, 2018.

  1. Daniel Yi

    Daniel Yi Member

    Joined:
    Nov 7, 2017
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    New York
    cPanel Access Level:
    Root Administrator
    Hello everyone.

    Our latest PCI compliance scan is failing on "SMTP Service Cleartext Login Permitted" on port 465. It's saying that the server is advertising PLAIN or LOGIN, and to only allow less secure connections via secured channels.

    I've actually read just about every article and forum post online regarding this, but I still cannot figure out a way to pass.

    I've set:
    - WHM > Service Configuration > Mailserver Configuration > Allow Plaintext Authentication = Disabled
    - WHM > Service Configuration > Exim Configuration Manager > Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server = Enabled
    - tls_on_connect_ports = Removing 465 breaks our email, so that's a no-go.

    Would appreciate some help in resolving this. Thank you!
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,802
    Likes Received:
    1,895
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Daniel Yi,

    The following Exim document explains how the "tls_on_connect_ports" option works for port 465:

    42. Encrypted SMTP connections using TLS/SSL

    Here's the relevant section:

    I recommend reporting this as a false positive to your PCI compliance provider and referencing the documentation above.

    Thank you.
     
  3. Daniel Yi

    Daniel Yi Member

    Joined:
    Nov 7, 2017
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    New York
    cPanel Access Level:
    Root Administrator
    Maybe I'm not understanding correctly, but based on the information you provided, I'm not sure how that proves that the fail can be classified as a false positive.

    Either way, I've emailed them with the info asking if they can submit it as a false positive. I'll update once I hear back.
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,802
    Likes Received:
    1,895
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Daniel Yi,

    It's considered a false positive because cleartext logins aren't actually transmitted over port 465 when "Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server" is enabled.

    Thank you.
     
  5. Daniel Yi

    Daniel Yi Member

    Joined:
    Nov 7, 2017
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    New York
    cPanel Access Level:
    Root Administrator
    Gotcha!
     
    cPanelMichael likes this.
  6. Daniel Yi

    Daniel Yi Member

    Joined:
    Nov 7, 2017
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    New York
    cPanel Access Level:
    Root Administrator
    How about for port 587? I'm getting a fail on both 465 and 587.
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,802
    Likes Received:
    1,895
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    It's also a false positive since "Require clients to connect with SSL or issue starttls command before they are allowed to authenticate with the server" applies to all SMTP connections. This option prevents the plaintext transmission of authentication credentials. You can test this yourself by trying to authenticate over port 587 with telnet:

    Code:
    # telnet 1.2.3.4 587
    Trying 1.2.3.4...
    Connected to 1.2.3.4.
    Escape character is '^]'.
    220-123.hostname.tld ESMTP Exim 4.91 #1 Wed, 06 Jun 2018 09:14:59 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    EHLO domain.tld
    250-123.hostname.tld Hello domain.tld [1.2.3.4]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-STARTTLS
    250 HELP
    AUTH LOGIN
    503 AUTH command used when not advertised
    Thank you.
     
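The telnet session above shows the check by hand. The script below is an added example (not code from this thread, from cPanel, or from Exim) that automates the same verification for both ports discussed: it parses EHLO replies and reports whether PLAIN or LOGIN is offered before TLS on a STARTTLS port such as 587, and reads the AUTH line on an implicit-TLS port such as 465 only after the handshake, which is why anything advertised there was never exposed in cleartext. The host names, IP addresses and transcripts in it are constructed; `probe_submission()` and `probe_implicit_tls()` are hypothetical helper names for running the check against a live server.

```python
"""Check whether an SMTP service offers AUTH PLAIN/LOGIN before TLS.

Added example, not code from the forum thread, cPanel or Exim. It parses
EHLO replies of the form quoted in the thread and reports whether cleartext
authentication is offered, which is what the PCI scanner flags. The
probe_* helpers run the same check against a live host. All host names
and transcripts below are constructed.
"""
import smtplib
import ssl

# Mechanisms the scanner objects to when they are offered on a non-TLS channel.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line '250-...' / '250 ...' EHLO reply into {EXT: [params]}.

    The first 250 line is the server greeting and is skipped; the remaining
    lines are extension keywords with optional parameters (e.g. AUTH PLAIN).
    """
    caps = {}
    lines = [l.strip() for l in reply.splitlines() if l.strip().startswith("250")]
    for line in lines[1:]:
        body = line[4:].strip()  # drop the "250-" or "250 " prefix
        if body:
            keyword, *params = body.split()
            caps[keyword.upper()] = [p.upper() for p in params]
    return caps


def cleartext_auth_offered(caps: dict) -> set:
    """Cleartext mechanisms (PLAIN/LOGIN) advertised in a parsed capability set."""
    return CLEARTEXT_MECHS & set(caps.get("AUTH", []))


def assess(pre_tls_caps: dict, post_tls_caps: dict) -> str:
    """Classify a STARTTLS-style exchange (port 587).

    'cleartext-auth-exposed': PLAIN/LOGIN offered before STARTTLS (finding is real)
    'auth-only-after-tls'   : nothing before, AUTH only after STARTTLS (the thread's case)
    'no-auth-advertised'    : AUTH not offered at all
    """
    if cleartext_auth_offered(pre_tls_caps):
        return "cleartext-auth-exposed"
    if "AUTH" in post_tls_caps:
        return "auth-only-after-tls"
    return "no-auth-advertised"


def probe_submission(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Live check of a STARTTLS port: AUTH offerings before and after STARTTLS."""
    ctx = ssl.create_default_context()
    result = {"pre_tls_auth": [], "starttls": False, "post_tls_auth": []}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["pre_tls_auth"] = smtp.esmtp_features.get("auth", "").upper().split()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities must be re-read after the TLS handshake
            result["starttls"] = True
            result["post_tls_auth"] = smtp.esmtp_features.get("auth", "").upper().split()
    return result


def probe_implicit_tls(host: str, port: int = 465, timeout: float = 10.0) -> list:
    """Live check of an implicit-TLS port (tls_on_connect_ports).

    The AUTH line is only ever read after the TLS handshake, so whatever is
    returned here was not exposed in cleartext.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.esmtp_features.get("auth", "").upper().split()


# Constructed transcripts modelled on the telnet session quoted in the thread.
PRE_TLS_REPLY = """250-mail.example.com Hello client.example.org [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP"""

POST_TLS_REPLY = """250-mail.example.com Hello client.example.org [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP"""

if __name__ == "__main__":
    # Offline demonstration on the constructed transcripts; for a live host use
    # probe_submission("mail.example.com") and probe_implicit_tls("mail.example.com").
    print(assess(parse_ehlo(PRE_TLS_REPLY), parse_ehlo(POST_TLS_REPLY)))
```

A scanner that reports "cleartext login permitted" on 587 while `assess()` returns `auth-only-after-tls` has connected, seen STARTTLS, and reported the mechanisms it found after negotiating TLS; the AUTH line in that case is the one returned by `probe_submission()` under `post_tls_auth`, never the one sent before the handshake. On 465 there is no pre-TLS capability list at all, which is the point cPanelMichael makes about `tls_on_connect_ports`.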