PCI fail on SSL2, yet I have disabled it as per instructions online

Does anyone know how to fix the following PCI failures?

I have followed all recommendations online about disabling SSL2 and yet I still get the following PCI fail:

TCP 25 smtp 5.0
Description: SSL Version 2 (v2) Protocol Detection

TCP 25 smtp 4.3
Description: SSL Weak Cipher Suites Supported

TCP 25 smtp 4.3
Description: SSL Medium Strength Cipher Suites Supported

In particular I have done this http://sogoth.com/?p=376 and followed Virtualmin's instructions https://www.virtualmin.com/documentation/id,pci_compliant

Thanks

Howdy,

Our current PCI documentation is available here:

https://www.virtualmin.com/documentation/security/pci

In particular, for port 25 related issues (which appears to be the issue you’re seeing), you’d want to pay special attention to the Postfix sections.

What is the output of “postconf -n”?

-Eric

I thought I had implemented all that; that's the issue. I double-checked it and am sure…

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

I am very confused by this… I’ve triple checked all settings online, and yet if I run this command:

openssl s_client -connect myhost.com:25 -starttls smtp -ssl2

I get the following, which says SSL2 is being used. Is there some other place controlling the use of SSL on port 25?

New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: 538F5A4AF8FA8CB141B4AEEF13A67C6E
    Session-ID-ctx:
    Master-Key: 39BD212345678CB141B4AD9B578DC4C376661A8A6B015F6A
    Key-Arg   : 13178CB141B4A06
    Start Time: 1401806545
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

I had to add the following, and now I do not get the above Protocol : SSLv2, but get the expected write:errno=54

smtpd_tls_protocols = !SSLv2

This is not in the documentation. It's not on many sites. I stumbled upon this site http://www.howtoforge.com/forums/showthread.php?t=58775 which says it's in Postfix 2.6 and later.

I will redo my scan, see if that works.

Since adding the line smtpd_tls_protocols = !SSLv2 to postfix, I have had a few POSTFIX SMTP Server errors sent to me, from various sources.

Transcript of session follows.

Out: 220 ac2.amitywebsolutions.co.uk ESMTP Postfix
In: EHLO DUB004-OMC3S13.hotmail.com
Out: 250-ac2.amitywebsolutions.co.uk
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: STARTTLS
Out: 454 4.7.0 TLS not available due to local problem

Session aborted, reason: lost connection

I have had to remove the line “smtpd_tls_protocols = !SSLv2” on one server because people could not send email. So back to square one.

On another server I get these last two issues, which I don't know how to fix:

TCP 25 smtp
Description: SSL Weak Cipher Suites Supported

TCP 25 smtp 4.3
Description: SSL Medium Strength Cipher Suites Supported

Note: it should be noted that your instructions DO NOT make a server PCI compliant. I have followed your instructions and still fail SecurityMetrics.

Thanks
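The thread's two findings share one root cause: at smtpd_tls_security_level = may, Postfix consults smtpd_tls_protocols and smtpd_tls_ciphers for opportunistic TLS, while the smtpd_tls_mandatory_* settings from the postconf -n dump only take effect at "encrypt" or stricter. The checker below is an added example (not from the thread, Virtualmin or Postfix); it parses a postconf -n dump and reports that mismatch plus an SSLv2 list that still permits the protocol. The 2.6-era defaults and the constructed sample input are assumptions based on the configuration quoted above.

```python
"""Lint a postconf -n dump for the opportunistic-vs-mandatory TLS mismatch."""
import re
from typing import Dict, List

# Constructed sample: the TLS-relevant subset of the postconf -n output in the thread.
SAMPLE_POSTCONF = """\
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_security_level = may
"""

# Assumed Postfix 2.6-era defaults: the opportunistic list is empty (no restriction).
DEFAULT_PROTOCOLS = {"smtpd_tls_protocols": "",
                     "smtpd_tls_mandatory_protocols": "SSLv3, TLSv1"}

def parse_postconf(text: str) -> Dict[str, str]:
    """Turn 'name = value' lines, as printed by postconf -n, into a dict."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def sslv2_allowed(protocol_list: str) -> bool:
    """Empty list = every protocol; '!X' excludes X; a bare name switches to
    inclusion form, where only the named protocols are enabled."""
    tokens = [t for t in re.split(r"[\s,:]+", protocol_list) if t]
    if not tokens:
        return True
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    if included:
        return "SSLv2" in included and "SSLv2" not in excluded
    return "SSLv2" not in excluded

def tls_findings(conf: Dict[str, str]) -> List[str]:
    """Findings to resolve before re-running the PCI scan."""
    findings: List[str] = []
    level = conf.get("smtpd_tls_security_level", "none")
    if level == "none":
        return findings
    if level == "may":  # opportunistic TLS ignores the mandatory_* parameters
        for key in ("smtpd_tls_mandatory_protocols", "smtpd_tls_mandatory_ciphers"):
            opportunistic = key.replace("mandatory_", "")
            if key in conf and opportunistic not in conf:
                findings.append(f"{key} is ignored at security_level=may; set {opportunistic}")
    proto_key = "smtpd_tls_protocols" if level == "may" else "smtpd_tls_mandatory_protocols"
    if sslv2_allowed(conf.get(proto_key, DEFAULT_PROTOCOLS[proto_key])):
        findings.append(f"SSLv2 still offered: add '{proto_key} = !SSLv2'")
    return findings
```

Run it against the thread's dump and it reports both ignored mandatory settings and the missing `smtpd_tls_protocols = !SSLv2`; once the opportunistic counterparts are set it reports nothing.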