PCI fail on SSL2, yet I have disabled it as per instructions online

Does anyone know how to fix the following PCI failures?

I have followed all recommendations online about disabling SSL2 and yet I still get the following PCI fail:

TCP 25 smtp 5.0
Description: SSL Version 2 (v2) Protocol Detection

TCP 25 smtp 4.3
Description: SSL Weak Cipher Suites Supported

TCP 25 smtp 4.3
Description: SSL Medium Strength Cipher Suites Supported

In particular I have done this http://sogoth.com/?p=376 and followed Virtualmin's instructions https://www.virtualmin.com/documentation/id,pci_compliant

Our current PCI documentation is available here:


In particular, for port 25 related issues (which appears to be the issue you’re seeing), you’d want to pay special attention to the Postfix sections.

What is the output of “postconf -n”?


I thought I had implemented all that, that's the issue. I double-checked it and am sure…

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

I am very confused by this… I've triple-checked all settings online, and yet if I run this command:

openssl s_client -connect myhost.com:25 -starttls smtp -ssl2

I get the following, which says SSL2 is being used. Is there some other place controlling the use of SSL on port 25?

New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: 538F5A4AF8FA8CB141B4AEEF13A67C6E
    Session-ID-ctx:
    Master-Key: 39BD212345678CB141B4AD9B578DC4C376661A8A6B015F6A
    Key-Arg   : 13178CB141B4A06
    Start Time: 1401806545
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

I had to add the following, and now I do not get the above "Protocol : SSLv2" but get the expected write:errno=54

smtpd_tls_protocols = !SSLv2

This is not in the documentation. It's not on many sites. I stumbled upon this site http://www.howtoforge.com/forums/showthread.php?t=58775 which says it's in Postfix 2.6 and later.

I will redo my scan, see if that works.

Since adding the line smtpd_tls_protocols = !SSLv2 to postfix, I have had a few POSTFIX SMTP Server errors sent to me, from various sources.

Transcript of session follows.

Out: 220 ac2.amitywebsolutions.co.uk ESMTP Postfix
In: EHLO DUB004-OMC3S13.hotmail.com
Out: 250-ac2.amitywebsolutions.co.uk
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-8BITMIME
Out: 250 DSN
Out: 454 4.7.0 TLS not available due to local problem

Session aborted, reason: lost connection

I have had to remove the line “smtpd_tls_protocols = !SSLv2” on one server because people could not send email. So back to square one.

On another server I get these last two issues, which I don't know how to fix:

TCP 25 smtp
Description: SSL Weak Cipher Suites Supported

TCP 25 smtp 4.3
Description: SSL Medium Strength Cipher Suites Supported

Note: it should be noted that your instructions DO NOT make a server PCI compliant. I have followed your instructions and still fail SecurityMetrics.
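The pasted postconf -n only sets the smtpd_tls_mandatory_* protocol and cipher parameters, but with smtpd_tls_security_level = may the server offers opportunistic TLS, which Postfix governs with smtpd_tls_protocols and smtpd_tls_ciphers instead; the mandatory parameters only take effect under security level encrypt. The following Python check is an added example, not code from the thread or from Virtualmin: it parses a postconf -n dump and reports which of the three scanner findings the settings actually in effect would still produce. It assumes an unset opportunistic parameter means "no restriction", as on the Postfix 2.6 shown in the thread, and the mapping from cipher grade to scanner finding is approximate (scanners may still flag individual suites inside "high").

```python
import re

# Constructed from the postconf -n output quoted in the thread (only the TLS keys matter here).
POSTED_CONF = """
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_security_level = may
"""

# Same config with the opportunistic-TLS parameters set explicitly (constructed).
HARDENED_CONF = POSTED_CONF + "smtpd_tls_protocols = !SSLv2, !SSLv3\nsmtpd_tls_ciphers = high\n"

def parse_postconf(text):
    """Turn 'key = value' lines (postconf -n style) into a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def protocol_allowed(spec, proto):
    """Postfix protocol-list semantics: an exclusion list ('!SSLv2, !SSLv3') forbids the
    named versions; an inclusion list ('SSLv3, TLSv1') allows only those; empty = all."""
    items = [s for s in re.split(r"[,\s]+", spec) if s]
    if not items:
        return True
    if all(i.startswith("!") for i in items):
        return "!" + proto not in items
    return proto in items

def tls_findings(conf):
    """Return the scanner findings implied by the parameters Postfix actually applies
    at the configured security level (smtpd only knows none / may / encrypt)."""
    level = conf.get("smtpd_tls_security_level", "none")
    if level == "none":
        return ["TLS disabled on smtpd"]
    prefix = "smtpd_tls_mandatory_" if level == "encrypt" else "smtpd_tls_"
    protocols = conf.get(prefix + "protocols", "")   # unset: every version offered (2.6 default)
    ciphers = conf.get(prefix + "ciphers", "")       # unset: weak default grade assumed
    findings = []
    if protocol_allowed(protocols, "SSLv2"):
        findings.append("SSL Version 2 (v2) Protocol Detection")
    if ciphers not in ("high", "medium"):
        findings.append("SSL Weak Cipher Suites Supported")
    if ciphers != "high":
        findings.append("SSL Medium Strength Cipher Suites Supported")
    return findings
```

Run it against `postconf -n` output saved to a file before re-running the scan; an empty list means the opportunistic-TLS parameters, not just the mandatory ones, now exclude SSLv2 and the weak grades.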