Regarding PCI compliance from docs

Was just reading through the doc and saw the part about PCI compliance at PCI Compliance | Virtualmin — Open Source Web Hosting Control Panel
One thing to note is this one:

Just a heads up for anyone wanting to try this: Outlook does NOT support TLS 1.3, at least for IMAP.

I know people should document themselves properly before tweaking and securing their servers, but maybe some warning on that page would be nice in this regard.
Something like: if you are using Outlook or any other MUA not compatible with TLS 1.3, do not try this.

It looks like it is perhaps a minimum, so that you don’t use lower, like v1.2 or lower?

From /etc/dovecot/conf.d/10-ssl.conf

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
#ssl_min_protocol = TLSv1

What does Outlook support?

Highest is TLS version 1.2 for Outlook, including the 365 version.

That’s bonkers.

Well, that was unexpected. :wink: No Windows support until Server 2022!

Note

TLS 1.3 is supported starting in Windows 11 and Windows Server 2022. Enabling TLS 1.3 on earlier versions of Windows is not a safe system configuration.

That’s the OS, not Outlook 365.

OK. I’m finding posts on the Microsoft forum saying it still isn’t supported in Outlook in August 2024. Much easier to find posts saying why you shouldn’t use v1.2 and below. :frowning:

That’s Microsoft

To get full points on About the email test

I use these settings in postfix, to exclude anything below TLS 1.2, works fine in Outlook:

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

smtpd_tls_mandatory_ciphers = medium
smtp_tls_mandatory_ciphers = medium
tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM
tls_preempt_cipherlist = yes

tls_ssl_options = NO_COMPRESSION,NO_RENEGOTIATION
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking, silent-discard

also with dnssec and dane:

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

and then in dovecot:

ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
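An offline way to check what the Postfix and Dovecot settings quoted in this post (and the ssl_min_protocol line quoted earlier in the thread) actually allow, and whether a client whose newest version is TLS 1.2, as the thread reports for Outlook, can still connect. This is an added example written for this thread, not Virtualmin, Postfix or Dovecot code; the function names are my own, the sample values are the ones quoted above, and the live probe at the end is optional.

```python
"""Offline check of mail-server TLS policy against client capability.

Added example for this thread (not Virtualmin's, Postfix's or Dovecot's
own code): parses Postfix *_tls_protocols values and Dovecot's
ssl_min_protocol, works out which protocol versions a server would still
accept, and reports whether a client whose highest version is TLS 1.2
(Outlook, per the thread) can still connect.
"""
import socket
import ssl

# Protocol names in the order Postfix and Dovecot document them.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def postfix_allowed_protocols(value: str) -> set:
    """Protocols permitted by a Postfix *_tls_protocols value.

    Accepts the exclusion form ("!SSLv2, !SSLv3, ..."), the inclusion form
    ("TLSv1.2, TLSv1.3") and the ">=TLSv1.2" shorthand of Postfix 3.6+.
    Exclusions win over inclusions, as in Postfix.
    """
    tokens = value.replace(",", " ").split()
    if not tokens:
        return set(ORDER)
    if len(tokens) == 1 and tokens[0].startswith(">="):
        return set(ORDER[ORDER.index(tokens[0][2:]):])
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    allowed = included if included else set(ORDER)
    return allowed - excluded


def dovecot_allowed_protocols(min_protocol: str) -> set:
    """Protocols permitted by Dovecot's ssl_min_protocol (a floor)."""
    return set(ORDER[ORDER.index(min_protocol):])


def weakest_accepted(allowed: set) -> str:
    """Lowest protocol version the server would still negotiate."""
    return min(allowed, key=ORDER.index)


def client_can_connect(allowed: set, client_max: str) -> bool:
    """True if a client whose newest version is client_max shares at least
    one version with the server (clients are assumed to speak every version
    up to client_max)."""
    return any(ORDER.index(p) <= ORDER.index(client_max) for p in allowed)


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> bool:
    """Live check of your own server: does an implicit-TLS port (IMAPS 993,
    SMTPS 465) complete a handshake pinned to exactly one protocol version?
    Certificate checks are off because only version acceptance is measured;
    a handshake refused by the local OpenSSL security level (common for
    TLS 1.0/1.1 on current systems) also reports False."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    # Values taken from the config quoted in the thread.
    postfix = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
    dovecot = "TLSv1.2"
    outlook_max = "TLSv1.2"  # highest version Outlook speaks, per the thread
    for name, allowed in (("postfix", postfix_allowed_protocols(postfix)),
                          ("dovecot", dovecot_allowed_protocols(dovecot))):
        print(f"{name}: accepts {sorted(allowed, key=ORDER.index)}, "
              f"weakest {weakest_accepted(allowed)}, "
              f"Outlook ok: {client_can_connect(allowed, outlook_max)}")
    # A TLS 1.3-only floor, as the thread reads the PCI page, locks Outlook out.
    print("dovecot TLSv1.3 floor, Outlook ok:",
          client_can_connect(dovecot_allowed_protocols("TLSv1.3"), outlook_max))
```

Running the script prints that both quoted configurations accept TLS 1.2 and 1.3 with nothing weaker, so Outlook still connects, while a TLSv1.3 floor does not. For a live confirmation against your own host, call probe_version("mail.example.com", 993, ssl.TLSVersion.TLSv1_2) and the same with TLSv1_1; the probe only covers implicit-TLS ports, since STARTTLS on 143 or 587 needs the IMAP/SMTP STARTTLS exchange first, which this example does not implement.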

No expert but V1.2 looks unsafe from a quick search. The question is do you want to open up a machine that requires PCI compliance to a known vulnerability because of Outlook? The risks are yours to evaluate and base your personal decisions on.

The risk would be to the clients using older standards. Newer/better mail clients can negotiate a TLS 1.3 connection.

Depends on the cipher.

I think we will migrate to 1.3 fully eventually, but especially for mail it makes sense to keep compatibility.

In the end you would still want to let in mail that is poorly or not encrypted.

If it is really sensitive I think PGP is probably a good option or SMIME.

For people like me who sell hosting, won’t the settings on

cause a lot of issues, seeing that a high percentage of clients are using Outlook 365.

Also why is a Payment Card Industry standard a big issue in IMAP?

Maybe a warning on that page like they do on the cpanel docs.

Is PCI compliance required for email services if you aren’t sending any cardholder data via email (which I’m sure isn’t recommended in any case…) or are you running email services on a web server which is handling cardholder data?

Yeah, I have no idea why that doc covers email.

@Ilia do you know where the email stuff in the PCI compliance doc comes from? I don’t recall seeing email covered in PCI requirements.

@Joe, Email services like Postfix or Dovecot are indirectly covered under PCI DSS requirements if they store, process, or connect to systems handling cardholder data.

Since we can’t be certain whether the user’s server will handle cardholder data, I included it just to be safe.

@inteq pointed out a potential problem. I’d at least mention that in the docs and let the user figure out the implications. At least they won’t be caught by surprise.

Yeah, I think we just need to provide a warning that Outlook and maybe some other mail clients will not work with TLS 1.3.

Microsoft Outlook appears to be the only one not supporting TLS 1.3. Mozilla Thunderbird and Apple Mail have supported it since 2020.

The note has been added:
