SOLVED PCI Compliance and Dovecot

I’m running into some issues with Dovecot and PCI Compliance.

Specs
CentOS release 6.3 (Final)
dovecot --version
2.0.9
Virtualmin 3.97

Below is the result of the scan:

Security Warning found on port/service “imap (143/tcp)”

Fail (This must be resolved for your device to be compliant).
Plugin “SSL Anonymous Cipher Suites Supported”
Synopsis The remote service supports the use of anonymous SSL ciphers.

Security Warning found on port/service “pop3 (110/tcp)”
Plugin
“SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability”
Synopsis
It may be possible to obtain sensitive information from the remote
host with SSL/TLS-enabled services.

Security Warning found on port/service “imap (143/tcp)”

Fail (This must be resolved for your device to be compliant).
Plugin “SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability”
Synopsis It may be possible to obtain sensitive information from the remote
host with SSL/TLS-enabled services.

What I have now.

ssl_cipher_list = ALL:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}

I’ve also tried with these flags

#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl = required
#ssl_cipher_list = HIGH:!SSLv2:!aNULL:!MD5!DES:!3DES
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

And still no go. Any suggestions? This is driving me crazy as I only need these 3 to pass.

Thanks in advance!

Hi,

You can read about how to become PCI compliant by visiting:

http://www.virtualmin.com/documentation/security/pci

If you have any questions not covered in that documentation, please feel free to post here.

Best Regards, Peter Knowles TPN Solutions

E: pknowles@tpnsolutions.com
P: 604-782-9342
W: http://www.tpnsolutions.com

Thanks for the reply.

I have followed those instructions already, and still seem to fail.

Hi,

Check out this post, and see if it helps:

http://jasonbrown.us/blog/disable_weak_cipher_dovecot

Best Regards, Peter Knowles TPN Solutions

E: pknowles@tpnsolutions.com
P: 604-782-9342
W: http://www.tpnsolutions.com

Thanks, but I also had already tried that.

I was able to get it to work with

ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!aNULL

The only one left is:
Security Warning found on port/service “pop3 (110/tcp)”

“SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability”

Now I’m having issues with Dovecot, the same issue as above.

This is what I’ve tried.

#PCI COMPLIANCE
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!aNULL
#ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
ssl_cipher_list = HIGH:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA:+TLSv1:+SSLv3:!SSLv2

# SSL ciphers to use

#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!aNULL
#ssl_cipher_list = HIGH:MEDIUM:ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

#ssl_cipher_list = HIGH:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA:+TLSv1:+SSLv3

I was finally able to get a pass.

This is what I had in my Dovecot conf.

ssl_cipher_list = HIGH:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA:+TLSv1:+SSLv3:!SSLv2:+TLSv1.1:+TLSv1.2
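Added example, not code from this thread, Dovecot or Virtualmin: a small Python check that expands a candidate ssl_cipher_list value with the same OpenSSL cipher-string parser Dovecot hands the setting to, lists any anonymous (aNULL) suites that would still be offered, and reports tokens that match nothing on the local OpenSSL build, which OpenSSL silently ignores. The two cipher strings in it are constructed, shortened copies of values posted above.

```python
import ssl

# Constructed, shortened copies of two ssl_cipher_list values posted above:
# the first failed the scan, the second cleared the anonymous-cipher finding.
ORIGINAL_LIST = "ALL:!LOW:!MEDIUM:!MD5:!SSL2"
FIXED_LIST = "HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!aNULL"


def expand_cipher_list(cipher_string):
    """Expand a cipher string with the OpenSSL parser Dovecot hands it to.
    Returns the suites OpenSSL would offer (TLS 1.3 suites included, since
    OpenSSL adds them regardless); raises ssl.SSLError if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def is_anonymous(cipher):
    """True for suites with no server authentication (the aNULL group)."""
    return (cipher.get("auth") == "auth-null"
            or "Au=None" in cipher.get("description", ""))


def dead_tokens(cipher_string):
    """Tokens matching no suite on this OpenSSL build. OpenSSL silently skips
    them, so a misspelt token such as '!SSL2' removes nothing."""
    dead = []
    for token in cipher_string.split(":"):
        name = token.lstrip("!+-")
        if not name or name.startswith("@"):   # '@STRENGTH' etc. are directives
            continue
        try:
            expand_cipher_list(name)
        except ssl.SSLError:
            dead.append(token)
    return dead


def audit(cipher_string):
    """Summarise what a candidate ssl_cipher_list value really offers."""
    suites = expand_cipher_list(cipher_string)
    return {
        "offered": [c["name"] for c in suites],
        "anonymous": [c["name"] for c in suites if is_anonymous(c)],
        "dead_tokens": dead_tokens(cipher_string),
    }
```

Run it on the host that runs Dovecot, since the result depends on the local OpenSSL build. The TLSv1, SSLv3 and TLSv1.2 tokens in an OpenSSL cipher string select cipher suites by the protocol that introduced them; they do not enable or disable protocol versions, which later Dovecot releases control with the separate ssl_protocols / ssl_min_protocol settings.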