I'm pulling my hair out with this one. I need to make the server PCI
compliant and we are still failing the test because we accept SSLv2
connections. I'm running Postfix 2.5.1 on a Fedora machine, and here is
my postconf:
$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = mail.network.com, localhost, localhost.localdomain
myhostname = mail.network.com
mynetworks = 127.0.0.0/8, 192.168.0.0/24
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $local_recipient_maps $mydestination
$virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
$virtual_mailbox_domains $relay_recipient_maps $relay_domains
$canonical_maps $sender_canonical_maps $recipient_canonical_maps
$relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.1/README_FILES
receive_override_options = no_address_mappings
sample_directory = /usr/share/doc/postfix-2.5.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/mail.network.com.crt
smtpd_tls_key_file = /etc/postfix/ssl/mail.network.com.key
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
unknown_local_recipient_reject_code = 450
virtual_alias_domains =
virtual_alias_maps =
proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
Now I know I posted the other day about disabling SSLv2, but if I add
the "smtpd_tls_security_level = encrypt" line to my config, I can no
longer receive mail from outside sources (Gmail, Yahoo, etc.). So while
it does disable SSLv2 connections, it does not allow outside email to
come in.
For anyone who has done PCI compliance in the past: am I going to have
to have two email servers, one to accept incoming email and one that is
fully encrypted for the actual email store?
Thanks for any tips!
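An added example, not the poster's configuration: the usual way to satisfy a scanner that flags SSLv2 without losing inbound mail is to keep one Postfix instance but give port 25 and the submission port different TLS policies. Port 25 is a public MX, and remote MTAs such as Gmail or Yahoo cannot be forced to use TLS, so it stays opportunistic (`may`); the authenticated submission service on port 587 is where `encrypt` belongs. The protocol version is then controlled separately from whether TLS is required. The weak lines from the posted `postconf -n` are shown first, commented out, followed by the corrected settings. Assumptions: the hostname and certificate paths are the ones from the post; everything else is the editor's. The `!` exclusion syntax for `smtpd_tls_mandatory_protocols` needs Postfix 2.5 or later, and `smtpd_tls_protocols`, which governs opportunistic sessions, exists only in Postfix 2.6 or later, which the posted 2.5.1 predates. SSLv3 is excluded as well, since PCI DSS no longer accepts any SSL version.

```conf
# ---- main.cf: weak lines from the posted postconf -n (kept here as comments) ----
# smtpd_use_tls = yes                         obsolete; superseded by smtpd_tls_security_level
# smtpd_tls_mandatory_protocols = SSLv3, TLSv1
#                                             an inclusion list, and it applies only to
#                                             mandatory (encrypt) sessions, not to opportunistic ones
# smtpd_tls_security_level = encrypt          on port 25 this refuses every sender that does not
#                                             STARTTLS, which is why outside mail stopped arriving

# ---- main.cf: corrected settings (added example, not the poster's config) ----
smtpd_tls_cert_file = /etc/postfix/ssl/mail.network.com.crt
smtpd_tls_key_file  = /etc/postfix/ssl/mail.network.com.key

# Port 25 is a public MX: offer TLS, never require it.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

# Protocol policy for mandatory (encrypt) sessions; "!" exclusion syntax needs Postfix >= 2.5.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Protocol policy for opportunistic (may) sessions; this parameter needs Postfix >= 2.6.
smtpd_tls_protocols = !SSLv2, !SSLv3

# Cipher policy: no anonymous, null, export-grade or low-strength suites.
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, LOW, MD5

# Same policy for outbound (client-side) sessions to other MTAs.
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

# ---- master.cf: a second smtpd service where TLS and SASL are mandatory ----
# (-o values must contain no whitespace; separate list items with commas only)
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, check each port with `openssl s_client -starttls smtp -connect mail.network.com:25` (and `:587`) and read the `Protocol` line of the handshake summary; on 25 a plain `EHLO` without `STARTTLS` must still be accepted, on 587 `MAIL FROM` before `STARTTLS` must be refused. Current OpenSSL builds no longer speak SSLv2 at all, so to reproduce the scanner's own finding you need the scanner or an old OpenSSL that still has the `-ssl2` option. The answer to the "two servers" question is therefore no: two `smtpd` services in one `master.cf`, with different `-o` overrides, are what separate the public MX policy from the mandatory-TLS policy.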