On 18 March 2010 21:57, Jonathan Tripathy <jon...@abpni.co.uk> wrote:
> Any ideas on how to set up an "SMTP Proxy Server" to attain PCI Compliance?
> I literally need postfix to just pass through mail to our ISP's smtp server.
> We would then set outlook to use this local smtp proxy server.

I work for a hosting company, we find it's usually an iterative
process. This particular question hasn't come up yet (for an SMTP
server), but it'd go something like this:

1. Customer needs certification for a contract, so they hire a company
to perform a PCI audit scan
2. The scan finds "problems", so they come to us with the report,
which says how to fix the problems
3. We read the report, and find things like "server exposes its
hostname in the greeting banner", or "server appears to allow the use
of the VRFY command".
4. We sigh, then go through the motions to "fix" the "problems".
Sometimes the problem descriptions are hopelessly vague, like "this
system /may/ be vulnerable to a known buffer overflow", and the system
is fully patched and up to date. Can't do much about these, so we tell
our customer to take it up with the auditor.
5. Rinse and repeat until all perceived problems are fixed, and/or the
customer stops hassling. :)

So, my apologies that this doesn't really answer your question. If you
need compliance certification then you'll need an audit anyway, at
which point you find out what the requirements are.

It's not trivial to simply look up the requirements, because...
PCI-DSS doesn't actually cover specific implementation details. It's
sufficiently vague (probably by design) so that'll it'll stay relevant
as time goes on, and so that current best practices are followed. Have
a look at the PCI spec, it's only half a meg in PDF:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Page 4 is a summary of what you really need to know. Page 6 mentions
segmentation to reduce the scope of what needs to comply - this is
your best bet (if feasible) to sidestep compliance for your mail
server. If you enjoy some light humour, we've elaborated on the
aforementioned process a little:
http://www.anchor.com.au/blog/2008/12/saas-security-scanning-as-a-service/

> I'm not entirly sure if a "relay" server is good here, as how would that
> handle bounced mail??

Indeed, you want to avoid more relays if you can, both for
administration and compliance reasons. Bounced mail isn't so bad, so
long as there's a return path to the sender's mailbox. A naive example
of how this might work:

Sending: outlook -> workstation -> PCI-compliant relay -> ISP's SMTP
server -> recipient
*it bounces because the recipient's mailbox is full*
Recipient -> MX lookup -> Your incoming SMTP server (maybe this is at
your ISP) -> The sender's mailbox -> Picked up by outlook

Reply via email to