On Mon, Sep 5, 2011 at 12:07 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 9/5/2011 10:50 AM, Michael B Allen wrote:
>> On Fri, Sep 2, 2011 at 10:19 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>>> On 9/2/2011 2:17 PM, Michael B Allen wrote:
>>>> My objectives are not driven by or based on logic. They are based on
>>>> the requirements of a consortium of credit card companies and banks.
>>>
>>> Do they require you to offer STARTTLS on port 25?
>>
>> My understanding is that PCI compliance requires only that the machine
>> processing cardholder data pass a vulnerability scan with no CVE
>> vulnerabilities of level 4 or higher. So the presence of SSLv2 in
>> general is considered a vulnerability. PCI says nothing of what can be
>> running on a machine or what ports they use.
>
> So the obvious solution is to disable opportunistic STARTTLS on port
> 25 until your next upgrade.
Hi Noel,

I tried that and I immediately got a call from a customer saying they
got a "STARTTLS" error trying to send me a mail. And they also tried
Yahoo mail which I guess doesn't use encryption either (which is
slightly surprising actually). So it seems there are quite a few people
out there still sending plaintext mail.

> Or separate your mail and https servers to different IP addresses so
> it's "not the same server".

This was actually my first thought. But I think in practice juggling
two servers that each handle some requirements will not necessarily be
easier than juggling one that handles all of the requirements.

Mike
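The two Postfix configurations the thread is weighing, written out as an added illustration (this is not configuration from the thread, nor text from the Postfix documentation). It assumes a Postfix release of 2.6 or later, which is where the smtpd_tls_protocols parameter appeared; on an older release only the port-25 switch-off that Noel describes is available, which is why it is shown as the fallback. The submission service line is the usual master.cf shape and is included so that the port-25 change does not also strip TLS from authenticated clients.

```conf
# main.cf: keep opportunistic STARTTLS on port 25 but refuse SSLv2, so a
# PCI scanner no longer sees the protocol offered (Postfix 2.6 or later;
# assumed here to be the "next upgrade" the thread mentions).
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2

# main.cf fallback for an older Postfix without smtpd_tls_protocols:
# turn STARTTLS off on port 25 entirely, as suggested in the thread.
# Remote MTAs that insist on STARTTLS (like the customer's) will then
# fail with a STARTTLS error, which is the trade-off Mike reports.
# smtpd_tls_security_level = none

# master.cf: if port 25 is set to "none", keep TLS (and SASL) for your
# own clients on the submission port via per-service overrides, so the
# loss of encryption is limited to server-to-server traffic on port 25.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
```

After either change, `postconf -n` shows the effective values and `postfix reload` applies them; the STARTTLS advertisement on port 25 can then be confirmed from the EHLO response, which is what the customer's MTA was checking before it gave up.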