On 9/5/2011 11:19 AM, Michael B Allen wrote:
> On Mon, Sep 5, 2011 at 12:07 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>> On 9/5/2011 10:50 AM, Michael B Allen wrote:
>>> On Fri, Sep 2, 2011 at 10:19 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>>>> On 9/2/2011 2:17 PM, Michael B Allen wrote:
>>>>> My objectives are not driven by or based on logic. They are based on
>>>>> the requirements of a consortium of credit card companies and banks.
>>>>
>>>> Do they require you to offer STARTTLS on port 25?
>>>
>>> My understanding is that PCI compliance requires only that the machine
>>> processing cardholder data pass a vulnerability scan with no CVE
>>> vulnerabilities of level 4 or higher. So the presence of SSLv2 in
>>> general is considered a vulnerability. PCI says nothing of what can be
>>> running on a machine or what ports they use.
>>
>> So the obvious solution is to disable opportunistic STARTTLS on port
>> 25 until your next upgrade.
>
> Hi Noel,
>
> I tried that and I immediately got a call from a customer saying they
> got a "STARTTLS" error trying to send me a mail. And they also tried
> Yahoo mail which I guess doesn't use encryption either (which is
> slightly surprising actually). So it seems there are quite a few
> people out there still sending plaintext mail.
Get your users to configure their mailer to send to either port 587/submission or the legacy 465/smtps, and configure postfix for mandatory encryption on those ports. This is good practice regardless of PCI requirements.

>
>> Or separate your mail and https servers to different IP addresses so
>> it's "not the same server".
>
> This was actually my first thought. But I think in practice juggling
> two servers that each handle some requirements will not necessarily
> be easier than juggling one that handles all of the requirements.

One server; configure apache to listen on a different IP.

-- 
Noel Jones
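The configuration Noel describes, written out as an added example (this is not from the original thread or from the Postfix or Apache projects): submission (587) and smtps (465) as separate Postfix services with mandatory TLS and SASL, port 25 left at the opportunistic default, SSLv2 excluded everywhere, and Apache bound to a second address so the scanner no longer sees the web server and the MTA on the same IP. The certificate paths, the 192.0.2.x addresses and the hostname are placeholders; the "!SSLv2" protocol syntax assumes Postfix 2.5 or later, and smtpd_tls_protocols assumes 2.6 or later.

```conf
# --- /etc/postfix/master.cf (relevant lines only) ---
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       -       -       -       smtpd
# Port 25 keeps the main.cf default (opportunistic STARTTLS), so plaintext
# senders are still accepted. Mail clients do not use this port.
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# --- /etc/postfix/main.cf (relevant lines only) ---
# Placeholder certificate paths; substitute your own.
smtpd_tls_cert_file = /etc/postfix/mail.example.com.crt
smtpd_tls_key_file  = /etc/postfix/mail.example.com.key
# Opportunistic on port 25; the submission/smtps services override this
# to "encrypt" (587) and wrapper mode (465) above.
smtpd_tls_security_level = may
# Refuse SSLv2 in both opportunistic and mandatory modes, which is what
# the PCI scanner is flagging.
smtpd_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_received_header = yes

# --- /etc/apache2/ports.conf (or httpd.conf) ---
# The MTA listens on 192.0.2.10; the web server on 192.0.2.11 (placeholder
# documentation addresses). Replace the bare "Listen 443".
Listen 192.0.2.11:443
```

After `postfix reload`, confirm the override took effect with `postconf -n | grep tls` for main.cf and a manual session on each port: `openssl s_client -connect mail.example.com:587 -starttls smtp` should negotiate TLS and the banner after STARTTLS should show "250-AUTH"; the same command against port 25 must still succeed in plaintext so the customer who called does not get the STARTTLS error again. Restart Apache and check with `netstat -lnt` (or `ss -lnt`) that 443 is bound only to the second address.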