On 05/14/2013 05:05 PM, Viktor Dukhovni wrote:
> Don't listen to brainless auditors wielding checklists.

Unfortunately you have to. They may be wrong but you're not going to pass PCI compliance scans unless you jump through their stupid hoops. I recommend that you don't put your MTA on the same server that you run your ecommerce apps on anyways, then you don't have to worry about passing PCI scans on the MTA.

As for this particular issue, I believe you can work around it to the satisfaction of the auditors by disabling any CBC ciphers. You can use the command "openssl ciphers" for a list, and then set smtpd_tls_exclude_ciphers to any that have CBC in the name. No need to worry about smtp ciphers as the scanner can't detect those anyways.


Peter
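An added example, not from this thread and not Postfix's or OpenSSL's own tooling, of building the smtpd_tls_exclude_ciphers value Peter describes. It goes slightly beyond his "CBC in the name" rule: in OpenSSL's suite names only the DES, 3DES and IDEA suites carry the literal string CBC, while AES128-SHA and similar suites are CBC-mode as well. The script therefore reads `openssl ciphers -v` output and classifies by the Enc= field (AES, 3DES, DES, CAMELLIA, SEED and IDEA there are CBC-mode; AESGCM, RC4 and AEAD entries are not). The embedded sample lines are constructed for the demo, not captured from a real host; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the postfix-users thread): derive a Postfix
# smtpd_tls_exclude_ciphers value that drops every CBC-mode suite.

# Constructed sample of `openssl ciphers -v` output (not a real capture).
# Field 1 is the suite name, the Enc= field names the bulk cipher; plain
# AES(n)/3DES(n)/DES(n) etc. are CBC-mode, AESGCM(n) and RC4(n) are not.
SAMPLE_VERBOSE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD'

# cbc_ciphers: read `openssl ciphers -v` lines on stdin and print the names
# of the CBC-mode suites, one per line. Matching on the Enc= field catches
# AES128-SHA-style names that do not contain the string "CBC".
cbc_ciphers() {
    awk '$0 ~ /Enc=(AES|3DES|DES|CAMELLIA|SEED|IDEA)[(]/ { print $1 }'
}

# exclude_list: join the CBC suite names with commas, the list form that
# Postfix accepts for smtpd_tls_exclude_ciphers (comma or space separated).
exclude_list() {
    cbc_ciphers | awk 'BEGIN { sep = "" }
                       { printf "%s%s", sep, $1; sep = "," }
                       END { if (NR) print "" }'
}

# postfix_exclude_line: print a ready-to-paste main.cf line for this host,
# using the real OpenSSL cipher list (ALL = every suite the library knows).
postfix_exclude_line() {
    printf 'smtpd_tls_exclude_ciphers = %s\n' "$(openssl ciphers -v ALL | exclude_list)"
}

# Demo: run against the constructed sample, and against the local OpenSSL
# when one is installed.
printf 'sample -> smtpd_tls_exclude_ciphers = %s\n' \
    "$(printf '%s\n' "$SAMPLE_VERBOSE" | exclude_list)"
if command -v openssl >/dev/null 2>&1; then
    postfix_exclude_line
fi
```

After putting the line in main.cf, check what is left with `openssl ciphers -v` minus the excluded names: on an OpenSSL release without TLS 1.2 (the 0.9.8 line), removing every CBC suite leaves only RC4, since the GCM suites arrived with TLS 1.2 support in 1.0.1.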
