Discussion:
PCI compliance woes
Jonathan N. Little
2016-07-24 05:44:25 UTC
I have just three niggling fails with my mailserver. Ubuntu 14.04,
OpenSSL 1.0.2g-fips, Postfix v3.1.0, Dovecot 2.2.22.

(1 & 2) Weak Encryption Algorithms on ports 25 and 587. Listed evidence
TLSv1_1 : AECDH-AES256-SHA
TLSv1_1 : AECDH-AES128-SHA
TLSv1_2 : AECDH-AES256-SHA
TLSv1_2 : AECDH-AES128-SHA

main.cf
...
# disable banned protocols for PCI DSS 3.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
# mandatory high-grade ciphers
smtpd_tls_mandatory_ciphers = high
# enforce the server cipher preference
tls_preempt_cipherlist = yes
# disable the following ciphers
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL

What am I missing?

(3) Unencrypted Communication Channel Accessibility, port 25
evidence: Plaintext communication is allowed without a TLS connection

This is the server-to-server connection; can you require TLS and still get
incoming email? I'm getting a bit confused because I thought I read that not
all servers support it, and I do not want to prevent receiving email from
others.
--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
d***@gmail.com
2016-07-24 09:24:35 UTC
Post by Jonathan N. Little
I have just three niggling fails with my mailserver. Ubuntu 14.04,
OpenSSL 1.0.2g-fips, Postfix v3.1.0, Dovecot 2.2.22.
<snip>
Hi

1 & 2: Disable the insecure algorithm.
3: Enable STARTTLS on port 25, which permits starting in plain text and then switching to TLS mode.

Regards
Victor
Jonathan N. Little
2016-07-24 12:21:41 UTC
Post by d***@gmail.com
<snip>
1 & 2: Disable the insecure algorithm.
Hi Victor:

I am just not sure of the syntax, do I just need to add '!AECDH' to my
'*_exclude_ciphers' settings?
Post by d***@gmail.com
3: Enable STARTTLS on port 25, which permits starting in plain text and then switching to TLS mode.
Is this the answer to my problem and a bit of my confusion:

<http://serverfault.com/questions/661545/certificate-on-port-25-when-trying-to-secure-smtp-with-postfix#answer-662893>

I need to add options for 'smtp' in master.cf
-o smtpd_tls_auth_only=yes
-o smtpd_sasl_auth_enable=no
-o smtpd_tls_security_level=none

to modify for just port 25?
--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
Jonathan N. Little
2016-07-24 14:27:03 UTC
Post by Jonathan N. Little
<snip>
I am just not sure of the syntax, do I just need to add '!AECDH' to my
'*_exclude_ciphers' settings?
Post by d***@gmail.com
3: Enable STARTTLS on port 25, which permits starting in plain text and then
switching to TLS mode.
<http://serverfault.com/questions/661545/certificate-on-port-25-when-trying-to-secure-smtp-with-postfix#answer-662893>
I need to add options for 'smtp' in master.cf
-o smtpd_tls_auth_only=yes
-o smtpd_sasl_auth_enable=no
-o smtpd_tls_security_level=none
to modify for just port 25?
Also noticed when I disable TLSv1.0 I start having trouble receiving
mail from some commercial servers, like this one newegg.com where I buy
a lot of hardware:


Jul 24 10:06:33 lws-u1604 postfix/smtpd[25070]: connect from
mta.email.newegg.com[199.122.125.136]
Jul 24 10:06:33 lws-u1604 postfix/smtpd[25070]: SSL_accept error from
mta.email.newegg.com[199.122.125.136]: -1
Jul 24 10:06:33 lws-u1604 postfix/smtpd[25070]: warning: TLS library
problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol:s23_srvr.c:640:
Jul 24 10:06:33 lws-u1604 postfix/smtpd[25070]: lost connection after
STARTTLS from mta.email.newegg.com[199.122.125.136]
Jul 24 10:06:33 lws-u1604 postfix/smtpd[25070]: disconnect from
mta.email.newegg.com[199.122.125.136] ehlo=1 starttls=0/1 commands=1/2

Is this error really the misconfigured #3 STARTTLS on 25, or is it some
problem with my cipher suite settings?
--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
Jonathan N. Little
2016-07-26 14:52:54 UTC
Post by Jonathan N. Little
Also noticed when I disable TLSv1.0 I start having trouble receiving
mail from some commercial servers, like this one newegg.com where I buy
And I fixed this by removing TLSv1 from the exclusion and adding it back in
the master.cf under submission. That way I am not using TLSv1.0 on
MUA=>MSA, where I control the client, but allowing it for MTA=>MTA, where
I do not have control over other servers, temporarily. This is a
remediation exception for PCI compliance until 2018, when it becomes
MANDATORY. Hopefully the rest of the mailservers out there will be
upgraded by then.
--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
Jonathan N. Little
2016-07-26 14:59:37 UTC
Post by Jonathan N. Little
Post by d***@gmail.com
Post by Jonathan N. Little
I have just three niggling fails with my mailserver. Ubuntu 14.04,
OpenSSL 1.0.2g-fips, Postfix v3.1.0, Dovecot 2.2.22.
<snip>
Post by Jonathan N. Little
Post by d***@gmail.com
3: Enable STARTTLS on port 25, which permits starting in plain text and then
switching to TLS mode.
<http://serverfault.com/questions/661545/certificate-on-port-25-when-trying-to-secure-smtp-with-postfix#answer-662893>
I need to add options for 'smtp' in master.cf
-o smtpd_tls_auth_only=yes
-o smtpd_sasl_auth_enable=no
-o smtpd_tls_security_level=none
to modify for just port 25?
This one I am still stuck on: port 25 'Unencrypted Communication Channel
Accessibility', with evidence:

$ telnet 107.xxx.xxx.75 25
Trying 107.xxx.xxx.75...
Connected to 107.xxx.xxx.75.
Escape character is '^]'.
220 mail.littleworksstudio.com
EHLO 107.xxx.xxx.75
250-mail.littleworksstudio.com
250-PIPELINING
250-SIZE 40960000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: ***@trustwave.com
250 2.1.0 Ok

Okay, maybe I do not understand the issue. How do I fix this?
--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
Burkhard Ott
2016-07-28 04:53:13 UTC
Post by Jonathan N. Little
250-STARTTLS
SMTP is plain text and you offer STARTTLS; if a client wants to speak
TLS, he can. If not, it stays plain text.

cheers
Jonathan N. Little
2016-07-28 05:11:53 UTC
Post by Burkhard Ott
Post by Jonathan N. Little
250-STARTTLS
SMTP is plain text and you offer STARTTLS; if a client wants to speak
TLS, he can. If not, it stays plain text.
cheers
My problem is with TrustWave ASV: to REQUIRE STARTTLS for all
transport is in opposition to RFC 3207, "This rule prevents the STARTTLS
extension from damaging the interoperability of the Internet's SMTP
infrastructure."
--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
Burkhard Ott
2016-07-31 16:36:47 UTC
Post by Jonathan N. Little
Post by Burkhard Ott
Post by Jonathan N. Little
250-STARTTLS
SMTP is plain text and you offer STARTTLS; if a client wants to speak
TLS, he can. If not, it stays plain text.
cheers
My problem is with TrustWave ASV: to REQUIRE STARTTLS for all
transport is in opposition to RFC 3207, "This rule prevents the STARTTLS
extension from damaging the interoperability of the Internet's SMTP
infrastructure."
Then there is no problem; you offer STARTTLS in your SMTP dialog.
I was dealing with the PCI idiots for a few years. I especially love the
automated scans: you simply block the IPs of their scan servers in your
firewall and you become fully PCI compliant.
So don't take them too seriously; it's a new cash cow, nothing else.
As long as you implement good security measures for your payment
services, you are in good shape.

Back to your OP: the rule just says that you need to disable plain-text
authentication. If that's the case, 'smtpd_tls_auth_only = yes' is what
you are looking for. If a client connects and sends AUTH, Postfix closes
the connection; if the client sends STARTTLS (establishes the SSL
connection successfully) and then sends AUTH, Postfix passes it to your
configured auth mechanism (I suppose SASL).

So I think that is what they and you are looking for.
Let me know if that is what you need.

cheers
Jonathan N. Little
2016-07-31 20:39:09 UTC
Post by Burkhard Ott
Post by Jonathan N. Little
Post by Burkhard Ott
Post by Jonathan N. Little
250-STARTTLS
SMTP is plain text and you offer STARTTLS; if a client wants to speak
TLS, he can. If not, it stays plain text.
cheers
My problem is with TrustWave ASV: to REQUIRE STARTTLS for all
transport is in opposition to RFC 3207, "This rule prevents the STARTTLS
extension from damaging the interoperability of the Internet's SMTP
infrastructure."
Then there is no problem; you offer STARTTLS in your SMTP dialog.
I was dealing with the PCI idiots for a few years. I especially love the
automated scans: you simply block the IPs of their scan servers in your
firewall and you become fully PCI compliant.
So don't take them too seriously; it's a new cash cow, nothing else.
As long as you implement good security measures for your payment
services, you are in good shape.
Ah, that's a good idea!

After a long and frustrating "dialog": unlike the other ASV
company that I have had to deal with, with TrustWave you cannot actually
talk to a scan tech. You have to have a
script-reading call-center associate act as your intermediary.
Post by Burkhard Ott
Back to your OP: the rule just says that you need to disable plain-text
authentication. If that's the case, 'smtpd_tls_auth_only = yes' is what
you are looking for.
Which I have.

postconf | grep smtpd_tls_auth_only
smtpd_tls_auth_only = yes
Post by Burkhard Ott
If a client connects and sends auth, postfix closes
the connection,
Which it does and I demonstrated in my communication with them:

### Port 25 does not allow AUTH; MUAs must use submission, where TLS is
### required
# so no credentials compromised
#
#
telnet mail.littleworksstudio.com 25
Trying 107.170.132.75...
Connected to mail.littleworksstudio.com.
Escape character is '^]'.
220 mail.littleworksstudio.com
ehlo mail.littleworksstudio.com
250-mail.littleworksstudio.com
250-PIPELINING
250-SIZE 40960000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth
503 5.5.1 Error: authentication not enabled

But I am not sure I have the server close the connection, though; not sure
how to do that.
Post by Burkhard Ott
if the client sends STARTTLS (establishes the SSL
connection successfully) and then sends AUTH, Postfix passes it to
your configured auth mechanism (I suppose SASL).
Using Dovecot for sasl:

postconf | grep smtpd_sasl_type
smtpd_sasl_type = dovecot

postconf | grep smtpd_sasl_auth_enable
smtpd_sasl_auth_enable = yes

postconf | grep "^smtpd_relay_restrictions"
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination

Should that be 'reject_unauth_destination'? The default was
'defer_unauth_destination'. What I don't want is to block clients and
companies from being able to send me email...
Post by Burkhard Ott
So I think that is what they and you are looking for. Let me know if
that is what you need.
I have to share with you TrustWave's response, which has given me a
30-day reprieve until my next scan:

<quote>
Dear Sir,

I have contacted a few Scan Analysts and they have agreed to the one
remediation for now.

Because the issue and I quote ''was sort of dropped on us unexpectedly,
and has caused issues'', you may re-dispute the port 25 by adding this
case number only:

#36673732: JONATHAN LITTLE - 39010

i was told that when the Scanning Analysts will see this information,
they shall approve the dispute.
...
</quote>

It is not that I do not want a secure server, I just cannot afford to
break it for the sake of perceived "security". There have been some dramatic
changes in the wild and with Postfix v2.x to v3.x. Just wondering how
others are dealing with it?

Is there some version 3.1 basic example config with PCI DSS in mind?
--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
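The port 25 versus 587 behaviour argued over in the last few posts, as an added example that is not part of the thread and is not Postfix code: a small Python state machine for an smtpd service carrying the settings in question (smtpd_tls_security_level, smtpd_tls_auth_only, smtpd_sasl_auth_enable, and a per-service smtpd_tls_protocols override of the kind set with -o in master.cf) and the commands a scanner, a legacy MTA and an MUA would send to it. The reply strings are the ones Postfix gives under these conditions (the 503 appears in the telnet transcript above); the host name, client names and the AUTH credential are invented. The layout of the two services mirrors the remediation Jonathan describes: TLSv1 left on for MTA-to-MTA traffic on port 25, submission TLS-only with TLSv1 off.

```python
"""Toy model of a port-25 smtpd (opportunistic TLS) and a submission smtpd
(mandatory TLS).  Added example; not Postfix code.  Reply strings are the
ones Postfix emits under these conditions; names and credentials are made up."""

PROTOCOL_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


class SmtpdService:
    """One master.cf smtpd entry with the main.cf / -o settings that matter here."""

    def __init__(self, name, tls_security_level, tls_protocols_excluded,
                 tls_auth_only=True, sasl_auth_enable=True):
        assert tls_security_level in ("may", "encrypt")
        self.name = name
        self.level = tls_security_level                # smtpd_tls_security_level
        self.allowed_versions = {v for v in PROTOCOL_VERSIONS
                                 if v not in tls_protocols_excluded}  # smtpd_tls_protocols
        self.tls_auth_only = tls_auth_only             # smtpd_tls_auth_only
        self.sasl_auth_enable = sasl_auth_enable       # smtpd_sasl_auth_enable


class Session:
    """Server side of one connection; transcript lines are tagged S (server), C (client), * (event)."""

    def __init__(self, service, client_versions):
        self.svc = service
        self.client_versions = set(client_versions)    # versions the client can offer
        self.tls_active = False
        self.closed = False
        self.transcript = [("S", "220 mail.example.test ESMTP Postfix")]

    def auth_permitted(self):
        # AUTH is offered only when SASL is on and, with tls_auth_only, TLS is up.
        return self.svc.sasl_auth_enable and (self.tls_active or not self.svc.tls_auth_only)

    def send(self, command):
        self.transcript.append(("C", command))
        verb = command.split(None, 1)[0].upper()
        note = None
        if verb == "EHLO":
            reply = ["250-mail.example.test", "250-PIPELINING"]
            if not self.tls_active:
                reply.append("250-STARTTLS")
            if self.auth_permitted():
                reply.append("250-AUTH PLAIN LOGIN")
            reply.append("250 DSN")
        elif verb == "STARTTLS":
            if self.tls_active:
                reply = ["554 5.5.1 Error: TLS already active"]
            else:
                reply = ["220 2.0.0 Ready to start TLS"]
                # The handshake runs after the 220 and succeeds only if the
                # client offers a version this service still enables.
                if self.client_versions & self.svc.allowed_versions:
                    self.tls_active = True
                    note = "TLS handshake completed"
                else:
                    self.closed = True
                    note = "SSL_accept error; lost connection after STARTTLS"
        elif verb == "AUTH":
            reply = (["235 2.7.0 Authentication successful"] if self.auth_permitted()
                     else ["503 5.5.1 Error: authentication not enabled"])
        elif verb in ("MAIL", "RCPT"):
            if self.svc.level == "encrypt" and not self.tls_active:
                reply = ["530 5.7.0 Must issue a STARTTLS command first"]
            else:
                reply = ["250 2.1.0 Ok" if verb == "MAIL" else "250 2.1.5 Ok"]
        elif verb == "QUIT":
            self.closed = True
            reply = ["221 2.0.0 Bye"]
        else:
            reply = ["502 5.5.2 Error: command not recognized"]
        self.transcript.extend(("S", line) for line in reply)
        if note:
            self.transcript.append(("*", note))
        return reply


def run(service, client_versions, commands):
    """Drive one session; stops when the server drops the connection."""
    s = Session(service, client_versions)
    for cmd in commands:
        if s.closed:
            break
        s.send(cmd)
    return s.transcript


def reply_code(transcript, verb):
    """Three-digit code of the server's first reply to the given command verb, or None."""
    for i, (who, line) in enumerate(transcript):
        if who == "C" and line.upper().startswith(verb.upper()):
            return next(l[:3] for w, l in transcript[i + 1:] if w == "S")
    return None


# Remediated layout from the thread: port 25 keeps TLSv1 for legacy MTAs and
# refuses AUTH without TLS; submission is TLS-only and drops TLSv1 via -o.
SMTP_25 = SmtpdService("smtp (25)", "may", {"SSLv2", "SSLv3"})
SUBMISSION_587 = SmtpdService("submission (587)", "encrypt", {"SSLv2", "SSLv3", "TLSv1"})

if __name__ == "__main__":
    scenarios = [
        ("scanner, plaintext on 25", SMTP_25, {"TLSv1.2"},
         ["EHLO scanner.example", "AUTH PLAIN AGpvZQBzZWNyZXQ=", "MAIL FROM:<scan@example.test>"]),
        ("MUA, plaintext on 587", SUBMISSION_587, {"TLSv1.2"},
         ["EHLO mua.example", "MAIL FROM:<joe@example.test>"]),
        ("legacy MTA (TLSv1 only) on 587", SUBMISSION_587, {"TLSv1"},
         ["EHLO legacy.example", "STARTTLS", "MAIL FROM:<news@example.test>"]),
        ("legacy MTA (TLSv1 only) on 25", SMTP_25, {"TLSv1"},
         ["EHLO legacy.example", "STARTTLS", "MAIL FROM:<news@example.test>"]),
    ]
    for title, svc, versions, cmds in scenarios:
        print(f"--- {title}")
        for who, line in run(svc, versions, cmds):
            print(f"{who} {line}")
```

The first scenario is exactly the scanner's "evidence": EHLO and MAIL FROM are accepted in the clear on port 25, which is what RFC 3207 requires of an MX, while AUTH gets the 503 because smtpd_tls_auth_only is on. The third scenario reproduces the newegg-style failure when TLSv1 is excluded on a service that an old MTA talks to; the fourth shows why leaving TLSv1 on port 25 but not on submission keeps that mail flowing without exposing MUA credentials to it.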
Jonathan N. Little
2016-07-26 14:44:53 UTC
Post by Jonathan N. Little
(1 & 2) Weak Encryption Algorithms on ports 25 and 587. Listed evidence
TLSv1_1 : AECDH-AES256-SHA
TLSv1_1 : AECDH-AES128-SHA
TLSv1_2 : AECDH-AES256-SHA
TLSv1_2 : AECDH-AES128-SHA
<snip>
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP,
3DES, eNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES,
eNULL
What am I missing?
Okay I fixed this, needed to add aNULL to the list.
--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
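The cipher-list finding from (1 & 2) and its fix, as an added example that is not from the thread, from Postfix or from OpenSSL: a Python script that parses `openssl ciphers -v` style output (the sample below is constructed to match that format, not captured from the poster's server) and reports which suites an ASV scanner would call weak yet survive a given Postfix *_exclude_ciphers value. It encodes what each exclusion token means in OpenSSL terms, which is what makes the original problem visible: ADH only covers anonymous DH, the AECDH-* suites are anonymous ECDH, and aNULL covers both. The token semantics are this script's reading of the OpenSSL aliases, not OpenSSL's parser; PSD in the original list is not an OpenSSL alias (PSK was presumably meant) and is treated here as matching nothing.

```python
"""Audit an OpenSSL cipher list the way an ASV scanner does and check which
Postfix *_exclude_ciphers tokens actually remove each weak suite.

Added example, not from the original thread or from Postfix/OpenSSL.
SAMPLE_CIPHERS_V is constructed to look like `openssl ciphers -v` output;
pipe real output in on stdin to audit a live list.
"""
import re
import sys

SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
"""

CIPHER_V_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")

# What each exclusion token (Postfix passes it to OpenSSL as "!TOKEN") selects,
# expressed on the parsed Kx/Au/Enc/Mac fields.  aNULL is every suite without
# server authentication; ADH and AECDH are each just one family of those.
TOKEN_MATCHERS = {
    "aNULL": lambda s: s["au"] == "None",
    "ADH":   lambda s: s["kx"] == "DH" and s["au"] == "None",
    "AECDH": lambda s: s["kx"] == "ECDH" and s["au"] == "None",
    "eNULL": lambda s: s["enc"] == "None",
    "MD5":   lambda s: s["mac"] == "MD5",
    "RC4":   lambda s: s["enc"].startswith("RC4"),
    "3DES":  lambda s: s["enc"].startswith("3DES"),
    "DES":   lambda s: s["enc"].startswith("DES("),   # single DES, not 3DES
    "SRP":   lambda s: s["kx"] == "SRP",
    "PSK":   lambda s: "PSK" in s["kx"] or s["au"] == "PSK",
}


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into dicts with name/proto/kx/au/enc/mac."""
    matches = (CIPHER_V_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def weak_reasons(s):
    """Why a scanner would flag this suite; empty list means acceptable."""
    checks = [
        (s["au"] == "None", "anonymous key exchange, no server authentication"),
        (s["enc"] == "None", "null encryption"),
        (s["enc"].startswith("RC4"), "RC4"),
        (s["enc"].startswith("3DES"), "3DES"),
        (s["enc"].startswith("DES("), "single DES"),
        (s["mac"] == "MD5", "MD5 MAC"),
    ]
    return [why for hit, why in checks if hit]


def excluded_by(s, tokens):
    """Exclusion tokens that remove this suite; an unknown token such as 'PSD' matches nothing."""
    return {t for t in tokens if t in TOKEN_MATCHERS and TOKEN_MATCHERS[t](s)}


def uncovered_weak(text, exclude_setting):
    """Weak suites that survive a Postfix *_exclude_ciphers value, in list order."""
    tokens = exclude_setting.replace(",", " ").split()
    return [(s["name"], weak_reasons(s)) for s in parse_ciphers_v(text)
            if weak_reasons(s) and not excluded_by(s, tokens)]


if __name__ == "__main__":
    text = SAMPLE_CIPHERS_V if sys.stdin.isatty() else sys.stdin.read()
    for setting in ("MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL",
                    "MD5, DES, aNULL, RC4, PSK, SRP, 3DES, eNULL"):
        left = uncovered_weak(text, setting)
        print(f"exclude = {setting}\n  still offered: {left or 'nothing weak'}")
```

With the exclusion list from the original post, the only weak suites left standing are the two AECDH ones the scanner reported; adding aNULL clears them, which matches the fix above. The same check can be pointed at a real server by feeding it `openssl ciphers -v` on the cipherlist Postfix builds, which is the quickest way to confirm a change before the next ASV scan.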