I am currently scanning all of my servers, including my IMail server, for PCI compliance. In the report I am failing PCI compliance because of 2 IMail issues dealing with plaintext authentication on SMTP and POP3. Here is what they say about SMTP:

THREAT: Your Mail Server responds to the EHLO command, which implies that it uses the ESMTP protocol. ESMTP uses the AUTH command, which indicates an authentication mechanism to the server. If the server supports the requested authentication mechanism, it performs an authentication protocol exchange to authenticate and identify the user. Optionally, it also negotiates a security layer for subsequent protocol interactions. Your server accepts PLAIN or LOGIN as one of the AUTH parameters. The authentication credentials are transmitted in plaintext over the network and no encryption is performed.

IMPACT: Malicious users could obtain mail server credentials by sniffing the traffic. This can allow unauthorized users to use the mail server as an open mail relay. It may also lead to compromise of account credentials that can be used to access other mail services like POP3 and IMAP.

SOLUTION: Disable the plaintext authentication methods on your SMTP server for unencrypted (non-SSL/TLS) sessions. You may consider using more advanced challenge-based authentication methods like CRAM-MD5 or DIGEST-MD5. Please contact your vendor for configuration information. Also check RFC 2554 and RFC 2487 for more details.

RESULT:
  EHLO qualysguard.com
  250-nt8.aaos.org says hello
  250-SIZE 0
  250-8BITMIME
  250-DSN
  250-ETRN
  250-AUTH LOGIN CRAM-MD5
  250-AUTH LOGIN
  250-AUTH=LOGIN
  250 EXPN

How do I correct this situation? I think I need to make the AUTH= be CRAM instead of LOGIN, but am unsure of how to accomplish this.

Thanks,
Tom Welch

To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html
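The check the scanner is performing can be reproduced locally, which is useful for confirming a fix before the next PCI scan. The following is an added example written for this page, not code from the post, from Ipswitch, or from the scanner vendor. It parses an EHLO reply, collects every advertised AUTH mechanism (both the "AUTH LOGIN CRAM-MD5" form and the legacy "AUTH=LOGIN" form that appear in the report), and flags PLAIN and LOGIN only when the session has not been upgraded with STARTTLS. The sample replies are constructed: SAMPLE_EHLO is reassembled from the EHLO output quoted in the report, and HARDENED_EHLO is a hypothetical reply from a server that has been corrected. All function names are this example's own; the mail.example.invalid hostname is a placeholder.

```python
"""Added example (not from the IMail forum post): parse an SMTP EHLO reply and
flag plaintext AUTH mechanisms (PLAIN, LOGIN) advertised on a session that has
not been upgraded with STARTTLS, which is the condition the scanner reports.
Sample replies below are constructed; function names are this example's own."""
import smtplib

# Mechanisms that transmit the credential itself. LOGIN and PLAIN only base64
# encode it, which is not encryption, so a sniffer recovers it directly.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample: the EHLO reply quoted in the scanner report, one line each.
SAMPLE_EHLO = """250-nt8.aaos.org says hello
250-SIZE 0
250-8BITMIME
250-DSN
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-AUTH LOGIN
250-AUTH=LOGIN
250 EXPN"""

# Constructed sample (hypothetical): what a corrected server could advertise on
# an unencrypted session: STARTTLS offered, only a challenge mechanism for AUTH.
HARDENED_EHLO = """250-mail.example.invalid says hello
250-STARTTLS
250-AUTH CRAM-MD5
250 OK"""


def parse_ehlo(reply):
    """Return {'auth': set of advertised SASL mechanisms, 'starttls': bool}.

    Handles the RFC 2554 form "AUTH LOGIN CRAM-MD5" (which may be repeated over
    several 250- lines) and the legacy "AUTH=LOGIN" form seen in the report.
    """
    mechs = set()
    starttls = False
    for raw in reply.splitlines():
        line = raw.strip()
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop the "250-" or "250 " prefix
        if not body:
            continue
        if body.upper().startswith("AUTH="):
            mechs.update(body[5:].upper().split())
            continue
        keyword, _, params = body.partition(" ")
        keyword = keyword.upper()
        if keyword == "AUTH":
            mechs.update(params.upper().split())
        elif keyword == "STARTTLS":
            starttls = True
    return {"auth": mechs, "starttls": starttls}


def flag_plaintext(mechs, session_encrypted=False):
    """Return the mechanisms that would leak credentials on this session.

    An empty set means the check passes. On a TLS-protected session PLAIN and
    LOGIN ride inside the encrypted channel, so nothing is flagged there.
    """
    if session_encrypted:
        return set()
    return set(m.upper() for m in mechs) & PLAINTEXT_MECHS


def plaintext_auth_offered(reply, session_encrypted=False):
    """Convenience wrapper: parse a raw EHLO reply and flag it."""
    return flag_plaintext(parse_ehlo(reply)["auth"], session_encrypted)


def check_live(host, port=25, timeout=10):
    """Reproduce the scanner's check against a real server (needs network access).

    Returns (flagged_before_tls, flagged_after_tls). The second value is None
    when the server does not offer STARTTLS at all. smtplib fills
    esmtp_features from the EHLO reply, merging repeated AUTH lines and the
    AUTH= form, so it is used here instead of re-parsing the raw text.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError("EHLO rejected: %d %s" % (code, msg.decode(errors="replace")))
        before = flag_plaintext(smtp.esmtp_features.get("auth", "").split())
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()                  # capabilities are re-advertised after TLS
            after = flag_plaintext(smtp.esmtp_features.get("auth", "").split(),
                                   session_encrypted=True)
    return before, after


if __name__ == "__main__":
    print("report sample flags:", sorted(plaintext_auth_offered(SAMPLE_EHLO)))
    print("hardened sample flags:", sorted(plaintext_auth_offered(HARDENED_EHLO)))
```

Run against the quoted reply, the parser sees LOGIN advertised three times over and no STARTTLS, so LOGIN is flagged; the hypothetical hardened reply passes because only CRAM-MD5 is offered before the TLS upgrade. The script only reproduces the check; how to change what IMail advertises is, as the report itself says, a vendor configuration question.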
