Tom,

You can't require it with your version. You need to upgrade and then hack the registry if you want to do this:

   http://support.ipswitch.com/kb/IM-20071231-JH01.htm

The real issue, however, is when an E-mail client sends in plain-text. Just because you accept plain-text authentication doesn't mean that anyone is using it. If they use it, it isn't your server leaking this data, it is the E-mail client.

These compliance companies sometimes assume things like that everyone is using Exchange and not a standards-compliant E-mail server.

BTW, you should upgrade anyway because there is more of a threat of 8.x being hacked than there is of someone's password being compromised through sniffing.

Matt



Welch, Tom wrote:
I am currently scanning all of my servers, including my IMail server, for PCI compliance. In the report I am failing PCI compliance because of 2 IMail issues dealing with plaintext authentication on SMTP and POP3. Here is what they say about SMTP:

THREAT:
Your Mail Server responds to the EHLO command which implies that it uses the ESMTP protocol. ESMTP uses the AUTH command which indicates an authentication mechanism to the server. If the server supports the requested authentication mechanism, it performs an authentication protocol exchange to authenticate and identify the user. Optionally, it also negotiates a security layer for subsequent protocol interactions. Your server accepts PLAIN or LOGIN as one of the AUTH parameters. The authentication credentials are transmitted in plaintext over the network and no encryption is performed.

IMPACT:
Malicious users could obtain mail server credentials by sniffing the traffic. This can allow unauthorized users to use the mail server as an open mail relay. It may also lead to compromise of account credentials that can be used to access other mail services like POP3 and IMAP.

SOLUTION:
Disable the plaintext authentication methods on your SMTP server for unencrypted (non-SSL/TLS) sessions. You may consider using more advanced challenge-based authentication methods like CRAM-MD5 or DIGEST-MD5. Please contact your vendor for configuration information. Also check RFC 2554 and RFC 2487 for more details.
RESULT:
EHLO qualysguard.com
250-nt8.aaos.org says hello
250-SIZE 0
250-8BITMIME
250-DSN
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-AUTH LOGIN
250-AUTH=LOGIN
250 EXPN
How do I correct this situation? I think I need to make the AUTH= be CRAM instead of LOGIN, but am unsure of how to accomplish this.

Thanks, Tom Welch

To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html
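The scanner's finding boils down to one thing: what the server advertises on the AUTH line of its EHLO reply before any STARTTLS. The following is an added example (not from the thread, IMail, or Ipswitch) that parses an EHLO reply the way a compliance scanner does, folding the RFC 2554 "AUTH LOGIN ..." line and the legacy "AUTH=LOGIN" line into one set, and reports whether PLAIN or LOGIN is offered on the clear-text session. The sample reply is constructed from the banner Tom quoted; the hostname and the probe helper are assumptions for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the EHLO reply quoted in the scan report above (not captured live).
SAMPLE_EHLO = """250-nt8.aaos.org says hello
250-SIZE 0
250-8BITMIME
250-DSN
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-AUTH LOGIN
250-AUTH=LOGIN
250 EXPN"""

# SASL mechanisms that carry the password as-is; base64 is encoding, not encryption.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Matches "250-KEYWORD params", "250 KEYWORD" and the legacy "250-AUTH=mech" form.
_EHLO_LINE = re.compile(r"250[ -](\S+?)(?:[ =](.*))?$")

def parse_ehlo(reply: str) -> Dict[str, Set[str]]:
    """Collect ESMTP keywords and their parameters from a multi-line 250 reply.
    Every AUTH line (RFC 2554 "AUTH LOGIN ..." and pre-standard "AUTH=LOGIN")
    is folded into one AUTH entry, because clients act on either form."""
    features: Dict[str, Set[str]] = {}
    for line in reply.strip().splitlines()[1:]:   # line 0 is the greeting
        m = _EHLO_LINE.match(line.strip())
        if not m:
            continue
        keyword, params = m.group(1).upper(), (m.group(2) or "").upper().split()
        features.setdefault(keyword, set()).update(params)
    return features

def plaintext_auth_exposed(reply: str) -> List[str]:
    """Plaintext mechanisms the server advertises on this (pre-STARTTLS) EHLO.
    An empty list is what the scanner wants to see on an unencrypted session."""
    return sorted(PLAINTEXT_MECHS & parse_ehlo(reply).get("AUTH", set()))

def starttls_offered(reply: str) -> bool:
    """True when the server lets the client upgrade to TLS before authenticating."""
    return "STARTTLS" in parse_ehlo(reply)

def probe(host: str, port: int = 25) -> List[str]:
    """Run the same check against your own server: EHLO only, no login attempt."""
    import smtplib
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _code, msg = smtp.ehlo()   # msg: reply lines without the '250-' prefix
        lines = msg.decode("ascii", errors="replace").splitlines()
        return plaintext_auth_exposed("\n".join("250-" + l for l in lines))
```

For the quoted banner this reports LOGIN as exposed and no STARTTLS; a server that advertises STARTTLS and only CRAM-MD5 before the TLS upgrade reports an empty list.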


