Rocco, I am glad your mail server is now PCI compliant :-)

However, as I mentioned earlier, I am not convinced that the PCI DSS are a general security reference by the "international community" except for organisations that process card data such as banks and card merchants. And it does not mean that folks who, for other reasons, have implemented any of what PCI says are in compliance with them.

--
Hari

On 11/29/09 2:18 PM, IT-Doc24 Ltd. - Rocco Radisch wrote:-
> Hari,
> I forgot to comment about the other extract.
>
> I might have misunderstood your comment about the IETF. It often happens when talking about security matters that a 'head in the sand' mentality shows up. "Is it a standard? Is it necessary? Does it influence my set-up?" That is why I tried to explain the point of hiding version information. After revising your comment, I can now see your issue about the reference to the PCI recommendations.
> It might not be of concern to Ugandan industry yet. Processing of payment/credit card data in on-line applications is not common in Uganda at the moment. But the international industry has picked up on the matter, and that not only because of the security issues but also because of business logic.
> They can sell and distinguish from other products by implementing the PCI DSS recommendations into their applications or as a standard configuration of their products. The value-added service is that it is easier for the end user to pass a compliance test without in-depth alteration of the configuration or application. That is a convincing selling point. Even web hosting control panels such as Plesk, ISPConfig, LxAdmin, cPanel, etc. start to implement those recommendations into the standard "server" settings or at least as options. Or open source on-line shop software. Or if you look at the changes in a standard configured php.ini file of different Linux distributions over the years.
> So even if it's not an internet standard, the PCI DSS recommendations have gained importance in the industry. E.g. the redpepper.ug website is not processing credit card information (I suppose), yet the http server's version information is hidden in the http request header. That is in accordance with the PCI recommendations even though it wouldn't be necessary. That could be due to the provider's standard configuration policy.
>
> Best regards,
> Rocco
>
> Hari Kurup wrote:
>> Rocco,
>>
>> My point was not about the merits or demerits of hiding version info, but about the reference to "PCI" that you gave. If it is a commonly referenced security standard, I must have been living under a rock because I had never heard of it till today.
>>
>> While we are at it, why does your own mail server disclose version info?
>>
>> 220-server.it-doc24.com ESMTP Exim 4.69
>>
>> --
>> Hari
>>
>> On 11/28/09 1:39 PM, IT-Doc24 Ltd. - Rocco Radisch wrote:-
>>> That is right. It's not an internet standard but a commonly used security standard. Not only for the payment card industry but also for web/internet server/services security audits, amongst some other security "recommendations". E.g. in case the website would process credit card information.
>>> Whether it's a must or not, a standard or a recommendation, just go by logic. Do you want to hand out (disclose) the version information of a running service? Indicating which vulnerabilities the service has? Believing the banner, Postfix 2.3.3 was released in Aug/Oct 2006 .......
>>>
>>> Hari Kurup wrote:
>>>> On 11/28/09 12:21 PM, IT-Doc24 Ltd. - Rocco Radisch wrote:-
>>>>>>> (the version information should be cut out, called banner, it's against PCI recommendation)
>>>>>>>
>>>>> https://www.pcisecuritystandards.org/
>>>>>
>>>> right, so PCI stands for "Payment Card Industry"
>>>> They make standards that apply "to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands"
>>>> (ref: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard)
>>>>
>>>> As they don't make internet standards (that is the work of the IETF), I don't see why you would rely on their recommendations unless you are one of the said organisations.
>>>>
>>>> --
>>>> Hari

_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including attachments if any). The List's Host is not responsible for them in any way.
---------------------------------------
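The banner disclosure argued over in this thread, checked mechanically: an added example (not code from any of the posters) that classifies SMTP 220 greetings and HTTP Server headers by how much they reveal, so a mail or web admin can audit their own greeting before and after trimming it (Postfix `smtpd_banner`, Apache `ServerTokens`). Apart from the Exim banner quoted above, all sample lines and hostnames are constructed, and the regexes are a heuristic, not a PCI DSS test.

```python
import re

# Sample greeting lines: the Exim banner quoted in the thread plus constructed
# SMTP 220 greetings and HTTP Server headers, the leaky and the trimmed form of each.
SAMPLE_BANNERS = [
    "220-server.it-doc24.com ESMTP Exim 4.69",      # quoted in the thread
    "220 mail.example.com ESMTP Postfix (2.3.3)",    # constructed: default-style banner
    "220 mail.example.com ESMTP",                     # constructed: smtpd_banner trimmed
    "220 192.0.2.10 ESMTP",                           # constructed: an address, not a version
    "Server: Apache/2.2.14 (Ubuntu)",                 # constructed: ServerTokens OS
    "Server: Apache",                                 # constructed: ServerTokens Prod
]

# Software names commonly found in SMTP and HTTP greetings.
PRODUCT_RE = re.compile(r"\b(Exim|Postfix|Sendmail|Apache|nginx|Microsoft-IIS)\b", re.I)
# Dotted numbers such as 4.69, 2.3.3 or 2.2.14; dotted-quad addresses are filtered below.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")

def is_ipv4(token):
    parts = token.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def banner_disclosure(line):
    """Classify one banner line: 'version' if a version number is exposed,
    'product' if only the software name is, 'none' if neither."""
    product = PRODUCT_RE.search(line)
    versions = [v for v in VERSION_RE.findall(line) if not is_ipv4(v)]
    if versions:
        return {"level": "version", "product": product.group(1) if product else None,
                "version": versions[0]}
    if product:
        return {"level": "product", "product": product.group(1), "version": None}
    return {"level": "none", "product": None, "version": None}

def audit(lines):
    """Return (line, finding) pairs for every banner that exposes a version number."""
    return [(l, f) for l in lines for f in [banner_disclosure(l)] if f["level"] == "version"]

if __name__ == "__main__":
    for line, finding in audit(SAMPLE_BANNERS):
        print(f"{finding['product'] or '?'} {finding['version']}: {line}")
```

Feed it the first line of `nc mailhost 25` or the `Server:` header from `curl -I` to check a host you administer; the trimmed forms should come back as 'product' or 'none'.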
