Re: STARTTLS and PCI requirements

2020-01-02 Thread Jaroslaw Rafa
On 2.01.2020 at 20:09:41, Eero Volotinen writes:
>
> Anyway, it's insane to receive PANs (credit card numbers) via email. Stop
> doing that.
Sending this type of information via e-mail is acceptable only when the e-mail is E2E encrypted (e.g. using PGP). Don't rely on transport level encrypt

Re: STARTTLS and PCI requirements

2020-01-02 Thread James B. Byrne
On Thu, January 2, 2020 13:16, Viktor Dukhovni wrote:
>
> What protocol versions do you have enabled? More likely the issue is
> that you've disabled TLS 1.0.
>
You are correct. Disabling TLSv1, as we were instructed to do by the PCI DSS audit, is the root cause of the problem. This has been

Re: STARTTLS and PCI requirements (postfix-3.3.4)

2020-01-02 Thread Viktor Dukhovni
On Thu, Jan 02, 2020 at 01:02:51PM -0500, James B. Byrne wrote:
> The following are the settings in main.cf that have been changed
> followed by the commented (#) default values:
>
> postconf -n | grep smtp | grep tls
Whatever you did to post this, thoroughly mangled the output, but amidst the c

Re: STARTTLS and PCI requirements

2020-01-02 Thread Viktor Dukhovni
On Thu, Jan 02, 2020 at 12:55:54PM -0500, James B. Byrne wrote:
> > Don't use mail to transport payment data, so PCI is not applicable.
>
> This advice is not helpful. It is not what we are sending but rather
> what we are receiving. We have no control over the information that
> our clients se

Re: STARTTLS and PCI requirements

2020-01-02 Thread Viktor Dukhovni
On Thu, Jan 02, 2020 at 06:35:17PM +0100, Bastian Blank wrote:
> On Thu, Jan 02, 2020 at 12:16:33PM -0500, James B. Byrne wrote:
> > Our revised cipher list is:
>
> Don't, as long as you don't enforce encryption as well.
> Don't use mail to transport payment data, so PCI is not applicable.
The ab

Re: STARTTLS and PCI requirements (postfix-3.3.4)

2020-01-02 Thread Eero Volotinen
smtpd_tls_security_level = may

With this, the Postfix SMTP server announces STARTTLS support to remote SMTP clients, but does not require that clients use TLS encryption.

Looks like there is plain text still enabled in your sys

Re: STARTTLS and PCI requirements (postfix-3.3.4)

2020-01-02 Thread James B. Byrne
The following are the settings in main.cf that have been changed followed by the commented (#) default values:

postconf mail_version
mail_version = 3.3.4

postconf -n | grep smtp | grep tls
smtp_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt
#smtp_tl

Re: STARTTLS and PCI requirements

2020-01-02 Thread Eero Volotinen
You can't force encryption on SMTP, or your system fails with clients without SSL enabled.

Anyway, it's insane to receive PANs (credit card numbers) via email. Stop doing that.

Eero

On Thu, Jan 2, 2020 at 8:05 PM James B. Byrne wrote:
>
>
> On Thu, January 2, 2020 12:35, Bastian Blank wrote:
>

Re: STARTTLS and PCI requirements

2020-01-02 Thread James B. Byrne
On Thu, January 2, 2020 12:35, Bastian Blank wrote:
> On Thu, Jan 02, 2020 at 12:16:33PM -0500, James B. Byrne wrote:
>> We recently were forced by our PCI compliance audit to change our
>> permissible ciphers. I speculate that this is the source of our
>> problem. Our revised cipher list is:

Re: STARTTLS and PCI requirements

2020-01-02 Thread Bastian Blank
On Thu, Jan 02, 2020 at 12:16:33PM -0500, James B. Byrne wrote:
> We recently were forced by our PCI compliance audit to change our
> permissible ciphers. I speculate that this is the source of our
> problem. Our revised cipher list is:
Don't, as long as you don't enforce encryption as well.
>
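
The point made in Bastian's reply here, and in Eero's explanation of smtpd_tls_security_level = may above, is that tightening the protocol and cipher list while still accepting cleartext buys nothing: a peer that cannot meet the stricter handshake either retries without STARTTLS or stops delivering. The following Python check is an added example, not code from the thread or from the Postfix project. It parses a constructed "postconf -n" excerpt (parameter names and their meanings are Postfix's own, from postconf(5); the defaults assumed in the code are those of the 3.3 release) and reports the weak combination beside a corrected one that puts the strict settings on the mandatory parameters, which only apply where TLS is actually enforced.

```python
"""Check a 'postconf -n' dump for the opportunistic-TLS trap discussed in the thread.

Added example; not code from the thread or the Postfix project. The two
postconf excerpts are constructed. Parameter names and their meaning are
Postfix's (postconf(5)):
  smtpd_tls_security_level = may      STARTTLS offered, cleartext still accepted
  smtpd_tls_security_level = encrypt  STARTTLS required, cleartext refused
  smtpd_tls_protocols / smtpd_tls_ciphers             used at level "may"
  smtpd_tls_mandatory_protocols / _mandatory_ciphers  used at "encrypt" and up
"""
import re

# Constructed: auditor-driven settings applied to the *opportunistic* knobs
# while plaintext is still accepted. This is the combination the thread warns about.
WEAK_POSTCONF = """\
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium
"""

# Constructed: opportunistic knobs left at Postfix's permissive defaults (the
# alternative to an old TLS version here is cleartext, not a stronger handshake);
# the strict versions go on the mandatory knobs, which only bite where TLS is
# actually enforced (e.g. a submission service running at level "encrypt").
CORRECTED_POSTCONF = """\
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
"""

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_postconf(text):
    """'name = value' lines (postconf -n output) -> dict."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def excluded_protocols(value):
    """Protocol names switched off in a '!SSLv2, !TLSv1' style list."""
    return {tok[1:] for tok in re.split(r"[,\s]+", value) if tok.startswith("!")}


def audit_smtpd_tls(params):
    """Return findings (strings) about the smtpd TLS settings; [] means coherent."""
    findings = []
    level = params.get("smtpd_tls_security_level", "none")
    # Defaults as documented for Postfix 3.3 (assumption if your release differs).
    opp_excluded = excluded_protocols(params.get("smtpd_tls_protocols", "!SSLv2, !SSLv3"))
    opp_ciphers = params.get("smtpd_tls_ciphers", "medium")
    if level == "none":
        findings.append("smtpd_tls_security_level=none: STARTTLS is not offered at all")
    elif level == "may":
        beyond_ssl = sorted(opp_excluded - {"SSLv2", "SSLv3"})
        if beyond_ssl:
            findings.append(
                "level=may but smtpd_tls_protocols disables %s: a peer limited to those "
                "versions fails SSL_accept and either retries in cleartext or gives up; "
                "nothing is gained, move the restriction to smtpd_tls_mandatory_protocols"
                % ", ".join(beyond_ssl))
        if opp_ciphers == "high":
            findings.append(
                "level=may but smtpd_tls_ciphers=high: same TLS-or-cleartext trade for "
                "older peers; restrict smtpd_tls_mandatory_ciphers instead")
    else:
        findings.append(
            "level=%s: peers that cannot do STARTTLS are refused; fine for a submission "
            "service, fatal for a public MX that must accept mail from arbitrary senders"
            % level)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POSTCONF), ("corrected", CORRECTED_POSTCONF)):
        print(name, audit_smtpd_tls(parse_postconf(text)) or ["ok"])
```

Run it against real output with "postconf -n > main.txt" and feed the file to parse_postconf; the check is deliberately limited to the smtpd (inbound) side, since that is where the SSL_accept errors in this thread come from.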

STARTTLS and PCI requirements

2020-01-02 Thread James B. Byrne
We have logged this problem with some of our e-mail correspondents:

Jan 2 11:32:20 mx31 postfix-p25/smtpd[55167]: connect from rockmx03.rockwool.com[195.191.109.227]
Jan 2 11:32:20 mx31 postfix-p25/smtpd[55167]: SSL_accept error from rockmx03.rockwool.com[195.191.109.227]: -1
Jan 2 11:32:20 mx3
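
Before (or after) disabling TLSv1 the way the audit required, the practical question is which correspondents only speak the old versions, and whether their mail still arrives in cleartext or stops arriving at all. The script below is an added example, not code from the post: it walks smtpd log lines keyed by process id so that each accepted message is attributed to the TLS state of the session it arrived in. The log lines are constructed to mimic the formats Postfix smtpd writes (connect, SSL_accept error, TLS connection established, queue-id client=, disconnect); the hostnames, addresses and the OpenSSL error text are illustrative, not taken from the post.

```python
"""Per-host TLS outcome summary from Postfix smtpd(8) log lines.

Added example, not code from the post. SAMPLE_LOG is constructed to mimic the
message formats smtpd writes; hosts/addresses (RFC 5737 ranges) and the
OpenSSL warning text are illustrative.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan  2 11:32:20 mx31 postfix-p25/smtpd[55167]: connect from oldmx.example.com[192.0.2.10]
Jan  2 11:32:20 mx31 postfix-p25/smtpd[55167]: SSL_accept error from oldmx.example.com[192.0.2.10]: -1
Jan  2 11:32:20 mx31 postfix-p25/smtpd[55167]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1661:
Jan  2 11:32:20 mx31 postfix-p25/smtpd[55167]: lost connection after STARTTLS from oldmx.example.com[192.0.2.10]
Jan  2 11:32:20 mx31 postfix-p25/smtpd[55167]: disconnect from oldmx.example.com[192.0.2.10] ehlo=1 starttls=1 commands=2
Jan  2 11:47:03 mx31 postfix-p25/smtpd[55201]: connect from oldmx.example.com[192.0.2.10]
Jan  2 11:47:03 mx31 postfix-p25/smtpd[55201]: 4B2F31C0A1: client=oldmx.example.com[192.0.2.10]
Jan  2 11:47:04 mx31 postfix-p25/smtpd[55201]: disconnect from oldmx.example.com[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan  2 11:50:11 mx31 postfix-p25/smtpd[55230]: connect from mail.example.net[198.51.100.7]
Jan  2 11:50:11 mx31 postfix-p25/smtpd[55230]: Anonymous TLS connection established from mail.example.net[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  2 11:50:12 mx31 postfix-p25/smtpd[55230]: 7C9D01C0B4: client=mail.example.net[198.51.100.7]
Jan  2 11:50:12 mx31 postfix-p25/smtpd[55230]: disconnect from mail.example.net[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan  2 12:05:40 mx31 postfix-p25/smtpd[55288]: connect from legacy.example.org[203.0.113.5]
Jan  2 12:05:40 mx31 postfix-p25/smtpd[55288]: SSL_accept error from legacy.example.org[203.0.113.5]: -1
Jan  2 12:05:40 mx31 postfix-p25/smtpd[55288]: lost connection after STARTTLS from legacy.example.org[203.0.113.5]
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
HOST_RE = re.compile(r"from (?P<host>\S+?\[[^\]]+\])")
TLS_RE = re.compile(r"TLS connection established from (?P<host>\S+?\[[^\]]+\]): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
CLIENT_RE = re.compile(r"^[0-9A-F]+: client=(?P<host>\S+?\[[^\]]+\])")


def new_stats():
    return {"handshake_failures": 0, "tls_versions": {}, "tls_messages": 0, "cleartext_messages": 0}


def summarise(log_text):
    """One pass over the log; smtpd pid identifies the session so a message
    accepted later in it is counted as TLS or cleartext correctly."""
    hosts = defaultdict(new_stats)
    session_proto = {}  # pid -> protocol negotiated in the current session, else None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            session_proto[pid] = None
            continue
        t = TLS_RE.search(msg)
        if t:
            session_proto[pid] = t.group("proto")
            versions = hosts[t.group("host")]["tls_versions"]
            versions[t.group("proto")] = versions.get(t.group("proto"), 0) + 1
            continue
        if msg.startswith("SSL_accept error from "):
            h = HOST_RE.search(msg)
            if h:
                hosts[h.group("host")]["handshake_failures"] += 1
            continue
        c = CLIENT_RE.match(msg)
        if c:
            key = "tls_messages" if session_proto.get(pid) else "cleartext_messages"
            hosts[c.group("host")][key] += 1
            continue
        if msg.startswith(("disconnect from ", "lost connection after ")):
            session_proto.pop(pid, None)
    return dict(hosts)


def classify(summary):
    """Bucket hosts the way an admin needs them after tightening TLS settings.
    'no_mail_received' means none within the log window; the peer may still retry."""
    groups = {"fell_back_to_cleartext": [], "no_mail_received": [], "tls_ok": []}
    for host, s in sorted(summary.items()):
        if s["tls_messages"]:
            groups["tls_ok"].append(host)
        elif s["handshake_failures"] and s["cleartext_messages"]:
            groups["fell_back_to_cleartext"].append(host)
        elif s["handshake_failures"]:
            groups["no_mail_received"].append(host)
    return groups


if __name__ == "__main__":
    for bucket, members in classify(summarise(SAMPLE_LOG)).items():
        print("%-24s %s" % (bucket, ", ".join(members) or "-"))
```

Run the same summary over a few days of logs before disabling a protocol version: the tls_versions counts tell you which senders would land in the two failure buckets, and the cleartext bucket shows that for an opportunistic MX the realistic outcome of a stricter handshake is unencrypted delivery rather than a stronger one.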