PCI Vulnerability: SMTP unencrypted


#1

Hello Forum Friends,

I’m new to passing PCI Compliance and have the following situation.
I’ve searched our settings and don’t see where to change this to make it secure. Please share with me what I am missing. Thank you.

IP Address(es):
208.113.252.162
Port: 587, 25
Vulnerability:
SMTP credentials transmitted unencrypted
The server supports authentication methods where credentials are sent in plaintext over unencrypted channels. If an attacker can intercept traffic between a client and this server, the credentials would be exposed.

Website host says:
This can be disputed. Your email is not hosted on this server and you
have no reason to send sensitive information through those ports. The
SMTP service is only used to send emails generated by your site.

PCI support says:
These ports are part of the scan target that you provided (IP 208.113.252.162) so the finding will need to be addressed. The transmission of cleartext credentials is a violation of PCI DSS section 2.2.2 & 8.4. You need to switch to an encrypted protocol for passing login credentials.

Has anyone experienced this and have a fix that I can do?

Thank you - Kimberly


#2

You should open a ticket. Support can help with PCI compliance issues.


#3

Yes, my ticket is two days old with no reply from support yet :(
So, I was hoping the forum may assist and I could fix it myself. Thank you.

-Kimberly


#4

You may need to move to vps or greater where you have more complete control.


#5

— Thank you LakeRat. I would be open to doing that if it would fix the issue.
Look, the support ticket is over 8 business days old. Is this type of support time typical in your experience, or do I have a particularly difficult issue? I would love a response from support today. —

Chip Lewis 08/03/2015 11:20:48 AM This vulnerability is due to the passing of login credentials unencrypted, not the email itself. A telnet to port 25 at 208.113.252.162 confirms that plaintext login is allowed.

MS User 07/30/2015 05:17:10 PM All email on this domain is only being checked via TLS in Gmail settings. See screenshot of Gmail settings that are set to secure.

Message from you (Jul 27, 2015 - 11:38:36 / #6918962)
Subject: PCI Vulnerability: Disable SMTP plaintext authentication
Dear DreamHost,

For Ashleypaquin.com we are trying to pass PCI Scan.
There is a vulnerability:

Undefined CVE, SMTP credentials transmitted unencrypted

protocol: tcp
ports: 25, 587

Is there a setting change to use TLS or SSL?

Thank you for your guidance.
-Kimberly


#6

No, it’s not at all. I’ve never had a support ticket stay open for more than 24 hours that I can remember.

If 208.113.252.162 is an IP address pointing to a shared server, I don’t think this can be solved. You haven’t said what DreamHost service you are using, but a change to port 25 on a shared server is going to affect everyone on the server. If you have another DreamHost service, you can solve it.


#7

Update: Moved from shared hosting to VPS.

Working to resolve PCI Compliance vulnerability:
"Chip Lewis 08/03/2015 11:20:48 AM This vulnerability is due to the passing of login credentials unencrypted, not the email itself. A telnet to port 25 at 208.113.252.162 confirms that plaintext login is allowed.
The transmission of cleartext credentials is a violation of PCI DSS section 2.2.2 & 8.4. You need to switch to an encrypted protocol for passing login credentials. "

Where do I change / what do I change on port 25?

Thank you
(will be so happy when we pass compliance… at least for 90 days)
-Kimberly
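The scanner's finding is that the server advertises AUTH PLAIN/LOGIN on the unencrypted channel, before STARTTLS. The following added example (not code from the thread or from DreamHost) parses an EHLO capability list and reports exactly that condition, so the fix on the VPS can be verified the same way the scan checked it; the two EHLO responses, the hostname `mail.example.invalid` and the function names are constructed for illustration.

```python
import smtplib
from dataclasses import dataclass

# Constructed sample EHLO response (not real server output): a server that
# advertises plaintext AUTH before STARTTLS, which is what the scanner flagged.
WEAK_EHLO = [
    "mail.example.invalid",
    "PIPELINING",
    "SIZE 10240000",
    "STARTTLS",
    "AUTH PLAIN LOGIN",
    "8BITMIME",
]

# Constructed sample: hardened server that offers AUTH only after STARTTLS,
# so the pre-TLS EHLO response carries no AUTH line at all.
HARDENED_EHLO = [
    "mail.example.invalid",
    "PIPELINING",
    "SIZE 10240000",
    "STARTTLS",
    "8BITMIME",
]

@dataclass(frozen=True)
class AuthExposure:
    cleartext_auth: frozenset  # AUTH mechanisms offered before TLS
    starttls: bool             # whether STARTTLS is offered at all

    @property
    def pci_finding(self) -> bool:
        # Any mechanism accepted on the unencrypted channel exposes credentials;
        # PLAIN and LOGIN only base64-encode them, which is not encryption.
        return bool(self.cleartext_auth)

def assess_ehlo(lines):
    """Classify a pre-STARTTLS EHLO capability list (first line is the greeting)."""
    mechs, starttls = set(), False
    for line in lines[1:]:
        # Some servers use the legacy "AUTH=PLAIN LOGIN" form; normalise it.
        keyword, _, args = line.strip().replace("=", " ", 1).partition(" ")
        if keyword.upper() == "STARTTLS":
            starttls = True
        elif keyword.upper() == "AUTH":
            mechs.update(m.upper() for m in args.split())
    return AuthExposure(frozenset(mechs), starttls)

def assess_live(host, port=587, timeout=10):
    """Assess your own server's pre-TLS EHLO; connects but never logs in."""
    with smtplib.SMTP(host, port, timeout=timeout) as srv:
        _code, msg = srv.ehlo()
        return assess_ehlo(msg.decode("utf-8", "replace").splitlines())
```

After the change on the VPS, `assess_live("your.server", 25)` and `assess_live("your.server", 587)` should both return `pci_finding == False` while `starttls` stays `True`. The thread does not say which MTA the VPS runs; if it is Postfix, the setting that produces the hardened behaviour is `smtpd_tls_auth_only = yes`, and other MTAs have an equivalent "require TLS before AUTH" option.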