Hello Forum Friends,
I’m new to passing PCI Compliance and have the following situation.
I’ve searched our settings and don’t see where to change this to secure??? Please share with me what I am missing. Thank you.
Port: 587, 25
SMTP credentials transmitted unencrypted
The server supports authentication methods where credentials are sent in plaintext over unencrypted channels. If an attacker can intercept traffic between a client and this server, the credentials would be exposed.
Website host says:
This can be disputed. Your email is not hosted on this server and you have no reason to send sensitive information through those ports. The SMTP service is only used to send emails generated by your site.
PCI support says:
These ports are part of the scan target that you provided (IP 220.127.116.11) so the finding will need to be addressed. The transmission of cleartext credentials is a violation of PCI DSS section 2.2.2 & 8.4. You need to switch to an encrypted protocol for passing login credentials.
Has anyone experienced this and have a fix that I can do?
Thank you - Kimberly
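One way to verify what the scanner is reporting, before and after the mail settings are changed, as an added example that is not part of the post, the host's reply or the scanner's output: it reads the server's EHLO keyword list over the cleartext connection and reports whether AUTH is offered before STARTTLS (the condition the finding describes), then repeats the check after STARTTLS. The sample EHLO responses and the host/port placeholders are constructed, not taken from the poster's server.

```python
import smtplib
import ssl

# Constructed sample EHLO responses in raw wire form (not captured from any real server).
# A server that advertises AUTH before STARTTLS lets a client send credentials in cleartext.
EHLO_INSECURE = b"250-mail.example.test\n250-SIZE 35882577\n250-AUTH PLAIN LOGIN\n250-STARTTLS\n250 8BITMIME"
EHLO_HARDENED = b"250-mail.example.test\n250-SIZE 35882577\n250-STARTTLS\n250 8BITMIME"


def parse_ehlo(ehlo_msg):
    """Return the set of uppercase EHLO keywords from an EHLO response.

    Accepts both raw wire lines ('250-AUTH PLAIN LOGIN') and the prefix-stripped
    form that smtplib's ehlo() returns ('AUTH PLAIN LOGIN'). The legacy
    'AUTH=LOGIN' spelling is normalised to 'AUTH'.
    """
    keywords = set()
    for line in ehlo_msg.decode("ascii", "replace").splitlines():
        line = line.strip()
        if line.startswith("250") and len(line) > 4:
            line = line[4:]           # drop '250-' / '250 ' reply-code prefix
        if line:
            keywords.add(line.split()[0].split("=")[0].upper())
    return keywords


def plaintext_auth_exposed(pre_tls_keywords):
    """True when AUTH is advertised on the unencrypted channel, i.e. before STARTTLS."""
    return "AUTH" in pre_tls_keywords


def audit_server(host, port, timeout=10):
    """Live check against your own server: EHLO in cleartext, then STARTTLS and EHLO again.

    Returns a dict so the 'before' and 'after' state can be compared with the scan result.
    """
    result = {"auth_before_tls": None, "starttls_offered": None, "auth_after_tls": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError("EHLO rejected with code %d" % code)
        pre = parse_ehlo(msg)
        result["auth_before_tls"] = plaintext_auth_exposed(pre)
        result["starttls_offered"] = "STARTTLS" in pre
        if result["starttls_offered"]:
            smtp.starttls(context=ssl.create_default_context())
            code, msg = smtp.ehlo()   # capabilities must be re-read after the TLS upgrade
            result["auth_after_tls"] = "AUTH" in parse_ehlo(msg)
    return result


if __name__ == "__main__":
    # Placeholder host/port; replace with the scan target's SMTP service (ports 25 and 587).
    print(audit_server("mail.example.test", 587))
```

A result of `auth_before_tls: True` reproduces the finding; after the server is reconfigured to advertise AUTH only on the TLS-protected session, it should read `auth_before_tls: False` with `auth_after_tls: True`.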