SOLVED PCI Compliance and Dovecot

#1 Wed, 01/23/2013 - 11:38
fetal


I'm running into some issues with Dovecot and PCI Compliance.

Specs:
CentOS release 6.3 (Final)
dovecot --version 2.0.9
Virtualmin 3.97

Below is the result of the scan:

Security Warning found on port/service "imap (143/tcp)"

Fail (This must be resolved for your device to be compliant). Plugin "SSL Anonymous Cipher Suites Supported" Synopsis The remote service supports the use of anonymous SSL ciphers.

Security Warning found on port/service "pop3 (110/tcp)" Plugin "SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability" Synopsis It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.

Security Warning found on port/service "imap (143/tcp)"

Fail (This must be resolved for your device to be compliant). Plugin "SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability" Synopsis It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.

What I have now.

ssl_cipher_list = ALL:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}

I've also tried with these flags

#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl = required
#ssl_cipher_list = HIGH:!SSLv2:!aNULL:!MD5:!DES:!3DES
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

And still no go. Any suggestions? This is driving me crazy as I only need these 3 to pass.

Thanks in advance!

Wed, 01/23/2013 - 11:46
tpnsolutions

Hi,

You can read about how to become PCI compliant by visiting:

http://www.virtualmin.com/documentation/security/pci

If you have any questions not covered in that documentation, please feel free to post here.

Best Regards,
Peter Knowles
TPN Solutions

E: pknowles@tpnsolutions.com
P: 604-782-9342
W: http://www.tpnsolutions.com
Wed, 01/23/2013 - 14:24
fetal

Thanks for the reply.

I have followed those instructions already, and still seem to fail.

Wed, 01/23/2013 - 17:10 (Reply to #3)
tpnsolutions

Hi,

Check out this post, and see if it helps:

http://jasonbrown.us/blog/disable_weak_cipher_dovecot

Best Regards,
Peter Knowles
TPN Solutions

Fri, 01/25/2013 - 03:10
fetal

Thanks, but I also had already tried that.

I was able to get it to work with

ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!aNULL

The only one left is: Security Warning found on port/service "pop3 (110/tcp)", Plugin "SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability".

Wed, 02/20/2013 - 01:47
fetal

Now I'm having issues with Dovecot again, the same issue as above.

This is what I've tried.

#PCI COMPLIANCE
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!aNULL
#ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
ssl_cipher_list = HIGH:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA:+TLSv1:+SSLv3:!SSLv2

# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!aNULL
#ssl_cipher_list = HIGH:MEDIUM:ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

#ssl_cipher_list = HIGH:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA:+TLSv1:+SSLv3
Wed, 02/20/2013 - 19:43
fetal

I was finally able to get a pass.

This is what I had in my Dovecot conf.

ssl_cipher_list = HIGH:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA:+TLSv1:+SSLv3:!SSLv2:+TLSv1.1:+TLSv1.2
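An added check, not code from the thread or from Dovecot, for the two findings worked through above: it expands an ssl_cipher_list value with the local OpenSSL through Python's ssl module and reports the anonymous suites behind the first finding (the ones !aNULL removed in the 01/25 post) and the SSLv3/TLS 1.0 CBC suites behind the second. The cipher strings are the ones quoted in the thread; appending @SECLEVEL=0 so that a modern OpenSSL shows everything a lenient 2013 build would have offered is an assumption of this check.

```python
import ssl

# Cipher strings quoted in the thread, used here as sample input: the first
# failed the anonymous-cipher finding, the second is what the poster reported
# passing after adding !aNULL.
BEFORE = "HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3"
AFTER = BEFORE + ":!aNULL"


def expand(spec):
    """Suites the local OpenSSL would offer for an OpenSSL cipher string.
    @SECLEVEL=0 (an assumption of this check) is appended so the library's
    default security level does not hide weak suites that a lenient build,
    like the 2013 one in the thread, would still offer. Returns [] when
    OpenSSL can select no cipher at all from the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec + ":@SECLEVEL=0")
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are not governed by ssl_cipher_list; leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_anonymous(c):
    """Suite with no server authentication (ADH-*/AECDH-*, Au=None): what the
    'SSL Anonymous Cipher Suites Supported' plugin reports. !aNULL removes them."""
    return c.get("auth") == "auth-null" or c["name"].startswith(("ADH-", "AECDH-"))


def is_cbc_pre_tls11(c):
    """CBC suite usable with SSLv3/TLS 1.0, where the predictable-IV weakness
    behind the 'Initialization Vector ... Information Disclosure' finding
    applies. AEAD suites and TLS 1.2-only suites are not affected."""
    return (c["protocol"] in ("SSLv3", "TLSv1", "TLSv1.0") and not c.get("aead")
            and (c.get("symmetric") or "").endswith("-cbc"))


def audit(suites):
    """Group suite records (dicts shaped like ssl.SSLContext.get_ciphers()
    entries) into the two sets a PCI scanner flags."""
    return {"anonymous": [c["name"] for c in suites if is_anonymous(c)],
            "cbc_pre_tls11": [c["name"] for c in suites if is_cbc_pre_tls11(c)]}


if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {spec}")
        for finding, names in audit(expand(spec)).items():
            print(f"  {finding}: {len(names)} suite(s) {names[:4]}")
```

Run it before the scanner does: if "anonymous" is non-empty for the string in dovecot.conf, the first finding will come back regardless of how many individual ADH-* names are listed after "!".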
