PCI fail on SSL2, yet I have disabled it as per instructions online

#1 Mon, 06/02/2014 - 07:37
amityweb

Does anyone know how to fix the following PCI failures?

I have followed all recommendations online about disabling SSL2 and yet I still get the following PCI fail:

TCP 25 smtp 5.0 Description: SSL Version 2 (v2) Protocol Detection

TCP 25 smtp 4.3 Description: SSL Weak Cipher Suites Supported

TCP 25 smtp 4.3 Description: SSL Medium Strength Cipher Suites Supported

In particular I have done this http://sogoth.com/?p=376 and followed Virtualmin's instructions https://www.virtualmin.com/documentation/id,pci_compliant

Thanks

Mon, 06/02/2014 - 10:17
andreychek

Howdy,

Our current PCI documentation is available here:

https://www.virtualmin.com/documentation/security/pci

In particular, for port 25 related issues (which appears to be the issue you're seeing), you'd want to pay special attention to the Postfix sections.

What is the output of "postconf -n"?

-Eric

Mon, 06/02/2014 - 15:05
amityweb

I thought I had implemented all that, that's the issue. I double checked it and am sure...

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Tue, 06/03/2014 - 10:18
amityweb

I am very confused by this... I've triple checked all settings online, and yet if I run this command:

openssl s_client -connect myhost.com:25 -starttls smtp -ssl2

I get the following, which says SSL2 is being used. Is there some other place controlling the use of SSL on port 25?

New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: 538F5A4AF8FA8CB141B4AEEF13A67C6E
    Session-ID-ctx:
    Master-Key: 39BD212345678CB141B4AD9B578DC4C376661A8A6B015F6A
    Key-Arg   : 13178CB141B4A06
    Start Time: 1401806545
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Tue, 06/03/2014 - 10:27
amityweb

I had to add the following, and now I do not get the above Protocol : SSLv2, but get the expected write:errno=54

smtpd_tls_protocols = !SSLv2

This is not in the documentation. It's not on many sites. I stumbled upon this site http://www.howtoforge.com/forums/showthread.php?t=58775 which says it's in Postfix 2.6 and later.

I will redo my scan, see if that works.
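An added check, not from the thread or from Virtualmin, that encodes what the posts above show: with smtpd_tls_security_level = may, Postfix applies smtpd_tls_protocols and smtpd_tls_ciphers to the port 25 server, while the smtpd_tls_mandatory_* settings in the posted postconf output only apply to mandatory TLS (security_level = encrypt). It parses a constructed postconf -n excerpt modelled on the one above and reports the gaps a PCI scan would hit; it goes beyond the thread by also flagging SSLv3.

```python
import re
# Constructed excerpt modelled on the "postconf -n" output posted above (TLS parameters only).
SAMPLE_POSTCONF = """\
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_security_level = may
"""
def parse_postconf(text):
    """postconf -n prints one 'name = value' per line; collect them into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            params[name.strip()] = value.strip()
    return params

def protocol_offered(spec, proto):
    """Postfix lists are inclusive ('SSLv3, TLSv1') or exclusive ('!SSLv2, !SSLv3'); empty means all."""
    tokens = [t for t in re.split(r"[\s,:]+", spec) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    return proto not in excluded and (not included or proto in included)

def audit_smtpd_tls(params, legacy=("SSLv2", "SSLv3")):
    """Return findings for the server (port 25) side of Postfix TLS."""
    findings = []
    level = params.get("smtpd_tls_security_level", "none")
    if level == "may":
        # Opportunistic TLS is governed by smtpd_tls_protocols / smtpd_tls_ciphers;
        # the *_mandatory_* parameters only apply when security_level = encrypt.
        for mandatory, effective in (("smtpd_tls_mandatory_protocols", "smtpd_tls_protocols"),
                                     ("smtpd_tls_mandatory_ciphers", "smtpd_tls_ciphers")):
            if mandatory in params and effective not in params:
                findings.append(f"{mandatory} is ignored with security_level=may; set {effective}")
        spec, grade = params.get("smtpd_tls_protocols", ""), params.get("smtpd_tls_ciphers")
    elif level == "encrypt":
        spec, grade = params.get("smtpd_tls_mandatory_protocols", ""), params.get("smtpd_tls_mandatory_ciphers")
    else:
        return [f"smtpd_tls_security_level={level}: STARTTLS is not offered at all"]
    for proto in legacy:
        if protocol_offered(spec, proto):
            findings.append(f"{proto} still offered by protocol list {spec!r}")
    if grade is None:
        findings.append("cipher grade not set explicitly; the build's default applies")
    elif grade in ("export", "low"):
        findings.append(f"cipher grade {grade!r} permits weak suites")
    return findings
```

Adding `smtpd_tls_protocols = !SSLv2, !SSLv3` and `smtpd_tls_ciphers = medium` to the sample clears every finding, which is the change the thread arrives at (minus SSLv3, which the 2014 scan did not yet flag).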

Tue, 06/03/2014 - 17:15
amityweb

Since adding the line smtpd_tls_protocols = !SSLv2 to postfix, I have had a few POSTFIX SMTP Server errors sent to me, from various sources.

Transcript of session follows.

Out: 220 ac2.amitywebsolutions.co.uk ESMTP Postfix
In:  EHLO DUB004-OMC3S13.hotmail.com
Out: 250-ac2.amitywebsolutions.co.uk
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In:  STARTTLS
Out: 454 4.7.0 TLS not available due to local problem

Session aborted, reason: lost connection

Thu, 06/05/2014 - 08:54
amityweb

I have had to remove the line "smtpd_tls_protocols = !SSLv2" on one server because people could not send email. So back to square one.

On another server I get these last two issues, which I don't know how to fix:

TCP 25 smtp
Description: SSL Weak Cipher Suites Supported
TCP 25 smtp 4.3
Description: SSL Medium Strength Cipher Suites Supported

Note: it should be noted that your instructions DO NOT make a server PCI compliant. I have followed your instructions and still fail SecurityMetrics.

Thanks
