[AusNOG] Issues receiving from TPG Mail servers.

Bradley Silverman bsilverman at staff.ventraip.com
Mon Jul 23 22:56:05 EST 2018 

Hi Mark,

Exim has two types of receiving:
Authenticated Mail
Un-authenticated mail.

The difference is that when using the server for Authenticated mail, the
user must supply valid credentials in order to send mail through it. This
is what you would use for a mail client, such as Outlook. The connecting
server (unless it is an open relay) requires that you provide details in
order to send mail through it, and then that server will forward it on to
the next server.
If you do this, and that server is used for payments and the like, the then
you must comply with PCI. In a cPanel environment, where mail and hosting
are on the same server, this isn't optional if we wish to tell customers
that the servers there data is on is PCI compliant.

Un-authenticated mail, however, doesn't require credentials in order to
accept mail, however, unless that server is relay, it also won't pass that
mail on. It would only accept mail from a server if the mailbox was
actually on it. So when a sending MTA sends mail to us, our server will
accept it if the email account is on that server.
This *doesn't* require authentication and thus no username or password are
supplied. As such encryption isn't required because there are no details to
steal, unless as someone pointed out, you're silly enough to send credit
card details via email.

I appreciate everyone's help, and I do understand where you are all coming
from. But I assure you:
- Both mail and web hosting will almost always be on the same server in a
shared hosting environment.
- If the same server is both hosting websites that have credit card
details, and having a mail program such as Exim, then Exim must comply with
PCI.
- If you do plan on having both on the same server, the server must comply
with the minimum highest spec to qualify (since there is web hosting that
requires high levels of encryption, the mail also requires it, where as if
the mail server was by itself you could use a lesser encryption.

Please don't think I am not thankful for all your help, I just wanted to
make it clear what we've been told and what I understand from my own
research.

You are all right that in a perfect world they would be on totally seperate
servers, but for shared hosting this is almost always not going to be the
case!

Thanks again guys!

Regards,

Bradley Silverman | VentraIP Australia
*Technical Operations*

mobile. +61 418 641 103
phone. +61 3 9013 8464

On Mon, Jul 23, 2018 at 7:34 PM, James Hodgkinson <yaleman at ricetek.net>
wrote:

> I think we all need to step back a bit, let OP do what his auditor feels
> is right, then thank him on behalf of EFF’s StartTLSEverywhere project...
> [1]
>
> ;)
>
> James
>
> [1] https://starttls-everywhere.org
>
>
> On Mon, 23 Jul 2018, at 18:21, Mark Foster wrote:
>
> Maybe i've missed something. Email is valid to shift around in plain text.
> TLS 1.0 might not be acceptable if you're talking minimum encryption
> standards, but I agree with the posters that point out that the Payment
> Card environment should have no dependencies on any email exchange with
> third parties.  This sounds to me like a box-ticking exercise where the
> right action on the public internet is to generally support the lowest
> common denominator unless it's insecure to do so - and in the case of
> email, you have to assume all transactions are insecure anyway unless you
> have end-to-end controls in place (which clearly you don't in this case if
> TPG is one end!)
>
> In the end you should be able to exchange email with TPG without any
> encryption at all and it shouldn't affect your compliance, surely?! As you
> can't be held responsible for a third party system and shouldn't be
> dependent on its status for your compliance as a result.
>
> Disclaimer: Have never tried to seek PCI compliance in any system i've
> operated.
>
> Mark.
>
> On 23/07/2018 7:03 PM, Paul Wilkins wrote:
>
> PCI spec is pretty clear you're to have separation (virtual/physical)
> between PCI and other environments.
>
> OTOH, TPG SLA's do not require TLS1.0+.
>
> Someone is going to have to sling for an external MTA.
>
> Kind regards
>
> Paul Wilkins
>
> On 23 July 2018 at 16:01, Michael Junek <michael at juneks.com.au> wrote:
>
> Just being the 'mean security consultant'  - the security level of each
> system could easily be argued - email would be considered low security for
> compatibility (which technically means that TLS1.0/SSL3 etc is
> acceptable) ; whereas the web servers are considered high security handling
> CHD, which means that they should covered under the full encrypted spec. It
> would also mean if that was considered, that 2.2.1 would apply, and
> seperation of function would be required.
>
>
>
> ------------------------------
>
> *From:* Bradley Silverman <bsilverman at staff.ventraip.com>
> *Sent:* Monday, 23 July 2018 15:56
> *To:* Michael Junek
> *Cc:* Mark Newton; ausnog at lists.ausnog.net
>
> *Subject:* Re: [AusNOG] Issues receiving from TPG Mail servers.
>
>
> @Michael - That's what we are looking at doing, though it will be a pain.
> Not sure how to go about doing it with Exim & cPanel but will start looking
> into it.
>
> Re 2.2.1, it won't fail if they have the same security level, which is
> what we are trying to accomplish by bringing TPG into spec. DNS is on
> separate servers, and the database connection isn't publicly accessible.
>
> Really appreciate the help with this gents. Hopefully TPG get back in
> touch with me else we will have to investigate ways of blocking TLS
> handshakes from TPG.
>
> Regards,
>
> Bradley Silverman | VentraIP Australia
> *Technical Operations*
>
> mobile. +61 418 641 103
> phone. +61 3 9013 8464
>
> On Mon, Jul 23, 2018 at 3:48 PM, Michael Junek <michael at juneks.com.au>
> wrote:
>
> On the PCI Audit side of things, however, I think the shared hosting such
> as CPanel servers will fail PCI based on requirement 2.2.1 regardless--
>
>
> "
>
> Implement only one primary function per server to prevent functions that
> require different security levels from co-existing on the same server. (For
> example, web servers, database servers, and DNS should be implemented on
> separate servers.)
>
> "
>
>
>
>
>
> ------------------------------
>
> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Bradley
> Silverman <bsilverman at staff.ventraip.com>
> *Sent:* Monday, 23 July 2018 15:40
> *To:* Mark Newton
> *Cc:* ausnog at lists.ausnog.net
> *Subject:* Re: [AusNOG] Issues receiving from TPG Mail servers.
>
>
> @Michael - I agree that turning it off is the best way of solving it, the
> issue is we don't have the servers forcing TLS, that's TPG.
>
> @Mark - These are shared hosting servers, think cPanel & Plesk. The one
> server is both mail, and website. Which means that the server has websites
> that accept credit card payments, and therefore is subject to PCI. Any
> system that is on that server is required to comply with PCI.
>
> If the server was website only, then I'd agree 100% that it would be out
> of scope for PCI, but since the same server runs both email and websites
> for shared hosting customers, it is in scope.
>
> We have zero issue with any other MTA, it is only these TPG MTA's that are
> forcing both TLSv1.0 and an old cipher. If they either turned off TLS or
> upgraded to TLSv1.2 they would be up to spec.
>
> But we either have to make the decision to block TPG from being able to
> send to the 100,000s of email accounts we have, or make it so that none of
> our customers servers are PCI compliant. I'd rather speak to TPG and work
> with them to fix the underlying problem.
>
> Regards,
>
> Bradley Silverman | VentraIP Australia
> *Technical Operations*
>
> mobile. +61 418 641 103
> phone. +61 3 9013 8464
>
> On Mon, Jul 23, 2018 at 3:34 PM, Mark Newton <newton at atdot.dotat.org>
> wrote:
>
> But PCI Compliance only applies to the Cardholder Data Environment.
>
> Why on earth would you have a mail server in the Cardholder Data
> Environment?
>
> And if it isn’t in the CDE: You can run whatever version of TLS you want,
> and it’s none of PCI’s business.
>
>
>   - mark
>
>
>
>
> On Jul 23, 2018, at 3:06 PM, Bradley Silverman <
> bsilverman at staff.ventraip.com> wrote:
>
> Hi Matt,
>
> Really appreciate you sending me that email, I will definitely send an
> email through to there!
>
> @Mark Certainly not! PCI Compliance requires that TLSv1.0 be disabled on
> the server. Postifx/Exim/Dovecot are not exception to the rule, if we
> disable TLSv1.0 on the server and remove the weak cipher, then TPG's MTAs
> aren't able to send mail to us.
>
> Regards,
>
> Bradley Silverman | VentraIP Australia
> *Technical Operations*
>
> mobile. +61 418 641 103
> phone. +61 3 9013 8464
>
> On Mon, Jul 23, 2018 at 2:48 PM, Mark Newton <newton at atdot.dotat.org>
> wrote:
>
> You’re trying to exchange payment card information over email?
>
>
>   - mark
>
> On Jul 23, 2018, at 1:30 PM, Bradley Silverman <
> bsilverman at staff.ventraip.com> wrote:
>
> Does anyone have a contact at TPG regarding their mail servers?
>
> We are having issues with their mail servers using non-PCI compliant
> ciphers which is stopping our servers accepting mail from them.
>
>
> Regards,
>
> Bradley Silverman | VentraIP Australia
> *Technical Operations*
>
> mobile. +61 418 641 103
> phone. +61 3 9013 8464
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
>
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
>
> _______________________________________________
> AusNOG mailing listAusNOG at lists.ausnog.nethttp://lists.ausnog.net/mailman/listinfo/ausnog
>
>
> *_______________________________________________*
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20180723/b61ec273/attachment-0001.html>

More information about the AusNOG mailing list