<!DOCTYPE html>
<html>
<head>
<title></title>
<style type="text/css">p.MsoNormal,p.MsoNoSpacing{margin:0}</style>
</head>
<body><div>I think we all need to step back a bit, let OP do what his auditor feels is right, then thank him on behalf of EFF’s StartTLSEverywhere project... [1]<br></div>
<div><br></div>
<div>;)</div>
<div><br></div>
<div>James<br></div>
<div><br></div>
<div>[1] <a href="https://starttls-everywhere.org">https://starttls-everywhere.org</a><br></div>
<div><br></div>
<div><br></div>
<div>On Mon, 23 Jul 2018, at 18:21, Mark Foster wrote:<br></div>
<blockquote type="cite"><p>Maybe I've missed something. Email is valid to shift around in
      plain text. TLS 1.0 might not be acceptable if you're talking
      minimum encryption standards, but I agree with the posters that
      point out that the Payment Card environment should have no
      dependencies on any email exchange with third parties.  This
      sounds to me like a box-ticking exercise where the right action on
      the public internet is to generally support the lowest common
      denominator unless it's insecure to do so - and in the case of
      email, you have to assume all transactions are insecure anyway
      unless you have end-to-end controls in place (which clearly you
      don't in this case if TPG is one end!)<br></p><p>In the end you should be able to exchange email with TPG without
      any encryption at all and it shouldn't affect your compliance,
      surely?! As you can't be held responsible for a third party system
      and shouldn't be dependent on its status for your compliance as a
      result.<br></p><p>Disclaimer: Have never tried to seek PCI compliance in any system
      I've operated. <br></p><p>Mark.<br></p><div><br></div>
<div>On 23/07/2018 7:03 PM, Paul Wilkins
      wrote:<br></div>
<blockquote type="cite" cite="mid:CAMmROTJOSw+CPn91xhXFEJ04YNjJQSYOKLOTd8MvcLO6X-uOAQ@mail.gmail.com"><div dir="ltr"><div>PCI spec is pretty clear you're to have separation
          (virtual/physical) between PCI and other environments.<br></div>
<div><br></div>
<div>OTOH, TPG SLAs do not require TLS1.0+.<br></div>
<div><br></div>
<div>Someone is going to have to sling for an external MTA.<br></div>
<div><br></div>
<div>Kind regards<br></div>
<div><br></div>
<div>Paul Wilkins<br></div>
</div>
<div><div><br></div>
<div defang_data-gmailquote="yes"><div>On 23 July 2018 at 16:01, Michael Junek <span dir="ltr">&lt;<a href="mailto:michael@juneks.com.au">michael@juneks.com.au</a>&gt;</span> wrote:<br></div>
<div> <br></div>
<blockquote defang_data-gmailquote="yes" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204, 204, 204);padding-left:1ex;"><div dir="ltr" style="font-size:12pt;color:rgb(0, 0, 0);background-color:rgb(255, 255, 255);font-family:Calibri, Arial, Helvetica, sans-serif;"><p>Just being the 'mean security consultant'  - the
                security level of each system could easily be argued -
                email would be considered low security for compatibility
                (which technically means that TLS1.0/SSL3 etc is
                acceptable) ; whereas the web servers are considered
                high security handling CHD, which means that they should
                be covered under the full encrypted spec. It would also
                mean if that was considered, that 2.2.1 would apply, and
                separation of function would be required.<br></p><p><br></p><p><br></p><div style="color:rgb(33, 33, 33);"><div><hr style="display:inline-block;width:98%;"><br></div>
<div dir="ltr"><div><span class="colour" style="color:rgb(0, 0, 0)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"><b>From:</b> Bradley Silverman &lt;<a href="mailto:bsilverman@staff.ventraip.com">bsilverman@staff.ventraip.com</a>&gt;<br> <b>Sent:</b> Monday, 23 July 2018 15:56<br> <b>To:</b> Michael Junek<br> <b>Cc:</b> Mark Newton; <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a> </span></span></span></div>
<div><div><span class="colour" style="color:rgb(0, 0, 0)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"><br><b>Subject:</b> Re: [AusNOG] Issues receiving
                        from TPG Mail servers.</span></span></span></div>
</div>
<div><br></div>
<div> <br></div>
</div>
<div><div><div><div dir="ltr"><div>@Michael - That's what we are
                        looking at doing, though it will be a pain. Not
                        sure how to go about doing it with Exim &
                        cPanel but will start looking into it. <br></div>
<div><br></div>
<div>Re 2.2.1, it won't fail if they have the
                          same security level, which is what we are
                          trying to accomplish by bringing TPG into
                          spec. DNS is on separate servers, and the
                          database connection isn't publicly accessible.<br></div>
<div><br></div>
<div>Really appreciate the help with this gents.
                          Hopefully TPG get back in touch with me else
                          we will have to investigate ways of blocking
                          TLS handshakes from TPG.<br></div>
</div>
<div><div><br></div>
<div><div><div dir="ltr"><div><div dir="ltr"><div>Regards, <br></div>
<div><br></div>
<div><div>Bradley Silverman | VentraIP
                                    Australia<br></div>
<div> <b>Technical Operations</b><br></div>
<div> <br></div>
<div> mobile. +61 418 641 103<br></div>
<div> phone. +61 3 9013 8464<br></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br></div>
<div defang_data-gmailquote="yes"><div>On Mon, Jul 23, 2018 at
                          3:48 PM, Michael Junek <span dir="ltr"> &lt;<a href="mailto:michael@juneks.com.au">michael@juneks.com.au</a>&gt;</span> wrote:<br></div>
<div> <br></div>
<blockquote defang_data-gmailquote="yes" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204, 204, 204);padding-left:1ex;"><div dir="ltr" style="font-size:12pt;color:rgb(0, 0, 0);background-color:rgb(255, 255, 255);font-family:Calibri, Arial, Helvetica, sans-serif;"><p>On the PCI Audit side of things,
                                however, I think the shared hosting such
                                as CPanel servers will fail PCI based on
                                requirement 2.2.1 regardless--<br></p><p><br></p><p>"<br></p><p>Implement only one primary function per
                                server to prevent functions that require
                                different security levels from
                                co-existing on the same server. (For
                                example, web servers, database servers,
                                and DNS should be implemented on
                                separate servers.)<br></p><p>"<br></p><p><br></p><p><br></p><p><br></p><p><br></p><div style="color:rgb(33, 33, 33);"><div><span><hr style="display:inline-block;width:98%;"></span><br></div>
<div dir="ltr"><div><span><span class="colour" style="color:rgb(0, 0, 0)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"><b>From:</b> AusNOG &lt;<a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a>&gt;
                                      on behalf of Bradley Silverman
                                      &lt;<a href="mailto:bsilverman@staff.ventraip.com">bsilverman@staff.ventraip.com</a>&gt;<br> <b>Sent:</b> Monday, 23 July 2018
                                      15:40<br> <b>To:</b> Mark Newton<br> <b>Cc:</b> <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br> <b>Subject:</b> Re: [AusNOG]
                                      Issues receiving from TPG Mail
                                      servers.</span></span></span> </span></div>
<div> <br></div>
</div>
<div><span></span><br></div>
<div><div><div><div dir="ltr"><div>@Michael - I agree
                                        that turning it off is the best
                                        way of solving it, the issue is
                                        we don't have the servers
                                        forcing TLS, that's TPG.<br></div>
<div> <br></div>
<div> @Mark - These are shared hosting
                                        servers, think cPanel &
                                        Plesk. The one server is both
                                        mail, and website. Which means
                                        that the server has websites
                                        that accept credit card
                                        payments, and therefore is
                                        subject to PCI. Any system that
                                        is on that server is required to
                                        comply with PCI. <br></div>
<div><br></div>
<div>If the server was website
                                          only, then I'd agree 100% that
                                          it would be out of scope for
                                          PCI, but since the same server
                                          runs both email and websites
                                          for shared hosting customers,
                                          it is in scope.<br></div>
<div><br></div>
<div>We have zero issue with any
                                          other MTA, it is only these
                                          TPG MTAs that are forcing
                                          both TLSv1.0 and an old
                                          cipher. If they either turned
                                          off TLS or upgraded to TLSv1.2
                                          they would be up to spec.<br></div>
<div><br></div>
<div>But we either have to make
                                          the decision to block TPG from
                                          being able to send to the
                                          100,000s of email accounts we
                                          have, or make it so that none
                                          of our customers' servers are
                                          PCI compliant. I'd rather
                                          speak to TPG and work with
                                          them to fix the underlying
                                          problem.<br></div>
</div>
<div><div><br></div>
<div><div><div dir="ltr"><div><div dir="ltr"><div>Regards, <br></div>
<div><br></div>
<div><div>Bradley Silverman
                                                    | VentraIP Australia<br></div>
<div> <b>Technical
                                                      Operations</b><br></div>
<div> <br></div>
<div> mobile. +61 418 641
                                                    103<br></div>
<div> phone. +61 3 9013
                                                    8464<br></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br></div>
<div defang_data-gmailquote="yes"><div>On Mon,
                                          Jul 23, 2018 at 3:34 PM, Mark
                                          Newton <span dir="ltr"> &lt;<a href="mailto:newton@atdot.dotat.org">newton@atdot.dotat.org</a>&gt;</span> wrote:<br></div>
<div> <br></div>
<blockquote defang_data-gmailquote="yes" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204, 204, 204);padding-left:1ex;"><div style="word-wrap:break-word;line-break:after-white-space;"><div>But
                                              PCI Compliance only
                                              applies to the Cardholder
                                              Data Environment. <br></div>
<div><br></div>
<div>Why on earth would
                                                you have a mail server
                                                in the Cardholder Data
                                                Environment?<br></div>
<div><br></div>
<div>And if it isn’t in
                                                the CDE: You can run
                                                whatever version of TLS
                                                you want, and it’s none
                                                of PCI’s business.<br></div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)"></span></span><br></div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)"></span></span><br></div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)">  - mark</span></span><br></div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)"></span></span><br></div>
<div><div><div><br></div>
<div><div><br></div>
<div><div><br></div>
<blockquote type="cite"><div>On Jul 23,
                                                          2018, at 3:06
                                                          PM, Bradley
                                                          Silverman &lt;<a href="mailto:bsilverman@staff.ventraip.com">bsilverman@staff.ventraip.com</a>&gt;
                                                          wrote:<br></div>
<div><br></div>
<div><div dir="ltr"><div>Hi
                                                          Matt, <br></div>
<div><br></div>
<div><div>Really
                                                          appreciate you
                                                          sending me
                                                          that email, I
                                                          will
                                                          definitely
                                                          send an email
                                                          through to
                                                          there!<br></div>
<div> <br></div>
<div> @Mark
                                                          Certainly not!
                                                          PCI Compliance
                                                          requires that
                                                          TLSv1.0 be
                                                          disabled on
                                                          the server.
                                                          Postfix/Exim/Dovecot
                                                          are not an
                                                          exception to
                                                          the rule, if
                                                          we disable
                                                          TLSv1.0 on the
                                                          server and
                                                          remove the
                                                          weak cipher,
                                                          then TPG's
                                                          MTAs aren't
                                                          able to send
                                                          mail to us.<br></div>
</div>
</div>
<div><div><br></div>
<div><div><div dir="ltr"><div><div dir="ltr"><div>Regards, <br></div>
<div><br></div>
<div><div>Bradley
                                                          Silverman |
                                                          VentraIP
                                                          Australia<br></div>
<div> <b>Technical
                                                          Operations</b><br></div>
<div> <br></div>
<div> mobile. +61 418 641 103<br></div>
<div> phone. +61 3
                                                          9013 8464<br></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br></div>
<div defang_data-gmailquote="yes"><div>On
                                                          Mon, Jul 23,
                                                          2018 at 2:48
                                                          PM, Mark
                                                          Newton <span dir="ltr"> &lt;<a href="mailto:newton@atdot.dotat.org">newton@atdot.dotat.org</a>&gt;</span> wrote:<br></div>
<div> <br></div>
<blockquote defang_data-gmailquote="yes" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204, 204, 204);padding-left:1ex;"><div style="word-wrap:break-word;line-break:after-white-space;"><div>You’re
                                                          trying to
                                                          exchange
                                                          payment card
                                                          information
                                                          over email?<span><span class="colour" style="color:rgb(136, 136, 136)"> </span></span><br></div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)"></span></span><br></div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)"></span></span><br></div>
<div><div><span><span class="colour" style="color:rgb(136, 136, 136)">  - mark<br> </span></span> </div>
<div><div><div><br></div>
<blockquote type="cite"><div><div><div>On Jul
                                                          23, 2018, at
                                                          1:30 PM,
                                                          Bradley
                                                          Silverman &lt;<a href="mailto:bsilverman@staff.ventraip.com">bsilverman@staff.ventraip.com</a>&gt;
                                                          wrote:<br></div>
<div><br></div>
</div>
</div>
<div><div><div><div dir="ltr"><div>Does
                                                          anyone have a
                                                          contact at TPG
                                                          regarding
                                                          their mail
                                                          servers?<br></div>
<div><br></div>
<div>We are
                                                          having issues
                                                          with their
                                                          mail servers
                                                          using non-PCI
                                                          compliant
                                                          ciphers which
                                                          is stopping
                                                          our servers
                                                          accepting mail
                                                          from them.<br></div>
<div><br></div>
<div><br></div>
<div><div><div dir="ltr"><div><div dir="ltr"><div>Regards, <br></div>
<div><br></div>
<div><div>Bradley
                                                          Silverman |
                                                          VentraIP
                                                          Australia<br></div>
<div> <b>Technical
                                                          Operations</b><br></div>
<div> <br></div>
<div> mobile. +61 418 641 103<br></div>
<div> phone. +61 3
                                                          9013 8464<br></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><span>______________________________<wbr>_________________<br> AusNOG mailing
                                                          list<br> <a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br> <a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailma<wbr>n/listinfo/ausnog</a></span></div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br></div>
</blockquote></div>
<div><br></div>
</div>
<div><br></div>
<div><br></div>
</blockquote><div><br></div>
</blockquote><div><br></div>
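<p>Added example, not code from the thread or from any of the posters: the impact-assessment step the discussion keeps circling, namely working out from the receiving MTA's own logs which sending hosts would stop delivering once TLSv1.0 and the weak cipher are switched off on a shared host. It assumes Postfix smtpd log lines of the form "... TLS connection established from host[ip]: TLSv1 with cipher ... (128/128 bits)"; the log lines, host names and addresses below are constructed placeholders.</p>

```python
import re
from collections import defaultdict

# Constructed Postfix smtpd log lines (not from the thread); host names and
# addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Jul 23 13:02:11 mx1 postfix/smtpd[4021]: Anonymous TLS connection established from mta-a.example.net[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
Jul 23 13:05:42 mx1 postfix/smtpd[4022]: Anonymous TLS connection established from mx.other.example.org[198.51.100.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 23 13:09:03 mx1 postfix/smtpd[4023]: Anonymous TLS connection established from mta-b.example.net[192.0.2.11]: TLSv1 with cipher RC4-SHA (128/128 bits)
Jul 23 13:12:55 mx1 postfix/smtpd[4024]: connect from smtp.plain.example.com[203.0.113.7]
Jul 23 13:15:20 mx1 postfix/smtpd[4025]: Anonymous TLS connection established from mx.other.example.org[198.51.100.5]: TLSv1 with cipher AES128-SHA (128/128 bits)
"""

# Matches Anonymous/Untrusted/Trusted TLS session lines; plaintext sessions
# never log a handshake, so they simply do not appear in the tally.
TLS_RE = re.compile(
    r"TLS connection established from (\S+?)\[([^\]]+)\]: "
    r"(TLSv[0-9.]+|SSLv[23]) with cipher (\S+) \((\d+)/(\d+) bits\)"
)
# Protocol versions PCI DSS no longer accepts as strong cryptography.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL suite names that mark obsolete or anonymous ciphers.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")

def parse_tls_sessions(log_text):
    """One dict per logged TLS session: host, ip, version, cipher, bits."""
    sessions = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m is None:
            continue
        host, ip, version, cipher, bits, _ = m.groups()
        sessions.append({"host": host, "ip": ip, "version": version,
                         "cipher": cipher, "bits": int(bits)})
    return sessions

def cipher_is_weak(cipher, bits):
    """Flag suites PCI would reject by name or by effective key length."""
    name = cipher.upper()
    return bits < 128 or any(marker in name for marker in WEAK_CIPHER_MARKERS)

def impact_report(sessions):
    """Classify each sending host by what disabling legacy TLS would do to it:
    'modern' (only TLSv1.2+), 'mixed' (some TLSv1.2+ sessions, so it can cope)
    or 'legacy-only' (every session used SSLv3/TLSv1/TLSv1.1)."""
    by_host = defaultdict(list)
    for s in sessions:
        by_host[s["host"]].append(s)
    report = {}
    for host, sess in by_host.items():
        versions = {s["version"] for s in sess}
        if not versions & LEGACY_VERSIONS:
            status = "modern"
        elif versions - LEGACY_VERSIONS:
            status = "mixed"
        else:
            status = "legacy-only"
        weak = sorted({s["cipher"] for s in sess
                       if cipher_is_weak(s["cipher"], s["bits"])})
        report[host] = {"status": status, "sessions": len(sess),
                        "versions": sorted(versions), "weak_ciphers": weak}
    return report
```

<p>Hosts reported as legacy-only are the ones in the position the thread describes for the TPG MTAs: they have to be contacted, exempted, or knowingly accepted as a delivery failure before the change is made.</p>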
</body>
</html>