<!DOCTYPE html>
<html>
<head>
<title></title>
<style type="text/css">p.MsoNormal,p.MsoNoSpacing{margin:0}</style>
</head>
<body><div>I think we all need to step back a bit, let OP do what his auditor feels is right, then thank him on behalf of EFF’s StartTLSEverywhere project... [1]<br></div>
<div><br></div>
<div>;)</div>
<div><br></div>
<div>James<br></div>
<div><br></div>
<div>[1] <a href="https://starttls-everywhere.org">https://starttls-everywhere.org</a><br></div>
<div><br></div>
<div><br></div>
<div>On Mon, 23 Jul 2018, at 18:21, Mark Foster wrote:<br></div>
<blockquote type="cite"><p>Maybe I've missed something. Email is valid to shift around in
plain text. TLS 1.0 might not be acceptable if you're talking
minimum encryption standards, but I agree with the posters that
point out that the Payment Card environment should have no
dependencies on any email exchange with third parties. This
sounds to me like a box-ticking exercise where the right action on
the public internet is to generally support the lowest common
denominator unless it's insecure to do so - and in the case of
email, you have to assume all transactions are insecure anyway
unless you have end-to-end controls in place (which clearly you
don't in this case if TPG is one end!)<br></p><p>In the end you should be able to exchange email with TPG without
any encryption at all and it shouldn't affect your compliance,
surely?! As you can't be held responsible for a third party system
and shouldn't be dependent on its status for your compliance as a
result.<br></p><p>Disclaimer: Have never tried to seek PCI compliance in any system
I've operated. <br></p><p>Mark.<br></p><div><br></div>
<div>On 23/07/2018 7:03 PM, Paul Wilkins
wrote:<br></div>
<blockquote type="cite" cite="mid:CAMmROTJOSw+CPn91xhXFEJ04YNjJQSYOKLOTd8MvcLO6X-uOAQ@mail.gmail.com"><div dir="ltr"><div>PCI spec is pretty clear you're to have separation
(virtual/physical) between PCI and other environments.<br></div>
<div><br></div>
<div>OTOH, TPG SLAs do not require TLS1.0+.<br></div>
<div><br></div>
<div>Someone is going to have to sling for an external MTA.<br></div>
<div><br></div>
<div>Kind regards<br></div>
<div><br></div>
<div>Paul Wilkins<br></div>
</div>
<div><div><br></div>
<div defang_data-gmailquote="yes"><div>On 23 July 2018 at 16:01, Michael Junek <span dir="ltr"><<a href="mailto:michael@juneks.com.au">michael@juneks.com.au</a>></span> wrote:<br></div>
<div> <br></div>
<blockquote defang_data-gmailquote="yes" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204, 204, 204);padding-left:1ex;"><div dir="ltr" style="font-size:12pt;color:rgb(0, 0, 0);background-color:rgb(255, 255, 255);font-family:Calibri, Arial, Helvetica, sans-serif;"><p>Just being the 'mean security consultant' - the
security level of each system could easily be argued -
email would be considered low security for compatibility
(which technically means that TLS1.0/SSL3 etc is
acceptable) ; whereas the web servers are considered
high security handling CHD, which means that they should be
covered under the full encrypted spec. It would also
mean if that was considered, that 2.2.1 would apply, and
separation of function would be required.<br></p><p><br></p><p><br></p><div style="color:rgb(33, 33, 33);"><div><hr style="display:inline-block;width:98%;"><br></div>
<div dir="ltr"><div><span class="colour" style="color:rgb(0, 0, 0)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"><b>From:</b> Bradley Silverman <<a href="mailto:bsilverman@staff.ventraip.com">bsilverman@staff.ventraip.com</a>><br> <b>Sent:</b> Monday, 23 July 2018 15:56<br> <b>To:</b> Michael Junek<br> <b>Cc:</b> Mark Newton; <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a> </span></span></span></div>
<div><div><span class="colour" style="color:rgb(0, 0, 0)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"><br><b>Subject:</b> Re: [AusNOG] Issues receiving
from TPG Mail servers.</span></span></span></div>
</div>
<div><span class="colour" style="color:rgb(0, 0, 0)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></div>
<div> <br></div>
</div>
<div><div><div><div dir="ltr"><div>@Michael - That's what we are
looking at doing, though it will be a pain. Not
sure how to go about doing it with Exim &
cPanel but will start looking into it. <br></div>
<div><br></div>
<div>Re 2.2.1, it won't fail if they have the
same security level, which is what we are
trying to accomplish by bringing TPG into
spec. DNS is on separate servers, and the
database connection isn't publicly accessible.<br></div>
<div><br></div>
<div>Really appreciate the help with this gents.
Hopefully TPG get back in touch with me else
we will have to investigate ways of blocking
TLS handshakes from TPG.<br></div>
</div>
<div><div><br></div>
<div><div><div dir="ltr"><div><div dir="ltr"><div>Regards, <br></div>
<div><br></div>
<div><div>Bradley Silverman | VentraIP
Australia<br></div>
<div> <b>Technical Operations</b><br></div>
<div> <br></div>
<div> mobile. +61 418 641 103<br></div>
<div> phone. +61 3 9013 8464<br></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br></div>
<div defang_data-gmailquote="yes"><div>On Mon, Jul 23, 2018 at
3:48 PM, Michael Junek <span dir="ltr"> <<a href="mailto:michael@juneks.com.au">michael@juneks.com.au</a>></span> wrote:<br></div>
<div> <br></div>
<blockquote defang_data-gmailquote="yes" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204, 204, 204);padding-left:1ex;"><div dir="ltr" style="font-size:12pt;color:rgb(0, 0, 0);background-color:rgb(255, 255, 255);font-family:Calibri, Arial, Helvetica, sans-serif;"><p>On the PCI Audit side of things,
however, I think the shared hosting such
as CPanel servers will fail PCI based on
requirement 2.2.1 regardless--<br></p><p><br></p><p>"<br></p><p>Implement only one primary function per
server to prevent functions that require
different security levels from
co-existing on the same server. (For
example, web servers, database servers,
and DNS should be implemented on
separate servers.)<br></p><p>"<br></p><p><br></p><p><br></p><p><br></p><p><br></p><div style="color:rgb(33, 33, 33);"><div><span><hr style="display:inline-block;width:98%;"></span><br></div>
<div dir="ltr"><div><span><span class="colour" style="color:rgb(0, 0, 0)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"><b>From:</b> AusNOG <<a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a>>
on behalf of Bradley Silverman
<<a href="mailto:bsilverman@staff.ventraip.com">bsilverman@staff.ventraip.com</a>><br> <b>Sent:</b> Monday, 23 July 2018
15:40<br> <b>To:</b> Mark Newton<br> <b>Cc:</b> <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br> <b>Subject:</b> Re: [AusNOG]
Issues receiving from TPG Mail
servers.</span></span></span> </span></div>
<div> <br></div>
</div>
<div><span></span><br></div>
<div><div><div><div dir="ltr"><div>@Michael - I agree
that turning it off is the best
way of solving it, the issue is
we don't have the servers
forcing TLS, that's TPG.<br></div>
<div> <br></div>
<div> @Mark - These are shared hosting
servers, think cPanel &
Plesk. The one server is both
mail, and website. Which means
that the server has websites
that accept credit card
payments, and therefore is
subject to PCI. Any system that
is on that server is required to
comply with PCI. <br></div>
<div><br></div>
<div>If the server was website
only, then I'd agree 100% that
it would be out of scope for
PCI, but since the same server
runs both email and websites
for shared hosting customers,
it is in scope.<br></div>
<div><br></div>
<div>We have zero issue with any
other MTA, it is only these
TPG MTAs that are forcing
both TLSv1.0 and an old
cipher. If they either turned
off TLS or upgraded to TLSv1.2
they would be up to spec.<br></div>
<div><br></div>
<div>But we either have to make
the decision to block TPG from
being able to send to the
100,000s of email accounts we
have, or make it so that none
of our customers' servers are
PCI compliant. I'd rather
speak to TPG and work with
them to fix the underlying
problem.<br></div>
</div>
<div><div><br></div>
<div><div><div dir="ltr"><div><div dir="ltr"><div>Regards, <br></div>
<div><br></div>
<div><div>Bradley Silverman
| VentraIP Australia<br></div>
<div> <b>Technical
Operations</b><br></div>
<div> <br></div>
<div> mobile. +61 418 641
103<br></div>
<div> phone. +61 3 9013
8464<br></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br></div>
<div defang_data-gmailquote="yes"><div>On Mon,
Jul 23, 2018 at 3:34 PM, Mark
Newton <span dir="ltr"> <<a href="mailto:newton@atdot.dotat.org">newton@atdot.dotat.org</a>></span> wrote:<br></div>
<div> <br></div>
<blockquote defang_data-gmailquote="yes" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204, 204, 204);padding-left:1ex;"><div style="word-wrap:break-word;line-break:after-white-space;"><div>But
PCI Compliance only
applies to the Cardholder
Data Environment. <br></div>
<div><br></div>
<div>Why on earth would
you have a mail server
in the Cardholder Data
Environment?<br></div>
<div><br></div>
<div>And if it isn’t in
the CDE: You can run
whatever version of TLS
you want, and it’s none
of PCI’s business.<br></div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)"></span></span><br></div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)"></span></span><br></div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)"> - mark</span></span><br></div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)"></span></span><br></div>
<div><div><div><br></div>
<div><div><br></div>
<div><div><br></div>
<blockquote type="cite"><div>On Jul 23,
2018, at 3:06
PM, Bradley
Silverman <<a href="mailto:bsilverman@staff.ventraip.com">bsilverman@staff.ventraip.com</a>>
wrote:<br></div>
<div><br></div>
<div><div dir="ltr"><div>Hi
Matt, <br></div>
<div><br></div>
<div><div>Really
appreciate you
sending me
that email, I
will
definitely
send an email
through to
there!<br></div>
<div> <br></div>
<div> @Mark
Certainly not!
PCI Compliance
requires that
TLSv1.0 be
disabled on
the server.
Postfix/Exim/Dovecot
are not an
exception to
the rule, if
we disable
TLSv1.0 on the
server and
remove the
weak cipher,
then TPG's
MTAs aren't
able to send
mail to us.<br></div>
</div>
</div>
<div><div><br></div>
<div><div><div dir="ltr"><div><div dir="ltr"><div>Regards, <br></div>
<div><br></div>
<div><div>Bradley
Silverman |
VentraIP
Australia<br></div>
<div> <b>Technical
Operations</b><br></div>
<div> <br></div>
<div> mobile. +61 418 641 103<br></div>
<div> phone. +61 3
9013 8464<br></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br></div>
<div defang_data-gmailquote="yes"><div>On
Mon, Jul 23,
2018 at 2:48
PM, Mark
Newton <span dir="ltr"> <<a href="mailto:newton@atdot.dotat.org">newton@atdot.dotat.org</a>></span> wrote:<br></div>
<div> <br></div>
<blockquote defang_data-gmailquote="yes" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204, 204, 204);padding-left:1ex;"><div style="word-wrap:break-word;line-break:after-white-space;"><div>You’re
trying to
exchange
payment card
information
over email?<span><span class="colour" style="color:rgb(136, 136, 136)"> </span></span><br></div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)"></span></span><br></div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)"></span></span><br></div>
<div><div><span><span class="colour" style="color:rgb(136, 136, 136)"> - mark<br> </span></span> </div>
<div><div><div><br></div>
<blockquote type="cite"><div><div><div>On Jul
23, 2018, at
1:30 PM,
Bradley
Silverman <<a href="mailto:bsilverman@staff.ventraip.com">bsilverman@staff.ventraip.com</a>>
wrote:<br></div>
<div><br></div>
</div>
</div>
<div><div><div><div dir="ltr"><div>Does
anyone have a
contact at TPG
regarding
their mail
servers?<br></div>
<div><br></div>
<div>We are
having issues
with their
mail servers
using non-PCI
compliant
ciphers which
is stopping
our servers
accepting mail
from them.<br></div>
<div><br></div>
<div><br></div>
<div><div><div dir="ltr"><div><div dir="ltr"><div>Regards, <br></div>
<div><br></div>
<div><div>Bradley
Silverman |
VentraIP
Australia<br></div>
<div> <b>Technical
Operations</b><br></div>
<div> <br></div>
<div> mobile. +61 418 641 103<br></div>
<div> phone. +61 3
9013 8464<br></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><span>_______________________________________________<br> AusNOG mailing
list<br> <a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br> <a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a></span></div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br></div>
</blockquote></div>
<div><br></div>
</div>
<div><br></div>
<div><br></div>
</blockquote><div><br></div>
</blockquote><div><br></div>
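<div>The check the replies above circle around, namely which sending MTAs would be cut off by raising the inbound TLS floor to 1.2 and which still negotiate an old cipher, as an added Python example (not code from the thread, from any of the posters, or from Exim). It scans Exim main-log arrival lines, whose X= field records the negotiated protocol, cipher and key size, and groups peers by how they would fare under a chosen minimum version. The sample log lines, hostnames, IP addresses (RFC 5737 ranges) and the weak-cipher marker list are constructed assumptions for the example, not values from the thread.</div>

```python
"""Find sending MTAs that would be cut off by raising the TLS floor.

Added example (not from the AusNOG thread). It scans Exim main-log
arrival lines for the X= field that records the negotiated TLS protocol
and cipher, and reports which peers still use a version below the chosen
minimum, which peers never offer STARTTLS at all, and which negotiate a
cipher from a small hard-coded list of weak families. The log lines
below are constructed for the example, using RFC 5737 addresses.
"""
import re
from collections import defaultdict

# Exim main-log format for an inbound message: "... <= sender H=host [ip]
# P=esmtps X=PROTO:CIPHER:BITS CV=... S=...". OpenSSL-linked builds write
# "TLSv1" for TLS 1.0 and "TLSv1.2" for TLS 1.2; GnuTLS-linked builds write
# "TLS1.0" / "TLS1.2". The regex accepts both spellings.
LINE_RE = re.compile(
    r"<= \S+ H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]"
    r"(?: P=\S+)?"
    r"(?: X=(?P<tls>TLSv?\d(?:\.\d)?):(?P<cipher>[^:\s]+):(?P<bits>\d+))?"
)

# Cipher-name fragments (assumed list, not from the thread) covering both
# OpenSSL names such as DES-CBC3-SHA and GnuTLS names such as 3DES_EDE.
WEAK_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXP", "MD5")

# Constructed sample log; every host, address and message id is made up.
SAMPLE_LOG = """\
2018-07-23 15:40:12 1fhRtD-0004Kc-1Z <= alice@example.org H=mx1.example.org [192.0.2.10] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2143
2018-07-23 15:41:03 1fhRu2-0004Kq-7B <= bob@example.net H=mta.example.net [198.51.100.7] P=esmtps X=TLSv1:AES128-SHA:128 CV=no S=987
2018-07-23 15:42:40 1fhRvc-0004L1-Qx <= carol@example.com H=smtp.example.com [203.0.113.5] P=esmtp S=511
2018-07-23 15:43:15 1fhRwA-0004L9-2c <= dave@example.net H=mta.example.net [198.51.100.7] P=esmtps X=TLS1.0:RSA_3DES_EDE_CBC_SHA1:192 CV=no S=1450
2018-07-23 15:44:00 1fhRwx-0004LF-Lm <= erin@example.org H=mx2.example.org [192.0.2.11] P=esmtps X=TLSv1.1:AES256-SHA:256 CV=no S=3001
"""


def tls_version(label):
    """Turn 'TLSv1', 'TLSv1.2' or 'TLS1.0' into a (major, minor) tuple."""
    digits = label[3:].lstrip("v")          # drop the leading "TLS" / "TLSv"
    major, _, minor = digits.partition(".")
    return (int(major), int(minor or 0))    # "TLSv1" means TLS 1.0


def parse_line(line):
    """Describe one inbound delivery, or return None for other log lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"host": m.group("host"), "ip": m.group("ip"),
           "version": None, "cipher": None, "bits": None}
    if m.group("tls"):                      # absent when the peer spoke plaintext
        rec["version"] = tls_version(m.group("tls"))
        rec["cipher"] = m.group("cipher")
        rec["bits"] = int(m.group("bits"))
    return rec


def is_weak_cipher(cipher):
    """Heuristic: flag ciphers whose name contains a weak-family marker."""
    name = cipher.upper()
    return any(marker in name for marker in WEAK_CIPHER_MARKERS)


def summarize(log_text, minimum=(1, 2)):
    """Group peers by how they would fare under a TLS floor of `minimum`.

    Returns three dicts keyed by peer hostname: sessions below the floor
    (count), sessions with no TLS at all (count), and weak ciphers seen
    (sorted list). A peer can appear in more than one group.
    """
    below, plaintext, weak = defaultdict(int), defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["version"] is None:
            plaintext[rec["host"]] += 1     # no STARTTLS: unaffected by the floor
            continue
        if rec["version"] < minimum:        # tuple comparison: (1, 0) < (1, 2)
            below[rec["host"]] += 1
        if is_weak_cipher(rec["cipher"]):
            weak[rec["host"]].add(rec["cipher"])
    return (dict(below), dict(plaintext),
            {h: sorted(c) for h, c in weak.items()})


if __name__ == "__main__":
    below, plaintext, weak = summarize(SAMPLE_LOG)
    print("would be rejected with a TLS 1.2 floor:", below)
    print("never used STARTTLS:", plaintext)
    print("weak ciphers negotiated:", weak)
```

<div>Run against a real Exim mainlog the same way (read the file in place of SAMPLE_LOG) before changing tls_require_ciphers or the OpenSSL minimum version: the "below" group is the list of peers that would start bouncing, and the "plaintext" group is a reminder that a higher TLS floor does nothing for senders who never negotiate TLS in the first place, which is the point several replies in the thread make about email being opportunistic.</div>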
</body>
</html>