<div dir="ltr">Hi Mark,<div><br></div><div>Exim has two types of receiving:<br>Authenticated mail</div><div>Unauthenticated mail.</div><div><br></div><div>The difference is that when using the server for authenticated mail, the user must supply valid credentials in order to send mail through it. This is what you would use for a mail client, such as Outlook. The connecting server (unless it is an open relay) requires that you provide details in order to send mail through it, and then that server will forward it on to the next server.</div><div>If you do this, and that server is used for payments and the like, then you must comply with PCI. In a cPanel environment, where mail and hosting are on the same server, this isn't optional if we wish to tell customers that the servers their data is on are PCI compliant.</div><div><br></div><div>Unauthenticated mail, however, doesn't require credentials in order to accept mail; however, unless that server is a relay, it also won't pass that mail on. It would only accept mail from a server if the mailbox was actually on it. So when a sending MTA sends mail to us, our server will accept it if the email account is on that server.</div><div>This <i>doesn't</i> require authentication and thus no username or password is supplied. As such, encryption isn't required because there are no details to steal, unless, as someone pointed out, you're silly enough to send credit card details via email.</div><div><br></div><div>I appreciate everyone's help, and I do understand where you are all coming from. 
But I assure you:<br>- Both mail and web hosting will almost always be on the same server in a shared hosting environment.</div><div>- If the same server is both hosting websites that have credit card details and having a mail program such as Exim, then Exim must comply with PCI.</div><div>- If you do plan on having both on the same server, the server must comply with the minimum highest spec to qualify (since there is web hosting that requires high levels of encryption, the mail also requires it, whereas if the mail server was by itself you could use a lesser encryption).</div><div><br></div><div>Please don't think I am not thankful for all your help; I just wanted to make it clear what we've been told and what I understand from my own research.</div><div><br></div><div>You are all right that in a perfect world they would be on totally separate servers, but for shared hosting this is almost always not going to be the case!</div><div><br></div><div>Thanks again guys!</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">Regards,<div><br></div><div>Bradley Silverman | VentraIP Australia<br><b>Technical Operations</b><br><br>mobile. +61 418 641 103<br>phone. +61 3 9013 8464<br></div></div></div></div></div></div>
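<div><br></div><div>The two receive modes above map directly onto the TLS question in this thread: authenticated submission carries a username and password, so it needs strong TLS, while unauthenticated MX delivery carries none. The Python script below is an added example, not code from the thread or from VentraIP, Exim or cPanel. It triages constructed log lines written in the style of Exim's main log (the <code>P=</code>, <code>X=</code> and <code>A=</code> fields) against a "TLS 1.2 minimum, no weak ciphers" rule, flags authenticated sessions that carried credentials without TLS, and lists which sending hosts would stop delivering if early TLS were refused. The host names, log lines and function names are all assumptions made for the example.</div>

```python
"""Triage Exim-style receive log lines against a minimum-TLS policy (added
example, not the thread's or Exim's own code; the log lines are constructed)."""
import re
from collections import Counter, defaultdict

# Record-layer (major, minor): SSLv3=(3,0) TLS1.0=(3,1) TLS1.1=(3,2) TLS1.2=(3,3)
MIN_TLS = (3, 3)
# Cipher-suite name fragments this policy treats as weak.
WEAK_CIPHER = re.compile(r"RC4|ARCFOUR|DES|NULL|EXP|MD5|ANON|ADH|AECDH", re.I)
# Assumed line shape, in the style of Exim's main log:
#   <date> <time> <msgid> <= <sender> H=<host> [<ip>] P=<proto> [X=<ver>:<cipher>:<bits>] [A=<auth>] ...
RECEIVE = re.compile(r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
FIELD = {name: re.compile(rf"\b{tag}=(?P<v>\S+)")
         for name, tag in [("host", "H"), ("tls", "X"), ("auth", "A")]}
IP = re.compile(r"\[(?P<v>[0-9a-fA-F.:]+)\]")

SAMPLE_LOG = [  # constructed sample lines, hosts are placeholders
    # plain MX delivery from a peer stuck on TLS 1.0, once with a 3DES suite
    "2018-07-23 13:02:11 1fhKxY-0001Ab-3C <= someone@example.net H=mx1.peer-a.example [203.0.113.10] P=esmtps X=TLSv1:AES128-SHA:128 CV=no S=2451",
    "2018-07-23 13:05:40 1fhL1C-0001Ad-7Q <= other@example.net H=mx1.peer-a.example [203.0.113.10] P=esmtps X=TLSv1:DES-CBC3-SHA:168 CV=no S=1200",
    # plain MX delivery from a modern peer
    "2018-07-23 13:06:02 1fhL1Y-0001Af-1X <= list@example.org H=mx.peer-b.example [198.51.100.7] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes S=8010",
    # authenticated submission over TLS 1.2: what a mail client should look like
    "2018-07-23 13:10:15 1fhL5f-0001Ah-9K <= alice@hosted.example H=(laptop) [192.0.2.44] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_login:alice@hosted.example S=3300",
    # authenticated submission with no TLS: credentials crossed the wire in clear
    "2018-07-23 13:12:30 1fhL7s-0001Aj-2B <= bob@hosted.example H=(desktop) [192.0.2.45] P=esmtpa A=dovecot_plain:bob@hosted.example S=1900",
    # unauthenticated cleartext delivery: no credentials to steal, so no finding
    "2018-07-23 13:15:00 1fhLAF-0001Al-5D <= news@example.com H=mx.peer-c.example [198.51.100.9] P=esmtp S=700",
    "2018-07-23 13:15:01 1fhLAF-0001Al-5D Completed",  # not a receive line
]


def tls_rank(version):
    """'TLSv1' / 'TLS1.2' / 'SSLv3' -> comparable (major, minor); None if unparsable."""
    m = re.fullmatch(r"(SSL|TLS)v?(\d)(?:\.(\d))?", version)
    if not m:
        return None
    minor = int(m.group(3) or 0)
    return (int(m.group(2)), 0) if m.group(1) == "SSL" else (3, minor + 1)


def parse_receive(line):
    """Dict for a '<=' receive line, None for any other line."""
    m = RECEIVE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = {"msgid": m.group("msgid"), "sender": m.group("sender")}
    for name, rx in FIELD.items():
        f = rx.search(rest)
        rec[name] = f.group("v") if f else None
    f = IP.search(rest)
    rec["ip"] = f.group("v") if f else None
    rec["authenticated"] = rec["auth"] is not None  # A= only appears after AUTH
    tls = (rec["tls"] or "").split(":")             # e.g. TLSv1:AES128-SHA:128
    rec["tls_version"] = tls[0] or None
    rec["cipher"] = tls[1] if len(tls) > 1 else None
    return rec


def assess(rec):
    """Policy findings for one record; an empty list means compliant."""
    findings = []
    if rec["authenticated"] and not rec["tls"]:
        findings.append("auth-without-tls")          # credentials sent in clear
    if rec["tls"]:
        rank = tls_rank(rec["tls_version"])
        if rank is None or rank < MIN_TLS:
            findings.append("tls-below-minimum")
        if rec["cipher"] and WEAK_CIPHER.search(rec["cipher"]):
            findings.append("weak-cipher")
    return findings  # unauthenticated cleartext is deliberately not a finding


def summarize(lines):
    """Per sending host: message count plus a count of each finding."""
    per_host = defaultdict(Counter)
    for rec in filter(None, map(parse_receive, lines)):
        host = rec["host"] or rec["ip"] or "unknown"
        per_host[host]["messages"] += 1
        for finding in assess(rec):
            per_host[host][finding] += 1
    return {h: dict(c) for h, c in per_host.items()}


def hosts_losing_delivery(lines):
    """Unauthenticated senders whose best observed TLS is below MIN_TLS: the peers
    that would stop delivering if early TLS were refused, so contact them first."""
    best = {}
    for rec in filter(None, map(parse_receive, lines)):
        if rec["authenticated"] or not rec["tls"]:
            continue
        rank = tls_rank(rec["tls_version"]) or (0, 0)
        best[rec["host"]] = max(best.get(rec["host"], (0, 0)), rank)
    return sorted(h for h, r in best.items() if r < MIN_TLS)


if __name__ == "__main__":
    for host, counts in summarize(SAMPLE_LOG).items():
        print(f"{host:22} {counts}")
    print("would lose delivery at TLS>=1.2:", hosts_losing_delivery(SAMPLE_LOG))
```

<div>Run against a real main log the script answers the question the thread circles around before the change is made: how many peers only ever negotiate TLS 1.0, and whether any authenticated client is still submitting without TLS. The cleartext, unauthenticated case is left out of the findings on purpose, matching the reasoning above that there are no credentials to protect on that path.</div>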
<br><div class="gmail_quote">On Mon, Jul 23, 2018 at 7:34 PM, James Hodgkinson <span dir="ltr"><<a href="mailto:yaleman@ricetek.net" target="_blank">yaleman@ricetek.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div><div>I think we all need to step back a bit, let OP do what his auditor feels is right, then thank him on behalf of EFF’s StartTLSEverywhere project... [1]<br></div>
<div><br></div>
<div>;)</div>
<div><br></div>
<div>James<br></div>
<div><br></div>
<div>[1] <a href="https://starttls-everywhere.org" target="_blank">https://starttls-<wbr>everywhere.org</a><br></div><div><div class="h5">
<div><br></div>
<div><br></div>
<div>On Mon, 23 Jul 2018, at 18:21, Mark Foster wrote:<br></div>
<blockquote type="cite"><p>Maybe I've missed something. Email is valid to shift around in
plain text. TLS 1.0 might not be acceptable if you're talking
minimum encryption standards, but I agree with the posters that
point out that the Payment Card environment should have no
dependencies on any email exchange with third parties. This
sounds to me like a box-ticking exercise where the right action on
the public internet is to generally support the lowest common
denominator unless it's insecure to do so - and in the case of
email, you have to assume all transactions are insecure anyway
unless you have end-to-end controls in place (which clearly you
don't in this case if TPG is one end!)<br></p><p>In the end you should be able to exchange email with TPG without
any encryption at all and it shouldn't affect your compliance,
surely?! As you can't be held responsible for a third party system
and shouldn't be dependent on its status for your compliance as a
result.<br></p><p>Disclaimer: Have never tried to seek PCI compliance in any system
I've operated. <br></p><p>Mark.<br></p><div><br></div>
<div>On 23/07/2018 7:03 PM, Paul Wilkins
wrote:<br></div>
<blockquote type="cite"><div dir="ltr"><div>PCI spec is pretty clear you're to have separation
(virtual/physical) between PCI and other environments.<br></div>
<div><br></div>
<div>OTOH, TPG SLAs do not require TLS1.0+.<br></div>
<div><br></div>
<div>Someone is going to have to sling for an external MTA.<br></div>
<div><br></div>
<div>Kind regards<br></div>
<div><br></div>
<div>Paul Wilkins<br></div>
</div>
<div><div><br></div>
<div><div>On 23 July 2018 at 16:01, Michael Junek <span dir="ltr"><<a href="mailto:michael@juneks.com.au" target="_blank">michael@juneks.com.au</a>></span> wrote:<br></div>
<div> <br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr" style="font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255);font-family:Calibri,Arial,Helvetica,sans-serif"><p>Just being the 'mean security consultant' - the
security level of each system could easily be argued -
email would be considered low security for compatibility
(which technically means that TLS1.0/SSL3 etc is
acceptable) ; whereas the web servers are considered
high security handling CHD, which means that they should
be covered under the full encrypted spec. It would also
mean, if that was considered, that 2.2.1 would apply, and
separation of function would be required.<br></p><p><br></p><p><br></p><div style="color:rgb(33,33,33)"><div><hr style="display:inline-block;width:98%"><br></div>
<div dir="ltr"><div><span class="m_-366350208884071625colour" style="color:rgb(0,0,0)"><span class="m_-366350208884071625font" style="font-family:Calibri, sans-serif"><span class="m_-366350208884071625size" style="font-size:11pt"><b>From:</b> Bradley Silverman <<a href="mailto:bsilverman@staff.ventraip.com" target="_blank">bsilverman@staff.ventraip.com</a>><br> <b>Sent:</b> Monday, 23 July 2018 15:56<br> <b>To:</b> Michael Junek<br> <b>Cc:</b> Mark Newton; <a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a> </span></span></span></div>
<div><div><span class="m_-366350208884071625colour" style="color:rgb(0,0,0)"><span class="m_-366350208884071625font" style="font-family:Calibri, sans-serif"><span class="m_-366350208884071625size" style="font-size:11pt"><br><b>Subject:</b> Re: [AusNOG] Issues receiving
from TPG Mail servers.</span></span></span></div>
</div>
<div><span class="m_-366350208884071625colour" style="color:rgb(0,0,0)"><span class="m_-366350208884071625font" style="font-family:Calibri, sans-serif"><span class="m_-366350208884071625size" style="font-size:11pt"></span></span></span><br></div>
<div> <br></div>
</div>
<div><div><div><div dir="ltr"><div>@Michael - That's what we are
looking at doing, though it will be a pain. Not
sure how to go about doing it with Exim &
cPanel but will start looking into it. <br></div>
<div><br></div>
<div>Re 2.2.1, it won't fail if they have the
same security level, which is what we are
trying to accomplish by bringing TPG into
spec. DNS is on separate servers, and the
database connection isn't publicly accessible.<br></div>
<div><br></div>
<div>Really appreciate the help with this gents.
Hopefully TPG get back in touch with me else
we will have to investigate ways of blocking
TLS handshakes from TPG.<br></div>
</div>
<div><div><br></div>
<div><div><div dir="ltr"><div><div dir="ltr"><div>Regards, <br></div>
<div><br></div>
<div><div>Bradley Silverman | VentraIP
Australia<br></div>
<div> <b>Technical Operations</b><br></div>
<div> <br></div>
<div> mobile. +61 418 641 103<br></div>
<div> phone. +61 3 9013 8464<br></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br></div>
<div><div>On Mon, Jul 23, 2018 at
3:48 PM, Michael Junek <span dir="ltr"> <<a href="mailto:michael@juneks.com.au" target="_blank">michael@juneks.com.au</a>></span> wrote:<br></div>
<div> <br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr" style="font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255);font-family:Calibri,Arial,Helvetica,sans-serif"><p>On the PCI Audit side of things,
however, I think the shared hosting such
as CPanel servers will fail PCI based on
requirement 2.2.1 regardless--<br></p><p><br></p><p>"<br></p><p>Implement only one primary function per
server to prevent functions that require
different security levels from
co-existing on the same server. (For
example, web servers, database servers,
and DNS should be implemented on
separate servers.)<br></p><p>"<br></p><p><br></p><p><br></p><p><br></p><p><br></p><div style="color:rgb(33,33,33)"><div><span><hr style="display:inline-block;width:98%"></span><br></div>
<div dir="ltr"><div><span><span class="m_-366350208884071625colour" style="color:rgb(0,0,0)"><span class="m_-366350208884071625font" style="font-family:Calibri, sans-serif"><span class="m_-366350208884071625size" style="font-size:11pt"><b>From:</b> AusNOG <<a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">ausnog-bounces@lists.ausnog.net</a>>
on behalf of Bradley Silverman
<<a href="mailto:bsilverman@staff.ventraip.com" target="_blank">bsilverman@staff.ventraip.com</a><wbr>><br> <b>Sent:</b> Monday, 23 July 2018
15:40<br> <b>To:</b> Mark Newton<br> <b>Cc:</b> <a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a><br> <b>Subject:</b> Re: [AusNOG]
Issues receiving from TPG Mail
servers.</span></span></span> </span></div>
<div> <br></div>
</div>
<div><span></span><br></div>
<div><div><div><div dir="ltr"><div>@Michael - I agree
that turning it off is the best
way of solving it, the issue is
we don't have the servers
forcing TLS, that's TPG.<br></div>
<div> <br></div>
<div> @Mark - These are shared hosting
servers, think cPanel &
Plesk. The one server is both
mail, and website. Which means
that the server has websites
that accept credit card
payments, and therefore is
subject to PCI. Any system that
is on that server is required to
comply with PCI. <br></div>
<div><br></div>
<div>If the server was website
only, then I'd agree 100% that
it would be out of scope for
PCI, but since the same server
runs both email and websites
for shared hosting customers,
it is in scope.<br></div>
<div><br></div>
<div>We have zero issue with any
other MTA, it is only these
TPG MTAs that are forcing
both TLSv1.0 and an old
cipher. If they either turned
off TLS or upgraded to TLSv1.2
they would be up to spec.<br></div>
<div><br></div>
<div>But we either have to make
the decision to block TPG from
being able to send to the
100,000s of email accounts we
have, or make it so that none
of our customers' servers are
PCI compliant. I'd rather
speak to TPG and work with
them to fix the underlying
problem.<br></div>
</div>
<div><div><br></div>
<div><div><div dir="ltr"><div><div dir="ltr"><div>Regards, <br></div>
<div><br></div>
<div><div>Bradley Silverman
| VentraIP Australia<br></div>
<div> <b>Technical
Operations</b><br></div>
<div> <br></div>
<div> mobile. +61 418 641
103<br></div>
<div> phone. +61 3 9013
8464<br></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br></div>
<div><div>On Mon,
Jul 23, 2018 at 3:34 PM, Mark
Newton <span dir="ltr"> <<a href="mailto:newton@atdot.dotat.org" target="_blank">newton@atdot.dotat.org</a>></span> wrote:<br></div>
<div> <br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space"><div>But
PCI Compliance only
applies to the Cardholder
Data Environment. <br></div>
<div><br></div>
<div>Why on earth would
you have a mail server
in the Cardholder Data
Environment?<br></div>
<div><br></div>
<div>And if it isn’t in
the CDE: You can run
whatever version of TLS
you want, and it’s none
of PCI’s business.<br></div>
<div><span><span class="m_-366350208884071625colour" style="color:rgb(136,136,136)"></span></span><br></div>
<div><span><span class="m_-366350208884071625colour" style="color:rgb(136,136,136)"></span></span><br></div>
<div><span><span class="m_-366350208884071625colour" style="color:rgb(136,136,136)"> - mark</span></span><br></div>
<div><span><span class="m_-366350208884071625colour" style="color:rgb(136,136,136)"></span></span><br></div>
<div><div><div><br></div>
<div><div><br></div>
<div><div><br></div>
<blockquote type="cite"><div>On Jul 23,
2018, at 3:06
PM, Bradley
Silverman <<a href="mailto:bsilverman@staff.ventraip.com" target="_blank">bsilverman@staff.ventraip.com</a><wbr>>
wrote:<br></div>
<div><br></div>
<div><div dir="ltr"><div>Hi
Matt, <br></div>
<div><br></div>
<div><div>Really
appreciate you
sending me
that email, I
will
definitely
send an email
through to
there!<br></div>
<div> <br></div>
<div> @Mark
Certainly not!
PCI Compliance
requires that
TLSv1.0 be
disabled on
the server.
Postfix/Exim/Dovecot
are no
exception to
the rule; if
we disable
TLSv1.0 on the
server and
remove the
weak cipher,
then TPG's
MTAs aren't
able to send
mail to us.<br></div>
</div>
</div>
<div><div><br></div>
<div><div><div dir="ltr"><div><div dir="ltr"><div>Regards, <br></div>
<div><br></div>
<div><div>Bradley
Silverman |
VentraIP
Australia<br></div>
<div> <b>Technical
Operations</b><br></div>
<div> <br></div>
<div> mobile. +61 418 641 103<br></div>
<div> phone. +61 3
9013 8464<br></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br></div>
<div><div>On
Mon, Jul 23,
2018 at 2:48
PM, Mark
Newton <span dir="ltr"> <<a href="mailto:newton@atdot.dotat.org" target="_blank">newton@atdot.dotat.org</a>></span> wrote:<br></div>
<div> <br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space"><div>You’re
trying to
exchange
payment card
information
over email?<span><span class="m_-366350208884071625colour" style="color:rgb(136,136,136)"> </span></span><br></div>
<div><span><span class="m_-366350208884071625colour" style="color:rgb(136,136,136)"></span></span><br></div>
<div><span><span class="m_-366350208884071625colour" style="color:rgb(136,136,136)"></span></span><br></div>
<div><div><span><span class="m_-366350208884071625colour" style="color:rgb(136,136,136)"> - mark<br> </span></span> </div>
<div><div><div><br></div>
<blockquote type="cite"><div><div><div>On Jul
23, 2018, at
1:30 PM,
Bradley
Silverman <<a href="mailto:bsilverman@staff.ventraip.com" target="_blank">bsilverman@staff.ventraip.com</a><wbr>>
wrote:<br></div>
<div><br></div>
</div>
</div>
<div><div><div><div dir="ltr"><div>Does
anyone have a
contact at TPG
regarding
their mail
servers?<br></div>
<div><br></div>
<div>We are
having issues
with their
mail servers
using non-PCI
compliant
ciphers which
is stopping
our servers
accepting mail
from them.<br></div>
<div><br></div>
<div><br></div>
<div><div><div dir="ltr"><div><div dir="ltr"><div>Regards, <br></div>
<div><br></div>
<div><div>Bradley
Silverman |
VentraIP
Australia<br></div>
<div> <b>Technical
Operations</b><br></div>
<div> <br></div>
<div> mobile. +61 418 641 103<br></div>
<div> phone. +61 3
9013 8464<br></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><span>______________________________<wbr>_________________<br> AusNOG mailing
list<br> <a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br> <a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailma<wbr>n/listinfo/ausnog</a></span></div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote></div>
<div><br></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br></div>
</blockquote></div>
<div><br></div>
</div>
<div><br></div>
<div><br></div>
</blockquote><div><br></div>
</blockquote><div><br></div>
</div></div></div>
<br></blockquote></div><br></div>