[AusNOG] Issues receiving from TPG Mail servers.

Bradley Silverman bsilverman at staff.ventraip.com
Mon Jul 23 15:31:24 EST 2018


It sort of makes sense that they won't allow it.

Users, regardless of best case, rarely have that many passwords; they
generally reuse the same one.

If you allow weak encryption on your SMTP, then when connections are made
the password can be stolen, and then often that password can be used to
access other things.

As this is a shared hosting environment it's quite possible that a customer
has the same password for email and cPanel or their website, and that's why
it's part of PCI.

From what I know of PCI, anything on that server, that is accessible
publicly, needs to be up to spec.

Regards,

Bradley Silverman | VentraIP Australia
*Technical Operations*

mobile. +61 418 641 103
phone. +61 3 9013 8464

On Mon, Jul 23, 2018 at 3:27 PM, Rob Thomas <xrobau at gmail.com> wrote:

> > But shouldn't your public mail server be out of scope for PCI?
>
> Here, ladies and gentlemen, is a nerd that has never encountered the
> insanity and conflicting information that is PCI.  Be quiet, we don't
> want to scare it.
>
> In all seriousness, yes, they will fail you if you have anything
> listening on a machine that accepts TLS1.0 connections.  Or maybe they
> won't. You don't know until you pay the $5k for the audit. And if they
> DO fail you, you have to fix it. So I'm guessing that is where Bradley
> is now. His PCI auditors have said 'No TLS1.0 on this server', and
> that's the end of the discussion.
>
> You don't get to reason with these people. They are accountants that
> run scripts and have a checklist.  Common sense does not enter into
> the equation.
>
> --Rob
>
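As an added example for this thread (not code from the original post, from VentraIP or from AusNOG), the following Python probe answers the question the scan would flag: does a given SMTP service still negotiate TLS 1.0 or 1.1 over STARTTLS, and does it speak TLS 1.2 or 1.3 at all. It uses only the standard library. The host name `mail.example`, the port and the per-version result strings are assumptions for illustration; a "refused" result whose reason mentions the local side's minimum version means your own OpenSSL declined to offer TLS 1.0, not that the server rejected it.

```python
"""Probe which TLS versions an SMTP service accepts over STARTTLS (RFC 3207).

Added example for this thread, not code from the original post. The host name
and port used when run stand-alone are assumptions.
"""
import socket
import ssl

# Versions an auditor expects to be refused versus the ones that must work.
LEGACY_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
MODERN_VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def make_probe_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context pinned to exactly one TLS version.

    Certificate checking is disabled on purpose: the question is whether the
    server will negotiate this version, not whether its certificate is valid.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Security level 0 lets the local OpenSSL offer TLS 1.0/1.1 at all;
        # otherwise a modern client refuses locally and says nothing about
        # the server. Not every TLS stack understands @SECLEVEL.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def _read_reply(reader) -> str:
    """Read one SMTP reply, including multi-line ("250-...") form."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text)
        # "250-" continues the reply; "250 " (or a short line) ends it.
        if len(text) < 4 or text[3] != "-":
            return "\n".join(lines)


def probe_starttls(host: str, port: int, version: ssl.TLSVersion,
                   timeout: float = 10.0) -> str:
    """Return the negotiated version string (e.g. "TLSv1.2") or a reason.

    Speaks just enough SMTP to reach STARTTLS, then hands the socket to a
    context pinned to `version`. A server that has really disabled TLS 1.0
    fails the handshake ("refused ..."); one that still accepts it returns
    "TLSv1".
    """
    ctx = make_probe_context(version)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        if not _read_reply(reader).startswith("220"):
            return "no 220 banner"
        sock.sendall(b"EHLO probe.example\r\n")      # client name is assumed
        if "STARTTLS" not in _read_reply(reader).upper():
            return "STARTTLS not advertised"
        sock.sendall(b"STARTTLS\r\n")
        if not _read_reply(reader).startswith("220"):
            return "STARTTLS rejected"
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                negotiated = tls.version()
                tls.sendall(b"QUIT\r\n")
                return negotiated
        except ssl.SSLError as exc:
            return "refused (%s)" % (exc.reason or exc)


def summarize(results: dict) -> dict:
    """Reduce per-version results to what an audit cares about.

    `results` maps ssl.TLSVersion -> string as returned by probe_starttls.
    Returns which legacy versions are still accepted and whether any modern
    version works, so a host that only speaks TLS 1.0 is visible too.
    """
    accepted = {v for v, r in results.items() if r.startswith("TLSv")}
    return {
        "legacy_accepted": sorted(v.name for v in accepted if v in LEGACY_VERSIONS),
        "modern_ok": any(v in accepted for v in MODERN_VERSIONS),
    }


def audit_host(host: str, port: int = 25) -> dict:
    """Probe every version in turn and summarize the outcome."""
    return summarize({v: probe_starttls(host, port, v)
                      for v in LEGACY_VERSIONS + MODERN_VERSIONS})


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example"  # assumed
    print(audit_host(target))
```

Run it against your own submission and inbound ports (587 and 25) before the auditor does; an empty `legacy_accepted` list with `modern_ok` true is the state the checklist wants. Run it against a sender that fails to deliver to you and a `legacy_accepted` list that is not empty, paired with "refused" on the modern versions, shows that the remote side only speaks the versions you have turned off.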