[AusNOG] Issues receiving from TPG Mail servers.

[Michael Junek]

Actually going through the pain of it all right now.
Fortunately our QSA is a little pragmatic about these things and isn't one of those checklisty type people - and would certainly offer suggestions about it, especially if there is a documented business reason why something cannot be enacted.

The easiest way around it is to disable TLS completely on your mail server. Won't fail PCI then. And everyone will send to you unencrypted. Doesn't fix the security issue, but it certainly fixes the mailflow.




________________________________________
From: Rob Thomas <xrobau at gmail.com>
Sent: Monday, 23 July 2018 15:27
To: Michael Junek
Cc: Bradley Silverman; Mark Newton; ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Issues receiving from TPG Mail servers.

> But shouldn't your public mail server be out of scope for PCI?

Here. ladies and gentleman, is a nerd that has never encountered the
insanity and conflicting information that is PCI.  Be quiet, we don't
want to scare it.

In all seriousness, yes, they will fail you if you have anything
listening on a machine that accepts TLS1.0 connections.  Or maybe they
won't. You don't know until you pay the $5k for the audit. And if they
DO fail you, you have to fix it. So I'm guessing that is where Bradley
is now. His PCI auditors have said 'No TLS1.0 on this server', and
that's the end of the discussion.

You don't get to reason with these people. They are accountants that
run scripts and have a checklist.  Common sense does not enter into
the equation.

--Rob