[AusNOG] Issues receiving from TPG Mail servers.

Bradley Silverman bsilverman at staff.ventraip.com
Mon Jul 23 15:40:48 EST 2018


@Michael - I agree that turning it off is the best way of solving it, the
issue is we don't have the servers forcing TLS, that's TPG.

@Mark - These are shared hosting servers, think cPanel & Plesk. The one
server is both mail and website, which means that the server has websites
that accept credit card payments, and therefore is subject to PCI. Any
system that is on that server is required to comply with PCI.

If the server was website only, then I'd agree 100% that it would be out of
scope for PCI, but since the same server runs both email and websites for
shared hosting customers, it is in scope.

We have zero issue with any other MTA, it is only these TPG MTAs that are
forcing both TLSv1.0 and an old cipher. If they either turned off TLS or
upgraded to TLSv1.2 they would be up to spec.

But we either have to make the decision to block TPG from being able to
send to the 100,000s of email accounts we have, or make it so that none of
our customers' servers are PCI compliant. I'd rather speak to TPG and work
with them to fix the underlying problem.

Regards,

Bradley Silverman | VentraIP Australia
*Technical Operations*

mobile. +61 418 641 103
phone. +61 3 9013 8464

On Mon, Jul 23, 2018 at 3:34 PM, Mark Newton <newton at atdot.dotat.org> wrote:

> But PCI Compliance only applies to the Cardholder Data Environment.
>
> Why on earth would you have a mail server in the Cardholder Data
> Environment?
>
> And if it isn’t in the CDE: You can run whatever version of TLS you want,
> and it’s none of PCI’s business.
>
>   - mark
>
>
>
> On Jul 23, 2018, at 3:06 PM, Bradley Silverman <
> bsilverman at staff.ventraip.com> wrote:
>
> Hi Matt,
>
> Really appreciate you sending me that email, I will definitely send an
> email through to there!
>
> @Mark Certainly not! PCI Compliance requires that TLSv1.0 be disabled on
> the server. Postfix/Exim/Dovecot are no exception to the rule; if we
> disable TLSv1.0 on the server and remove the weak cipher, then TPG's MTAs
> aren't able to send mail to us.
>
> Regards,
>
> Bradley Silverman | VentraIP Australia
> *Technical Operations*
>
> mobile. +61 418 641 103
> phone. +61 3 9013 8464
>
> On Mon, Jul 23, 2018 at 2:48 PM, Mark Newton <newton at atdot.dotat.org>
> wrote:
>
>> You’re trying to exchange payment card information over email?
>>
>>   - mark
>>
>> On Jul 23, 2018, at 1:30 PM, Bradley Silverman <
>> bsilverman at staff.ventraip.com> wrote:
>>
>> Does anyone have a contact at TPG regarding their mail servers?
>>
>> We are having issues with their mail servers using non-PCI compliant
>> ciphers which is stopping our servers accepting mail from them.
>>
>>
>> Regards,
>>
>> Bradley Silverman | VentraIP Australia
>> *Technical Operations*
>>
>> mobile. +61 418 641 103
>> phone. +61 3 9013 8464
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>
>>
>
>
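The thread turns on what the remote MTAs actually negotiate over STARTTLS (TLSv1.0 plus an old cipher, per the post). Before blocking a sender or loosening a server's TLS policy, it is worth confirming that from the receiving side. The script below is an added example and is not code from the thread or from VentraIP or TPG: it wraps `openssl s_client -starttls smtp`, parses the `Protocol`/`Cipher` lines it prints, and classifies the result (handshake failed, legacy protocol, weak cipher, or ok). The host name `mail.example.com` is a placeholder, and the sample `s_client` output fed to the parser is constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example (not from the AusNOG thread): check what an MTA negotiates
# over STARTTLS and flag legacy TLS versions and weak ciphers.
# Host names are placeholders; the sample output below is constructed.

# Reduce `openssl s_client` output to one line: "<protocol> <cipher>".
# s_client prints these under "SSL-Session:"; a failed handshake shows
# cipher 0000, and a connection that never reached TLS shows neither.
tls_summary() {
    awk -F': *' '
        /^ *Protocol *:/ { proto = $2 }
        /^ *Cipher *:/   { cipher = $2 }
        END {
            print (proto == "" ? "none" : proto),
                  (cipher == "" ? "none" : cipher)
        }'
}

# Classify a negotiated protocol/cipher pair. Anything older than TLSv1.2
# is reported as legacy; the cipher patterns cover the usual legacy suites
# (3DES, RC4, MD5-MAC, NULL, export grade) and are deliberately coarse.
verdict() {
    proto=$1
    cipher=$2
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ] || [ "$cipher" = "none" ]; then
        echo handshake-failed
        return
    fi
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) echo legacy-protocol; return ;;
    esac
    case "$cipher" in
        *DES*|*RC4*|*MD5*|*NULL*|*EXP*) echo weak-cipher; return ;;
    esac
    echo ok
}

# Live probe (needs network): connect on port 25, upgrade with STARTTLS,
# and summarise the session. Extra arguments go to s_client, so
#   probe_mta mail.example.com -tls1
# asks specifically whether the peer still accepts TLSv1.0 (an OpenSSL
# built without TLSv1.0 support will reject -tls1 itself; treat that
# result as "cannot test", not as "peer refuses TLSv1.0").
probe_mta() {
    host=$1
    shift
    printf 'QUIT\r\n' \
        | openssl s_client -connect "$host:25" -starttls smtp "$@" 2>/dev/null \
        | tls_summary
}

# Offline demonstration on constructed s_client output: the shape of
# session the thread describes, and a modern one for comparison.
demo() {
    legacy=$(printf 'SSL-Session:\n    Protocol  : TLSv1\n    Cipher    : DES-CBC3-SHA\n' | tls_summary)
    modern=$(printf 'SSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES256-GCM-SHA384\n' | tls_summary)
    # shellcheck disable=SC2086
    echo "legacy peer: $legacy -> $(verdict $legacy)"
    # shellcheck disable=SC2086
    echo "modern peer: $modern -> $(verdict $modern)"
}

demo
```

Run `probe_mta <host>` against a sending MTA to see what it negotiates by default, and `probe_mta <host> -tls1_2` to confirm it can still complete a handshake once TLSv1.0 is no longer on offer; a `handshake-failed` verdict on the second probe is the case the thread describes, where tightening the receiving server's policy would stop that sender's mail rather than downgrade it.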

