[AusNOG] Issues receiving from TPG Mail servers.

Paul Wilkins paulwilkins369 at gmail.com
Mon Jul 23 17:03:15 EST 2018


PCI spec is pretty clear you're to have separation (virtual/physical)
between PCI and other environments.

OTOH, TPG SLAs do not require TLS1.0+.

Someone is going to have to sling for an external MTA.

Kind regards

Paul Wilkins

On 23 July 2018 at 16:01, Michael Junek <michael at juneks.com.au> wrote:

> Just being the 'mean security consultant' - the security level of each
> system could easily be argued - email would be considered low security for
> compatibility (which technically means that TLS1.0/SSL3 etc is
> acceptable); whereas the web servers are considered high security handling
> CHD, which means that they should be covered under the full encrypted spec. It
> would also mean if that was considered, that 2.2.1 would apply, and
> separation of function would be required.
>
>
>
> ------------------------------
> *From:* Bradley Silverman <bsilverman at staff.ventraip.com>
> *Sent:* Monday, 23 July 2018 15:56
> *To:* Michael Junek
> *Cc:* Mark Newton; ausnog at lists.ausnog.net
>
> *Subject:* Re: [AusNOG] Issues receiving from TPG Mail servers.
>
> @Michael - That's what we are looking at doing, though it will be a pain.
> Not sure how to go about doing it with Exim & cPanel but will start looking
> into it.
>
> Re 2.2.1, it won't fail if they have the same security level, which is
> what we are trying to accomplish by bringing TPG into spec. DNS is on
> separate servers, and the database connection isn't publicly accessible.
>
> Really appreciate the help with this gents. Hopefully TPG get back in
> touch with me else we will have to investigate ways of blocking TLS
> handshakes from TPG.
>
> Regards,
>
> Bradley Silverman | VentraIP Australia
> *Technical Operations*
>
> mobile. +61 418 641 103
> phone. +61 3 9013 8464
>
> On Mon, Jul 23, 2018 at 3:48 PM, Michael Junek <michael at juneks.com.au>
> wrote:
>
>> On the PCI Audit side of things, however, I think the shared hosting such
>> as CPanel servers will fail PCI based on requirement 2.2.1 regardless--
>>
>>
>> "Implement only one primary function per server to prevent functions that
>> require different security levels from co-existing on the same server. (For
>> example, web servers, database servers, and DNS should be implemented on
>> separate servers.)"
>>
>>
>>
>>
>>
>> ------------------------------
>> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Bradley
>> Silverman <bsilverman at staff.ventraip.com>
>> *Sent:* Monday, 23 July 2018 15:40
>> *To:* Mark Newton
>> *Cc:* ausnog at lists.ausnog.net
>> *Subject:* Re: [AusNOG] Issues receiving from TPG Mail servers.
>>
>> @Michael - I agree that turning it off is the best way of solving it, the
>> issue is we don't have the servers forcing TLS, that's TPG.
>>
>> @Mark - These are shared hosting servers, think cPanel & Plesk. The one
>> server is both mail, and website. Which means that the server has websites
>> that accept credit card payments, and therefore is subject to PCI. Any
>> system that is on that server is required to comply with PCI.
>>
>> If the server was website only, then I'd agree 100% that it would be out
>> of scope for PCI, but since the same server runs both email and websites
>> for shared hosting customers, it is in scope.
>>
>> We have zero issue with any other MTA, it is only these TPG MTAs that
>> are forcing both TLSv1.0 and an old cipher. If they either turned off TLS
>> or upgraded to TLSv1.2 they would be up to spec.
>>
>> But we either have to make the decision to block TPG from being able to
>> send to the 100,000s of email accounts we have, or make it so that none of
>> our customers' servers are PCI compliant. I'd rather speak to TPG and work
>> with them to fix the underlying problem.
>>
>> Regards,
>>
>> Bradley Silverman | VentraIP Australia
>> *Technical Operations*
>>
>> mobile. +61 418 641 103
>> phone. +61 3 9013 8464
>>
>> On Mon, Jul 23, 2018 at 3:34 PM, Mark Newton <newton at atdot.dotat.org>
>> wrote:
>>
>>> But PCI Compliance only applies to the Cardholder Data Environment.
>>>
>>> Why on earth would you have a mail server in the Cardholder Data
>>> Environment?
>>>
>>> And if it isn’t in the CDE: You can run whatever version of TLS you
>>> want, and it’s none of PCI’s business.
>>>
>>>   - mark
>>>
>>>
>>>
>>> On Jul 23, 2018, at 3:06 PM, Bradley Silverman <
>>> bsilverman at staff.ventraip.com> wrote:
>>>
>>> Hi Matt,
>>>
>>> Really appreciate you sending me that email, I will definitely send an
>>> email through to there!
>>>
>>> @Mark Certainly not! PCI Compliance requires that TLSv1.0 be disabled on
>>> the server. Postfix/Exim/Dovecot are no exception to the rule; if we
>>> disable TLSv1.0 on the server and remove the weak cipher, then TPG's MTAs
>>> aren't able to send mail to us.
>>>
>>> Regards,
>>>
>>> Bradley Silverman | VentraIP Australia
>>> *Technical Operations*
>>>
>>> mobile. +61 418 641 103
>>> phone. +61 3 9013 8464
>>>
>>> On Mon, Jul 23, 2018 at 2:48 PM, Mark Newton <newton at atdot.dotat.org>
>>> wrote:
>>>
>>>> You’re trying to exchange payment card information over email?
>>>>
>>>>   - mark
>>>>
>>>> On Jul 23, 2018, at 1:30 PM, Bradley Silverman <
>>>> bsilverman at staff.ventraip.com> wrote:
>>>>
>>>> Does anyone have a contact at TPG regarding their mail servers?
>>>>
>>>> We are having issues with their mail servers using non-PCI compliant
>>>> ciphers which is stopping our servers accepting mail from them.
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Bradley Silverman | VentraIP Australia
>>>> *Technical Operations*
>>>>
>>>> mobile. +61 418 641 103
>>>> phone. +61 3 9013 8464
>>>> _______________________________________________
>>>> AusNOG mailing list
>>>> AusNOG at lists.ausnog.net
>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>
>>>>
>>>>
>>>
>>>
>>
>
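As an added example, not code from anyone in this thread and not anything VentraIP or TPG run: before turning off TLSv1.0 on a receiving MTA, the practical first step is to measure which sending hosts would actually be cut off, since a sender whose STARTTLS handshake fails typically defers and retries rather than falling back to plaintext, which is exactly the "TPG can't send to us" outcome described above. The script below scans Postfix smtpd log lines of the form "TLS connection established from host[ip]: TLSvX with cipher Y" (Exim logs the equivalent in a different format) and lists the senders that negotiated SSL or early TLS. The log lines, hostnames and addresses are constructed sample data; the protocol set treated as "weak" is a policy choice, not a quotation of the PCI DSS text.

```python
"""Summarise inbound STARTTLS protocol/cipher usage from Postfix smtpd logs.

Purpose: before disabling TLSv1.0 (e.g. via Postfix's smtpd_tls_protocols),
find out which sending hosts only ever negotiate early TLS, so the impact of
the change is known in advance instead of discovered as bounced/deferred mail.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines in Postfix smtpd format; the hosts and
# addresses are documentation values, not real senders.
SAMPLE_LOG = """\
Jul 23 13:02:11 mx1 postfix/smtpd[4121]: Anonymous TLS connection established from mail01.isp.example[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
Jul 23 13:02:15 mx1 postfix/smtpd[4122]: Anonymous TLS connection established from mx.partner.example[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 23 13:03:40 mx1 postfix/smtpd[4125]: Anonymous TLS connection established from mail02.isp.example[192.0.2.11]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Jul 23 13:04:02 mx1 postfix/smtpd[4126]: Trusted TLS connection established from smtp.bank.example[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 23 13:04:55 mx1 postfix/smtpd[4127]: connect from unknown[203.0.113.99]
Jul 23 13:05:10 mx1 postfix/smtpd[4128]: Anonymous TLS connection established from mail01.isp.example[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
"""

# Postfix logs the negotiated protocol as TLSv1 (meaning TLS 1.0), TLSv1.1, TLSv1.2, ...
TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?:Anonymous|Trusted|Untrusted|Verified) TLS connection "
    r"established from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Policy choice for this example: SSL and TLS 1.0 are "early TLS" for PCI DSS
# purposes; TLS 1.1 is included here because most hardening guides drop it too.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_tls_sessions(log_text):
    """Return (host, ip, protocol, cipher) for every negotiated TLS session in the log."""
    sessions = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:  # lines without a TLS handshake (plain connects, rejects) are skipped
            sessions.append((m["host"], m["ip"], m["proto"], m["cipher"]))
    return sessions


def protocol_counts(sessions):
    """Count sessions per negotiated protocol version."""
    return Counter(proto for _, _, proto, _ in sessions)


def affected_senders(sessions, weak=WEAK_PROTOCOLS):
    """Map each sending host that used a weak protocol to the set of ciphers it negotiated."""
    affected = defaultdict(set)
    for host, ip, proto, cipher in sessions:
        if proto in weak:
            affected[f"{host}[{ip}]"].add(cipher)
    return dict(affected)


if __name__ == "__main__":
    sessions = parse_tls_sessions(SAMPLE_LOG)
    print("Sessions by protocol:", dict(protocol_counts(sessions)))
    for sender, ciphers in sorted(affected_senders(sessions).items()):
        print(f"would be cut off by disabling early TLS: {sender} ({', '.join(sorted(ciphers))})")
```

Run it against a real mail log instead of SAMPLE_LOG (read the file and pass its contents to parse_tls_sessions) and the output is the list of peers to contact, or to handle through a separate, non-CDE MTA, before the protocol change goes live.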