[AusNOG] Issues receiving from TPG Mail servers.

James Hodgkinson yaleman at ricetek.net
Mon Jul 23 19:34:23 EST 2018 

I think we all need to step back a bit, let OP do what his auditor feels
is right, then thank him on behalf of EFF’s StartTLSEverywhere
project... [1]
;)

James

[1] https://starttls-everywhere.org


On Mon, 23 Jul 2018, at 18:21, Mark Foster wrote:
> Maybe i've missed something. Email is valid to shift around in plain
> text. TLS 1.0 might not be acceptable if you're talking minimum
> encryption standards, but I agree with the posters that point out that
> the Payment Card environment should have no dependencies on any email
> exchange with third parties.  This sounds to me like a box-ticking
> exercise where the right action on the public internet is to generally
> support the lowest common denominator unless it's insecure to do so -
> and in the case of email, you have to assume all transactions are
> insecure anyway unless you have end-to-end controls in place (which
> clearly you don't in this case if TPG is one end!)> In the end you should be able to exchange email with TPG without any
> encryption at all and it shouldn't affect your compliance, surely?! As
> you can't be held responsible for a third party system and shouldn't
> be dependent on its status for your compliance as a result.> Disclaimer: Have never tried to seek PCI compliance in any system i've
> operated.> Mark.


> 
> On 23/07/2018 7:03 PM, Paul Wilkins wrote:
>> PCI spec is pretty clear you're to have separation (virtual/physical)
>> between PCI and other environments.>> 
>> OTOH, TPG SLA's do not require TLS1.0+.
>> 
>> Someone is going to have to sling for an external MTA.
>> 
>> Kind regards
>> 
>> Paul Wilkins
>> 
>> On 23 July 2018 at 16:01, Michael Junek
>> <michael at juneks.com.au> wrote:>> 
>>> Just being the 'mean security consultant'  - the security level of
>>> each system could easily be argued - email would be considered low
>>> security for compatibility (which technically means that TLS1.0/SSL3
>>> etc is acceptable) ; whereas the web servers are considered high
>>> security handling CHD, which means that they should covered under
>>> the full encrypted spec. It would also mean if that was considered,
>>> that 2.2.1 would apply, and seperation of function would be
>>> required.>>> 


>>> 


>>> 
>>> *From:* Bradley Silverman <bsilverman at staff.ventraip.com> *Sent:*
>>> Monday, 23 July 2018 15:56 *To:* Michael Junek *Cc:* Mark Newton;
>>> ausnog at lists.ausnog.net>>>
>>> *Subject:* Re: [AusNOG] Issues receiving from TPG Mail servers.>>> 
>>>  
>>> @Michael - That's what we are looking at doing, though it will be a
>>> pain. Not sure how to go about doing it with Exim & cPanel but will
>>> start looking into it.>>> 
>>> Re 2.2.1, it won't fail if they have the same security level, which
>>> is what we are trying to accomplish by bringing TPG into spec. DNS
>>> is on separate servers, and the database connection isn't publicly
>>> accessible.>>> 
>>> Really appreciate the help with this gents. Hopefully TPG get back
>>> in touch with me else we will have to investigate ways of blocking
>>> TLS handshakes from TPG.>>> 
>>> Regards, 
>>> 
>>> Bradley Silverman | VentraIP Australia
>>> *Technical Operations*
>>> 
>>>  mobile. +61 418 641 103
>>>  phone. +61 3 9013 8464
>>> 
>>> On Mon, Jul 23, 2018 at 3:48 PM, Michael Junek
>>> <michael at juneks.com.au> wrote:>>> 
>>>> On the PCI Audit side of things, however, I think the shared
>>>> hosting such as CPanel servers will fail PCI based on requirement
>>>> 2.2.1 regardless-->>>> 


>>>> "


>>>> Implement only one primary function per server to prevent functions
>>>> that require different security levels from co-existing on the same
>>>> server. (For example, web servers, database servers, and DNS should
>>>> be implemented on separate servers.)>>>> "


>>>> 


>>>> 


>>>> 


>>>> 


>>>> 
>>>> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of
>>>> Bradley Silverman <bsilverman at staff.ventraip.com> *Sent:* Monday,
>>>> 23 July 2018 15:40 *To:* Mark Newton *Cc:* ausnog at lists.ausnog.net
>>>> *Subject:* Re: [AusNOG] Issues receiving from TPG Mail servers.>>>>  
>>>> 
>>>> @Michael - I agree that turning it off is the best way of solving
>>>> it, the issue is we don't have the servers forcing TLS, that's TPG.>>>> 
>>>>  @Mark - These are shared hosting servers, think cPanel & Plesk.
>>>>  The one server is both mail, and website. Which means that the
>>>>  server has websites that accept credit card payments, and
>>>>  therefore is subject to PCI. Any system that is on that server is
>>>>  required to comply with PCI.>>>> 
>>>> If the server was website only, then I'd agree 100% that it would
>>>> be out of scope for PCI, but since the same server runs both email
>>>> and websites for shared hosting customers, it is in scope.>>>> 
>>>> We have zero issue with any other MTA, it is only these TPG MTA's
>>>> that are forcing both TLSv1.0 and an old cipher. If they either
>>>> turned off TLS or upgraded to TLSv1.2 they would be up to spec.>>>> 
>>>> But we either have to make the decision to block TPG from being
>>>> able to send to the 100,000s of email accounts we have, or make it
>>>> so that none of our customers servers are PCI compliant. I'd rather
>>>> speak to TPG and work with them to fix the underlying problem.>>>> 
>>>> Regards, 
>>>> 
>>>> Bradley Silverman | VentraIP Australia
>>>> *Technical Operations*
>>>> 
>>>>  mobile. +61 418 641 103
>>>>  phone. +61 3 9013 8464
>>>> 
>>>> On Mon, Jul 23, 2018 at 3:34 PM, Mark Newton
>>>> <newton at atdot.dotat.org> wrote:>>>> 
>>>>> But PCI Compliance only applies to the Cardholder Data
>>>>> Environment.>>>>> 
>>>>> Why on earth would you have a mail server in the Cardholder Data
>>>>> Environment?>>>>> 
>>>>> And if it isn’t in the CDE: You can run whatever version of TLS
>>>>> you want, and it’s none of PCI’s business.>>>>> 
>>>>> 
>>>>>   - mark
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Jul 23, 2018, at 3:06 PM, Bradley Silverman
>>>>>> <bsilverman at staff.ventraip.com> wrote:>>>>>> 
>>>>>> Hi Matt, 
>>>>>> 
>>>>>> Really appreciate you sending me that email, I will definitely
>>>>>> send an email through to there!>>>>>> 
>>>>>>  @Mark Certainly not! PCI Compliance requires that TLSv1.0 be
>>>>>>  disabled on the server. Postifx/Exim/Dovecot are not exception
>>>>>>  to the rule, if we disable TLSv1.0 on the server and remove the
>>>>>>  weak cipher, then TPG's MTAs aren't able to send mail to us.>>>>>> 
>>>>>> Regards, 
>>>>>> 
>>>>>> Bradley Silverman | VentraIP Australia
>>>>>> *Technical Operations*
>>>>>> 
>>>>>>  mobile. +61 418 641 103
>>>>>>  phone. +61 3 9013 8464
>>>>>> 
>>>>>> On Mon, Jul 23, 2018 at 2:48 PM, Mark Newton
>>>>>> <newton at atdot.dotat.org> wrote:>>>>>> 
>>>>>>> You’re trying to exchange payment card information over email?>>>>>>> 
>>>>>>> 
>>>>>>>   - mark
>>>>>>> 
>>>>>>>> On Jul 23, 2018, at 1:30 PM, Bradley Silverman
>>>>>>>> <bsilverman at staff.ventraip.com> wrote:>>>>>>>> 
>>>>>>>> Does anyone have a contact at TPG regarding their mail servers?>>>>>>>> 
>>>>>>>> We are having issues with their mail servers using non-PCI
>>>>>>>> compliant ciphers which is stopping our servers accepting mail
>>>>>>>> from them.>>>>>>>> 
>>>>>>>> 
>>>>>>>> Regards, 
>>>>>>>> 
>>>>>>>> Bradley Silverman | VentraIP Australia
>>>>>>>> *Technical Operations*
>>>>>>>> 
>>>>>>>>  mobile. +61 418 641 103
>>>>>>>>  phone. +61 3 9013 8464
>>>>>>>> _______________________________________________
>>>>>>>>  AusNOG mailing list AusNOG at lists.ausnog.net
>>>>>>>>  http://lists.ausnog.net/mailman/listinfo/ausnog>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>>> 
>>> _______________________________________________
>>>  AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>> 
>> 
>> 
>>
>> _______________________________________________ AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>> 
> _________________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20180723/7a36529a/attachment.html>

More information about the AusNOG mailing list