
I'm working on an Ubuntu server hosting multiple websites for one company. Trying to get one of the domains to be PCI compliant, but it's failing on port 25 (SMTP) because the SSL certificate hostname doesn't match.

Each domain hosted on the server has its own valid SSL certificate, or some share multi-domain certificates. The PCI scan validates the SSL certificate on port 443.

The mail server is Postfix, and the main.cf config uses a valid wildcard SSL certificate that is used for the "main" domain of the company. The domain I'm trying to validate for PCI is another domain.

I don't really understand how this could be set up to use an SSL certificate on port 25 which will be valid for any domain hosted on this server that needs to pass PCI. This is slightly outside my areas of knowledge at the moment.


TL;DR

www.pci.domain - The domain I'm trying to make PCI compliant (not actual name obviously).

  • Has its own valid certificate /etc/apache2/ssl/certs/other.domain.crt
  • Incoming mail goes to Microsoft Outlook via DNS: MX 10 pci.domain.mail.protection (not sure if this is relevant).

www.other.domain - The company's "main" domain.

  • Has its own valid wildcard certificate /etc/apache2/ssl/certs/other.domain.wildcard.crt

Postfix uses the certificate of other.domain at the moment, which is obviously not valid for pci.domain or any other domains when the PCI scan tries to verify that port 25 is secure for those other domains.

BadHorsie
  • Why is incoming mail being handled in your cardholder data environment? Move that mail server somewhere else. – Michael Hampton Dec 21 '18 at 17:29
  • @MichaelHampton I don't know, that's just how it is currently set up. Incoming mail is routed to Microsoft's Outlook server. Can you elaborate? I don't understand mail particularly well, I have never set up SMTP. – BadHorsie Dec 21 '18 at 17:32
  • Why is there a Postfix mail server running on this machine accepting incoming mail to begin with, if the mail is supposed to be going to O365? And if the machine is supposed to be handling cardholder data. – Michael Hampton Dec 21 '18 at 17:35
  • @MichaelHampton I'm not sure, maybe used for server admin mailboxes or something? To clarify, the mailboxes associated with the website(s) are at Outlook. I mean, even if the server needs its own mail server, is this not PCI compliant? If I stop Postfix, the SSL scan will just say the server does not have SSL/TLS encryption on port 25. – BadHorsie Dec 21 '18 at 17:40
  • If you stop Postfix, there won't be anything listening on port 25, which is what I would expect to see. You need to go find out why there is a mail server running on this machine accepting incoming mail before you go further. – Michael Hampton Dec 21 '18 at 17:46
  • @MichaelHampton So it's not being used for anything really as far as I can see. Not being used for any email, which is all being handled by Outlook. I still don't understand how I am supposed to pass the PCI compliance scan which is looking at port 25 security though. What if the server needs to send outgoing mail itself? Are you saying that no PCI compliant websites send mail from the same host machine? – BadHorsie Dec 21 '18 at 17:57
  • If it isn't accepting incoming mail and isn't meant to, then reconfigure it to listen only on localhost (the default) and send only. – Michael Hampton Dec 21 '18 at 18:00
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/87371/discussion-between-badhorsie-and-michael-hampton). – BadHorsie Dec 21 '18 at 18:03
  • First of all, check which process is listening on port 25, using: `netstat -tulpn | grep 25`. If Postfix is running, it could look like: `tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 12629/postscreen`. Killing Postfix should remove this line from the output of netstat. If not...!?!? – Ingvar J Dec 27 '18 at 13:36
  • Next, your question regarding multiple domains running (mail) on one server needing PCI compliance. The FQDN of the mail server, as exposed via smtpd, does NOT need to be in the same domain as the recipient mailboxes. The FQDN of the mail server MUST match the DNS MX record for the domain it is configured to handle. – Ingvar J Dec 27 '18 at 13:37
  • The SSL cert configured for the Postfix host must match the FQDN and MX name. To test your Postfix server's FQDN reply, run: `telnet localhost 25`. The reply should be something like `Escape character is '^]'. 220 mymailserver.domain.com ESMTP Postfix`. Check in /etc/postfix/main.cf for `smtpd_tls_cert_file` for the location of the active certificate. To verify which certificate is published, use: `openssl s_client -showcerts -connect localhost:25 -starttls smtp` – Ingvar J Dec 27 '18 at 13:37
  • @IngvarJ Thank you. If I stop Postfix the PCI scan now passes. However, I don't feel that solves the root issue. The mail server FQDN is **example.com** and is also configured to use that domain's wildcard certificate **\*.example.com**. The MX record is **10 example.com, 32767 ms81020967.msv1.invalid**. So is there an issue with the wildcard certificate being **\*.example.com** not **example.com**, or with the MX record? The cert should have a SAN for **example.com** without the wildcard part. – BadHorsie Jan 02 '19 at 12:32
  • You can use external site https://mxtoolbox.com to verify DNS settings and mail server behaviour. Then you can use https://www.checktls.com/ to verify how your mailserver responds and the certificates validity. Just enter the domain name (the mailserver is configured to handle in the MX record) – Ingvar J Jan 02 '19 at 14:08
  • The latter test will verify if the wildcard cert is valid for the FQDN used by the host. It is a simple way to verify. Some wildcard certs include both "*.example.com" and "example.com". – Ingvar J Jan 02 '19 at 14:15
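The name-matching question in the last few comments (does a `*.example.com` wildcard cover the bare `example.com` that Postfix announces and the MX points at, and does the certificate served on port 25 cover anything under the domain the scanner is testing?) can be worked through offline. The following is an added example, not code from the question or the comments. The SAN lists, 220-banner name and MX targets are constructed from the thread (`example.com` stands in for the company's main domain, `pci.domain` for the domain being scanned); the `openssl` and `dig` commands in the docstring are the ones you would run to get the live values.

```python
"""Does the certificate Postfix presents on port 25 cover the names a PCI
scanner or a sending MTA will verify against?

Added example for this thread, not code from the question or the comments.
The SAN lists, 220-banner name and MX targets below are constructed from the
discussion. For a real check replace them with the live values:

    # names actually served on port 25 (the -ext option needs OpenSSL 1.1.1+)
    openssl s_client -connect mail.example.com:25 -starttls smtp </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
    # names clients will expect: the 220 banner (myhostname) and the MX targets
    dig +short MX example.com
"""
import re


def parse_dns_sans(openssl_san_text):
    """Extract the DNS: entries from `openssl x509 -ext subjectAltName` output."""
    return re.findall(r"DNS:([^,\s]+)", openssl_san_text)


def san_matches(san, hostname):
    """Match one dNSName SAN against a hostname the way RFC 6125 / RFC 2818
    clients do: case-insensitive, trailing dot ignored, a wildcard honoured only
    as the whole left-most label, and that wildcard stands for exactly one
    label. Hence '*.example.com' covers 'mail.example.com' but neither
    'example.com' (no label for the wildcard) nor 'a.b.example.com' (two)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname                      # plain name: exact match only
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    return (len(host_labels) == len(san_labels)
            and host_labels[0] != ""
            and host_labels[1:] == san_labels[1:])


def cert_covers(sans, hostname):
    """True if any SAN in the certificate matches the hostname."""
    return any(san_matches(san, hostname) for san in sans)


def uncovered_names(sans, expected_names):
    """Names a client may verify against that the certificate does not cover.
    An empty result is what the port-25 hostname check needs."""
    return [name for name in expected_names if not cert_covers(sans, name)]


# Constructed sample of the openssl output for a wildcard cert that also
# carries the apex name as a SAN (the "some wildcard certs include both" case).
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:*.example.com, DNS:example.com
"""

# Scenario from the comments: Postfix greets as "220 example.com ESMTP Postfix",
# the MX for example.com is example.com, the cert is the *.example.com wildcard.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = parse_dns_sans(SAMPLE_SAN_OUTPUT)
MAIN_DOMAIN_EXPECTED = ["example.com"]            # banner name and MX target
# The scanner that connected to the pci.domain site's address on port 25 is
# handed the same certificate, which names nothing under pci.domain at all.
PCI_DOMAIN_EXPECTED = ["www.pci.domain", "pci.domain"]


def report(label, sans, expected):
    """Print one scenario and return the list of names the cert fails to cover."""
    missing = uncovered_names(sans, expected)
    verdict = "OK" if not missing else "MISMATCH, not covered: " + ", ".join(missing)
    print(f"{label}: cert names {sans} vs expected {expected} -> {verdict}")
    return missing


if __name__ == "__main__":
    report("wildcard only, main domain", WILDCARD_ONLY, MAIN_DOMAIN_EXPECTED)
    report("wildcard + apex, main domain", WILDCARD_PLUS_APEX, MAIN_DOMAIN_EXPECTED)
    report("wildcard + apex, pci.domain", WILDCARD_PLUS_APEX, PCI_DOMAIN_EXPECTED)
```

Run it as-is to see the three scenarios: the bare wildcard fails for `example.com`, the wildcard plus apex SAN passes for the main domain, and neither covers `pci.domain`. Two practical points follow from this. First, SMTP clients and scanners frequently send no SNI on port 25, so unlike port 443 a single certificate has to carry every name a connecting party might check (Postfix 3.4 and later can serve per-name certificates via `tls_server_sni_maps`, but only to clients that do send SNI). Second, if the host is never meant to receive mail, the reconfiguration suggested in the comments corresponds to `inet_interfaces = loopback-only` in /etc/postfix/main.cf followed by `postfix reload`; nothing is then reachable on port 25 from outside, and the scanner has no TLS endpoint there to find fault with.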

0 Answers