For my merchant account they use Trustwave to do PCI scans on my website, and I keep failing because I have port # 25 open. Now if I close this port, I pass the Trustwave PCI scan, but then I can't receive any emails from anyone, which is not good! So I then have to open port 25 back up so that I can still receive emails.
I always thought that ports # 25/465/587 (SMTP) were used to send emails; why can't I receive emails anymore when I block port # 25? I thought I receive incoming emails through port # 143/993 (IMAP) or port # 110/995 (POP3)?
My server is currently running Plesk, CentOS, Postfix.
Is there a way I can change this so emails are not received through port # 25, so that I can block this port # again and pass my Trustwave PCI scan?
Policy Violation Port: tcp/25
The service running on this port appears to make use of a plaintext (unencrypted) communication channel. The PCI DSS forbids the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentially and integrity of the data in transit cannot be ensured with any level of certainty.
CVSSv2: AV:A/AC:H/Au:N/C:C/I:C/A:N
Service: postfix:postfix
Evidence: Details: Unencrypted authentication is allowed prior to TLS negotiation
Plaintext methods allowed: LOGIN,PLAIN
Remediation: Transition to using more secure alternatives such as SSH instead of Telnet and SFTP in favor of FTP, or consider wrapping less secure services within more secure technologies by utilizing the benefits offered by VPN, SSL/TLS, or IPSec for example. Also, limit access to management protocols/services to specific IP addresses (usually accomplished via a "whitelist") whenever possible.
I tested my SMTP server and these are the results I received:
SMTP -> FROM SERVER:
220 sever.ovh.net ESMTP Postfix
SMTP -> FROM SERVER:
250-server.ovh.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: info@domain.com
SMTP -> FROM SERVER: 250 2.1.0 Ok
RCPT TO: jsmith@gmail.com
SMTP -> FROM SERVER:
554 5.7.1 : Relay access denied
SMTP -> ERROR: RCPT not accepted from server: 554 5.7.1 : Relay access denied
Thank you!
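The scanner evidence quoted above ("Unencrypted authentication is allowed prior to TLS negotiation", "Plaintext methods allowed: LOGIN,PLAIN") can be reproduced from the cleartext EHLO reply alone. The check below is an added example, not part of the original post: `parse_ehlo` and `assess` are hypothetical names, `PAGE_EHLO` is the reply quoted in the post, and `HARDENED_EHLO` is a constructed sample.

```python
import re

# Mechanisms that send the password itself (base64 is encoding, not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# EHLO reply exactly as quoted in the post (received before any STARTTLS).
PAGE_EHLO = """250-server.ovh.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed sample: a server that offers AUTH only after TLS is negotiated.
HARDENED_EHLO = "250-mail.example.test\n250-PIPELINING\n250-STARTTLS\n250 DSN"

def parse_ehlo(reply):
    """Parse a multi-line EHLO reply into {KEYWORD: [PARAMS]}."""
    lines = [l.strip() for l in reply.strip().splitlines() if l.strip()]
    caps = {}
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        # Every line is '250-...' except the last one, which is '250 ...'.
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError(f"bad continuation marker: {line!r}")
        if i == 0:
            continue  # first line is the server name, not a capability
        # Some servers also advertise the legacy 'AUTH=PLAIN LOGIN' form.
        words = m.group(3).replace("=", " ").split()
        if words:
            caps.setdefault(words[0].upper(), []).extend(w.upper() for w in words[1:])
    return caps

def assess(cleartext_ehlo):
    """Report what the scanner flags, given the EHLO reply seen before TLS."""
    caps = parse_ehlo(cleartext_ehlo)
    exposed = sorted(PLAINTEXT_MECHS & set(caps.get("AUTH", [])))
    return {"starttls_offered": "STARTTLS" in caps,
            "plaintext_auth_before_tls": exposed,
            "finding": bool(exposed)}

if __name__ == "__main__":
    print(assess(PAGE_EHLO))
    print(assess(HARDENED_EHLO))
```

On Postfix, `smtpd_tls_auth_only = yes` in `main.cf` stops AUTH from being announced or accepted before STARTTLS, which is the condition this check reports; port 25 itself stays open for incoming mail.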