
For my merchant account they use Trustwave to do PCI scans on my website and I keep failing because I have port # 25 open. Now if I close this port, I pass the Trustwave PCI scan but then I can't receive any emails from anyone; which is not good! So I then have to open port 25 back up this way I can still receive emails.

I always thought that ports # 25/465/587 (SMTP) were used to send emails; why, when I block port # 25, can't I receive emails anymore? I thought I received incoming emails through port # 143/993 (IMAP) or port # 110/995 (POP3)?

My server is currently running Plesk, CentOS, Postfix.

Is there a way I can change this so emails are not received through port # 25 this way I can block this port # again and pass my Trustwave PCI scan?

Policy Violation Port: tcp/25

The service running on this port appears to make use of a plaintext (unencrypted) communication channel. The PCI DSS forbids the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentiality and integrity of the data in transit cannot be ensured with any level of certainty.

CVSSv2: AV:A/AC:H/Au:N/C:C/I:C/A:N Service: postfix:postfix

Evidence: Details: Unencrypted authentication is allowed prior to TLS negotiation

Plaintext methods allowed: LOGIN,PLAIN

Remediation: Transition to using more secure alternatives such as SSH instead of Telnet and SFTP in favor of FTP, or consider wrapping less secure services within more secure technologies by utilizing the benefits offered by VPN, SSL/TLS, or IPSec for example. Also, limit access to management protocols/services to specific IP addresses (usually accomplished via a "whitelist") whenever possible.

I tested my SMTP server and these are the results I received:

```
SMTP -> FROM SERVER:
220 sever.ovh.net ESMTP Postfix
SMTP -> FROM SERVER:
250-server.ovh.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: info@domain.com
SMTP -> FROM SERVER: 250 2.1.0 Ok
RCPT TO: jsmith@gmail.com
SMTP -> FROM SERVER: 554 5.7.1 : Relay access denied
SMTP -> ERROR: RCPT not accepted from server: 554 5.7.1 : Relay access denied
```

Thank you!

olimits7
  • It's not possible to receive emails on a port other than 25. See [this question](http://serverfault.com/q/216959/17420) for more information. – legoscia Mar 12 '15 at 14:57
  • Hi, thanks for the link! I still can't wrap my head around receiving emails on port 25. I thought port 25 is used to only send out emails from my server. And when I try to Google search for an article talking about "receiving emails on port 25" I don't find anything. All page just talk about sending emails on port 25. Do you know of a link that I can look at that talks about how port 25 is used to receive emails too? – olimits7 Mar 12 '15 at 15:16
  • When one mail server sends mail to another, they use the receiver's port 25. If your server sends mail to someone it uses that server's port 25, when someone else sends mail to your server it uses your port 25. If you want to change that, you have to talk to anyone who expects to use port 25. – arnt Mar 12 '15 at 16:58

2 Answers

Port 25 is the standard server-to-server mail port. It is how servers transmit mail to each other on the open internet. There is no way to change this.

The others, 465 and 587, are submission ports for end-user clients to send mail, which will then be transmitted to other servers on port 25.

POP3 and IMAP ports are for end users to retrieve mail.

Re: your compliance report: `250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5` should not appear until after TLS has been established, using the STARTTLS command. Until then, it should not be there.

Max
  • Ok, thank you for this explanation this makes more sense to me! – olimits7 Mar 12 '15 at 15:27
  • Please see block quote I added above that I received in my Trustwave report. I just don't know how I can fix this; if I close port # 25 I don't receive any emails. If I leave port # 25 open I fail the Trustwave PCI scan. Any thoughts of what I can do to resolve this issue? – olimits7 Mar 12 '15 at 15:33
  • If you accept authentication on port 25, you should require STARTTLS before authenticating. This should be configurable in your server. – Max Mar 12 '15 at 16:31
  • Ok, thank you...do you think by doing this it would fix the **Unencrypted authentication is allowed prior to TLS negotiation** fail I keep receiving from Trustwave PCI scan? – olimits7 Mar 12 '15 at 17:01
  • Ok, ty...I'll let my server admin see this and see if he is able to fix this issue. – olimits7 Mar 12 '15 at 17:56
  • Please see my original post above - I just tried testing my SMTP server and it looks like STARTTLS is already listed but I still fail the Trustwave PCI scan...any thoughts? – olimits7 Mar 12 '15 at 19:24
  • Yes but does it also say auth *before* starttls is negotiated? It does, and that's why you're failing. It should not allow auth until starttls has been used. – Max Mar 12 '15 at 23:44
  • Ok, thank you...based on my SMTP server response above how should this show up as to show that STARTTLS has been used first? I just want to see an example of what the proper way this should look like. – olimits7 Mar 12 '15 at 23:49
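The last comment asks what a correct exchange looks like. The following is an added example (not code from this thread, from Trustwave, or from Postfix) that shows the difference Max describes: it parses EHLO capability replies in the raw `250-` form quoted in the question, flags any `AUTH LOGIN`/`PLAIN` advertised before STARTTLS, and contrasts the failing reply with a constructed compliant pair (no AUTH on the first EHLO, AUTH only on the second EHLO issued after the TLS handshake). The `probe()` function runs the same check live against a host you administer using the standard library; its `host`/`port` parameters are the example's own.

```python
"""Check whether an SMTP server offers AUTH before STARTTLS.

Added example, not code from the Server Fault thread. It parses EHLO
capability replies in the raw "250-..." form quoted in the question and
flags plaintext authentication (AUTH LOGIN/PLAIN) advertised on the
unencrypted channel, which is the condition the Trustwave finding
describes. probe() repeats the check live against a host you operate.
"""
import re
import smtplib
import ssl

# Constructed sample: the pre-STARTTLS EHLO reply quoted in the question.
FAILING_PRE_TLS = """\
250-server.ovh.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed sample: a compliant server's reply to the first EHLO.
# STARTTLS is offered, but no AUTH line is present yet.
PASSING_PRE_TLS = """\
250-server.ovh.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed sample: the same server's reply to the second EHLO, which the
# client must send again after the TLS handshake. Only now is AUTH offered.
PASSING_POST_TLS = """\
250-server.ovh.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

EHLO_LINE = re.compile(r"^250[- ](.*)$")


def parse_ehlo(reply):
    """Map a raw multi-line 250 EHLO reply to {KEYWORD: [PARAMS...]}."""
    bodies = []
    for raw in reply.splitlines():
        match = EHLO_LINE.match(raw.strip())
        if match:
            bodies.append(match.group(1).strip())
    caps = {}
    for body in bodies[1:]:  # bodies[0] is the server hostname, not a capability
        if body:
            keyword, *params = body.split()
            caps[keyword.upper()] = [p.upper() for p in params]
    return caps


def assess(pre_tls_reply, post_tls_reply=""):
    """Summarise what the scanner looks at: AUTH offered before vs. after TLS."""
    pre = parse_ehlo(pre_tls_reply)
    post = parse_ehlo(post_tls_reply) if post_tls_reply else {}
    pre_auth = pre.get("AUTH", [])
    return {
        "starttls_offered": "STARTTLS" in pre,
        "plaintext_auth_pre_tls": [m for m in pre_auth if m in ("LOGIN", "PLAIN")],
        "auth_post_tls": post.get("AUTH", []),
        # Passing condition: TLS is offered and no mechanism at all is
        # advertised until it has been negotiated.
        "auth_only_after_tls": "STARTTLS" in pre and not pre_auth,
    }


def probe(host, port=25, timeout=10):
    """Live version for a server you administer: EHLO, STARTTLS, EHLO again.

    smtplib strips the 250- prefixes and exposes capabilities through
    esmtp_features, so this path does not use parse_ehlo(). The default SSL
    context verifies the certificate, so a self-signed one makes starttls()
    raise instead of silently continuing.
    """
    findings = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        findings["starttls_offered"] = smtp.has_extn("starttls")
        findings["auth_pre_tls"] = smtp.esmtp_features.get("auth", "").upper().split()
        findings["auth_post_tls"] = []
        if findings["starttls_offered"]:
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # capabilities must be re-read after the handshake
            findings["auth_post_tls"] = smtp.esmtp_features.get("auth", "").upper().split()
    findings["auth_only_after_tls"] = (
        findings["starttls_offered"] and not findings["auth_pre_tls"]
    )
    return findings


if __name__ == "__main__":
    print("question's server:", assess(FAILING_PRE_TLS))
    print("compliant server :", assess(PASSING_PRE_TLS, PASSING_POST_TLS))
```

On the Postfix side, the setting that produces the compliant shape is `smtpd_tls_auth_only = yes` in `main.cf`, which makes Postfix withhold the AUTH capability from the EHLO reply until STARTTLS has completed. The stricter option, and the one the scanner can never trip on, is `smtpd_sasl_auth_enable = no` in `main.cf` so that port 25 offers no AUTH at all, with `-o smtpd_sasl_auth_enable=yes` added only to the submission (587) service entry in `master.cf` where end-user clients authenticate.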

Configure Postfix to not accept plaintext logins.

Duplicate of https://serverfault.com/questions/389037/disable-smtp-auth-on-port-25.

Jan Kundrát