For my merchant account they use Trustwave to do PCI scans on my website and I keep failing because I have port # 25 open. Now if I close this port, I pass the Trustwave PCI scan but then I can’t receive any emails from anyone; which is not good! So I then have to open port 25 back up this way I can still receive emails.
I always thought that port # 25/465/587 (SMTP) were used to send emails; why when I block port # 25 I can’t receive emails anymore? I thought I receive incoming emails through port # 143/993 (IMAP) or port # 110/995 (POP3)?
My server is currently running Plesk, CentOS, Postfix.
Is there a way I can change this so emails are not received through port # 25 this way I can block this port # again and pass my Trustwave PCI scan?
Policy Violation
Port: tcp/25
The service running on this port appears to make use of a plaintext (unencrypted) communication channel. The PCI DSS forbids the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentiality and integrity of the data in transit cannot be ensured with any level of certainty.
CVSSv2: AV:A/AC:H/Au:N/C:C/I:C/A:N
Service: postfix:postfix
Evidence:
Details: Unencrypted authentication is allowed prior to TLS negotiation
Plaintext methods allowed: LOGIN,PLAIN
Remediation:
Transition to using more secure alternatives such as SSH instead of
Telnet and SFTP in favor of FTP, or consider wrapping less secure
services within more secure technologies by utilizing the benefits
offered by VPN, SSL/TLS, or IPSec for example. Also, limit access to
management protocols/services to specific IP addresses (usually
accomplished via a "whitelist") whenever possible.
I tested my SMTP server and these are the results I received:
SMTP -> FROM SERVER:
220 sever.ovh.net ESMTP Postfix
SMTP -> FROM SERVER:
250-server.ovh.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: [email protected]
SMTP -> FROM SERVER: 250 2.1.0 Ok
RCPT TO: [email protected]
SMTP -> FROM SERVER: 554 5.7.1 : Relay access denied
SMTP -> ERROR: RCPT not accepted from server: 554 5.7.1 : Relay access denied
Thank you!
2 Answers
Port 25 is the standard server-to-server mail port. It is how servers transmit mail to each other on the open internet. There is no way to change this.
The others, 465 and 587 are submission ports for end-user clients to send mail, which will then be transmitted to other servers on port 25.
POP3 and IMAP ports are for end users to retrieve mail.
Re: your compliance report:
250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
should not appear until after TLS has been established, using the STARTTLS command. Until then, it should not be there. Configure Postfix to not accept plaintext logins.
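The check the scanner performs is simple to reproduce yourself: read the EHLO capability list a server advertises before STARTTLS and see whether an AUTH line is in it. The following is an added example, not part of the original question or answers; it parses the EHLO reply quoted in the question (embedded here as constructed sample data, alongside a constructed "fixed" reply) and reports whether authentication is offered on the unencrypted channel. The `probe_live_server` helper is assumed to be run only against your own MTA and is not exercised by the offline samples.

```python
import re
import smtplib

# Constructed sample: the pre-TLS EHLO reply from the question, copied as data.
SAMPLE_EHLO = """250-server.ovh.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed sample of what a port-25 listener should advertise before TLS:
# STARTTLS is offered, AUTH is not announced at all until the channel is encrypted.
SAMPLE_EHLO_FIXED = """250-server.ovh.net
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# SASL mechanisms that send the credential (or a trivially decodable form of it)
# in the clear; these are the ones the scan report named.
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}

# Accepts both raw "250-KEYWORD ..." lines and lines with the code already
# stripped (smtplib stores the reply without the numeric prefix).
_CAP_LINE = re.compile(r"^(?:250[- ])?(\S+)(?:\s+(.*))?$")


def parse_ehlo(text):
    """Map each EHLO keyword to its parameter list.

    The first line of an EHLO reply is the server's hostname, not a capability,
    so it is skipped.
    """
    caps = {}
    for index, line in enumerate(text.splitlines()):
        if index == 0:
            continue
        match = _CAP_LINE.match(line.strip())
        if not match:
            continue
        caps[match.group(1).upper()] = (match.group(2) or "").split()
    return caps


def assess_pre_tls_ehlo(text):
    """Assess the capabilities a server offers on the unencrypted channel.

    Returns a dict: whether STARTTLS is offered, whether any AUTH mechanism is
    announced before TLS, which of those are plaintext, and whether the listener
    passes the check (no AUTH at all before STARTTLS, as the answer above requires).
    """
    caps = parse_ehlo(text)
    mechs = {m.upper() for m in caps.get("AUTH", [])}
    return {
        "starttls_offered": "STARTTLS" in caps,
        "auth_before_tls": bool(mechs),
        "plaintext_mechs": sorted(mechs & PLAINTEXT_MECHS),
        "passes": not mechs,
    }


def probe_live_server(host, port=25, timeout=10):
    """Run the same assessment against a live MTA's pre-TLS EHLO reply.

    Assumed to be pointed at your own server; needs network access, so the
    offline samples above do not exercise it.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, message = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {message!r}")
        # ehlo_resp holds the multi-line reply as bytes, without the 250- prefixes.
        return assess_pre_tls_ehlo(smtp.ehlo_resp.decode("utf-8", "replace"))


if __name__ == "__main__":
    print("as reported :", assess_pre_tls_ehlo(SAMPLE_EHLO))
    print("after fix   :", assess_pre_tls_ehlo(SAMPLE_EHLO_FIXED))
```

On the Postfix side, the corresponding settings are `smtpd_tls_auth_only = yes` in main.cf, which makes Postfix announce AUTH only after STARTTLS has completed, or, more strictly, `smtpd_sasl_auth_enable = no` in main.cf with `-o smtpd_sasl_auth_enable=yes` and `-o smtpd_tls_security_level=encrypt` set on the submission (port 587) entry in master.cf, so that port 25 never offers authentication at all and clients authenticate only over an encrypted submission port. Since Plesk manages the Postfix configuration on this server, verify after a Plesk update or configuration rebuild that the setting is still in place by re-running the probe against port 25.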
Duplicate of https://serverfault.com/questions/389037/disable-smtp-auth-on-port-25 .