
For my merchant account they use Trustwave to do PCI scans on my website, and I keep failing because I have port 25 open. Now if I close this port, I pass the Trustwave PCI scan, but then I can't receive any emails from anyone, which is not good! So I then have to open port 25 back up so that I can still receive emails.

I always thought that ports 25/465/587 (SMTP) were used to send emails; why, when I block port 25, can't I receive emails anymore? I thought I received incoming emails through ports 143/993 (IMAP) or 110/995 (POP3)?

My server is currently running Plesk, CentOS, Postfix.

Is there a way I can change this so emails are not received through port 25, so that I can block this port again and pass my Trustwave PCI scan?

Policy Violation
Port: tcp/25

The service running on this port appears to make use of a plaintext (unencrypted) communication channel. The PCI DSS forbids the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentiality and integrity of the data in transit cannot be ensured with any level of certainty.

CVSSv2: AV:A/AC:H/Au:N/C:C/I:C/A:N
Service: postfix:postfix

Evidence:
Details: Unencrypted authentication is allowed prior to TLS negotiation

Plaintext methods allowed: LOGIN,PLAIN

Remediation:
Transition to using more secure alternatives such as SSH instead of Telnet and SFTP in favor of FTP, or consider wrapping less secure services within more secure technologies by utilizing the benefits offered by VPN, SSL/TLS, or IPSec for example. Also, limit access to management protocols/services to specific IP addresses (usually accomplished via a "whitelist") whenever possible.

I tested my SMTP server and these are the results I received:

SMTP -> FROM SERVER:
220 sever.ovh.net ESMTP Postfix
SMTP -> FROM SERVER:
250-server.ovh.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: [email protected]
SMTP -> FROM SERVER: 250 2.1.0 Ok
RCPT TO: [email protected]
SMTP -> FROM SERVER: 554 5.7.1 : Relay access denied
SMTP -> ERROR: RCPT not accepted from server: 554 5.7.1 : Relay access denied

Thank you!

2 Answers


  1. Port 25 is the standard server-to-server mail port. It is how servers transmit mail to each other on the open internet. There is no way to change this.

    The others, 465 and 587, are submission ports for end-user clients to send mail, which will then be transmitted to other servers on port 25.

    POP3 and IMAP ports are for end users to retrieve mail.

    Re: your compliance report: 250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5 should not appear until after TLS has been established, using the STARTTLS command. Until then, it should not be there.

  2. Configure Postfix to not accept plaintext logins.

    Duplicate of https://serverfault.com/questions/389037/disable-smtp-auth-on-port-25 .

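An added check and fix, not part of the question or either answer: a shell function that inspects a raw EHLO reply for exactly what Trustwave flagged (AUTH LOGIN/PLAIN advertised before STARTTLS), and the standard Postfix parameter that removes it. The two EHLO samples are constructed from the output in the question, mail.example.com is a placeholder, and the postconf commands assume root on the Postfix host.

```shell
#!/bin/sh
# Added example, not from the question or the answers.
# Part 1: offline check for what the Trustwave scanner reported, i.e. AUTH
# mechanisms (LOGIN/PLAIN) advertised in the EHLO reply before STARTTLS.
# Reads a raw EHLO reply on stdin; prints a verdict; returns 1 when it fails.
plaintext_auth_before_tls() {
    # Strip CRLF, keep only "250-AUTH ..." / "250 AUTH ..." lines, list mechanisms.
    mechs=$(tr -d '\r' | sed -n 's/^250[- ]AUTH[= ]//p' | tr ' ' '\n' | sort -u)
    # LOGIN and PLAIN send the password as bare base64; CRAM-MD5/DIGEST-MD5 do not,
    # and those are not what the scan flagged.
    found=$(printf '%s\n' "$mechs" | grep -E '^(LOGIN|PLAIN)$' | tr '\n' ',' | sed 's/,$//')
    if [ -n "$found" ]; then
        echo "FAIL: plaintext methods offered before TLS: $found"
        return 1
    fi
    echo "OK: no plaintext AUTH methods advertised before STARTTLS"
}

# Constructed sample: the EHLO reply from the question (hostname as posted).
VULNERABLE_EHLO='250-server.ovh.net
250-PIPELINING
250-STARTTLS
250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
250 DSN'

# Constructed sample: the same server after the fix below; AUTH is withheld
# until STARTTLS completes, so the pre-TLS EHLO lists no mechanism at all.
HARDENED_EHLO='250-server.ovh.net
250-PIPELINING
250-STARTTLS
250 DSN'

# Part 2: the Postfix change the answers point at. smtpd_tls_auth_only = yes makes
# every smtpd service (port 25 included) advertise AUTH only inside TLS. The
# alternative from the linked duplicate is "-o smtpd_sasl_auth_enable=no" on the
# smtp service in master.cf, leaving AUTH on submission (587) and smtps (465) only.
harden_postfix_auth() {
    postconf -e 'smtpd_tls_auth_only = yes'
    postfix reload
}

# Demo on the constructed samples. Against a live server (placeholder hostname):
#   printf 'EHLO check.example\r\nQUIT\r\n' | nc -w 5 mail.example.com 25 | plaintext_auth_before_tls
printf '%s\n' "$VULNERABLE_EHLO" | plaintext_auth_before_tls || true
printf '%s\n' "$HARDENED_EHLO" | plaintext_auth_before_tls
```

Run the live probe before and after `harden_postfix_auth` to confirm the AUTH line has disappeared from the pre-TLS EHLO; the scanner is looking at the same reply.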