LinuxQuestions.org
02-15-2013, 11:31 AM   #1
CincinnatiKid
Member
 
Registered: Jul 2010
Posts: 454

Rep: Reputation: 47
Sendmail - Disable Clear Text Logins


Hello, I am a merchant that is required to be PCI compliant. In a recent security audit I was told that I could not allow unencrypted clear text logins to SMTP. I am running CentOS along with Sendmail. How can I configure this to only allow encrypted logins?
 
02-15-2013, 09:38 PM   #2
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
SMTP is not for logins; it is for mail traffic. Insist your auditor shows you in the PCI standard where each requirement comes from. Some security auditors make up the requirements and should be out of business.

If you're not using inbound mail traffic close the SMTP service. If you are then consider whether you need to use TLS with SMTP (not a PCI expert but I'd be a bit surprised if that's needed).
 
02-18-2013, 11:48 AM   #3
CincinnatiKid
Member
 
Registered: Jul 2010
Posts: 454

Original Poster
Rep: Reputation: 47
The PHP contact form on my website uses the local SMTP server (localhost); I am guessing if I turn off SMTP, this would be broken, right?
 
02-18-2013, 01:04 PM   #4
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
Quote (originally posted by CincinnatiKid):
The PHP contact form on my website uses the local SMTP server (localhost); I am guessing if I turn off SMTP, this would be broken, right?
If you got the mail server to listen only on the localhost address it would still work for outbound mail but you would be unable to receive bounces for mailed mail. Traditional options are "sendmail -bt -q30m" but I like "sendmail -q30m" and using the sendmail binary for outbound mail.

In any case you should be able to convince an auditor SMTP is not for logins.
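For anyone who does need the Sendmail side of this, here is an /etc/mail/sendmail.mc fragment for the CentOS setup the thread describes, with the weak settings next to the hardened ones. It is an added example, not configuration from any post above; the certificate paths are the CentOS defaults and the 127.0.0.1 binding is an assumption that the box only sends (contact form) and does not receive.

```m4
dnl Added example (not from the thread): /etc/mail/sendmail.mc fragment for a
dnl CentOS Sendmail that must not accept AUTH over an unencrypted session.
dnl Assumption: server cert/key live at the CentOS default paths below.

dnl --- Weak: AUTH advertised and accepted on a plaintext connection ------
dnl define(`confAUTH_OPTIONS', `A')dnl
dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl        (listens on all addresses)

dnl --- Hardened ----------------------------------------------------------
dnl Offer STARTTLS so a client can bring up encryption before it tries AUTH.
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

dnl A = honour AUTH= on MAIL FROM only when the client really authenticated
dnl p = refuse PLAIN/LOGIN (sniffable) unless a security layer such as TLS is up
dnl y = refuse mechanisms that allow anonymous login
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl If the host only sends (the PHP contact form case), bind the MTA to
dnl loopback as suggested in post #4, so no AUTH prompt is reachable remotely.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

dnl Rebuild and restart:  make -C /etc/mail && service sendmail restart
dnl Verify from the box itself: a plaintext "EHLO x" over `telnet localhost 25`
dnl must not list PLAIN or LOGIN in its AUTH line (that listing is what a
dnl scanner reports as a cleartext login); with
dnl `openssl s_client -connect localhost:25 -starttls smtp`, an EHLO typed
dnl after the TLS handshake is where PLAIN/LOGIN may appear.
```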
 
02-21-2013, 03:27 PM   #5
CincinnatiKid
Member
 
Registered: Jul 2010
Posts: 454

Original Poster
Rep: Reputation: 47
I had the PCI compliance company rescan my server, and this time they didn't find anything wrong, so I passed PCI compliance. Don't know why it tested for "cleartext smtp logins" before.
 