Server PCI Compliance – Mail Server Plain Text Authentication


When running a PCI scan on your server you may receive a warning similar to the following:

Description: PCI DSS Compliance : Insecure Communication Has Been Detected

Synopsis: An insecure port, protocol or service has been detected.

Impact: Applications that fail to adequately encrypt network traffic using strong cryptography are at increased risk of being compromised and exposing cardholder data. If an attacker is able to exploit weak cryptographic processes, he/she may be able to gain control of an application or even gain clear-text access to encrypted data.

Data Received: The SMTP server advertises the following SASL methods over an unencrypted channel :

All supported methods : PLAIN, LOGIN
Cleartext methods : PLAIN, LOGIN

Resolution: Properly encrypt all authenticated and sensitive communications.

Risk Factor: Medium / CVSS2 Base Score: 4.0

This is caused by your mail server allowing clients to authenticate with the plaintext PLAIN and LOGIN methods over an unencrypted connection, so the password itself crosses the network in the clear. There are two options to resolve this issue from WHM, both of which are really easy to do.

The first option is to turn the mail server off completely. If the site is large enough to be running on a VPS or dedicated server which needs PCI compliance, it is probable that you are using another solution for company email. Turning the mail server off will save resources and may remove some other PCI fails.

To turn the server off, in WHM select Service Configuration > Mail Server Selection. From here you will be able to select your preferred mail server. Choose Disabled to turn off the mail server.

If the mail server is required, you can turn off plaintext authentication in WHM from Service Configuration > Mail Server Configuration. From here you will see the option to change Allow Plaintext Authentication. Set this to No.
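A way to confirm the change from the outside, as an added example that is not part of the original post: it repeats the scanner's own test (a plain EHLO on port 25 with no STARTTLS) and reports whether PLAIN or LOGIN are still advertised. The host and port are assumptions, and the embedded EHLO reply is constructed to look like the failing case.

```python
import socket
import sys

# Constructed sample EHLO reply in the shape the scanner complained about:
# AUTH PLAIN LOGIN is offered before STARTTLS has been negotiated.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.com Hello scanner [203.0.113.5]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

# SASL mechanisms that send the password in the clear (the two the scan listed).
CLEARTEXT_METHODS = {"PLAIN", "LOGIN"}

def parse_ehlo_auth(reply):
    """Return the set of SASL mechanisms named on AUTH lines of an EHLO reply."""
    methods = set()
    for line in reply.splitlines():
        # Extension lines look like "250-AUTH PLAIN LOGIN" or "250 AUTH PLAIN LOGIN".
        if len(line) > 4 and line[:3] == "250" and line[3] in "- ":
            ext = line[4:].strip().upper()
            if ext.startswith("AUTH ") or ext.startswith("AUTH="):
                methods.update(ext[5:].split())
    return methods

def cleartext_methods_advertised(reply):
    """The advertised mechanisms that would carry the password unencrypted."""
    return parse_ehlo_auth(reply) & CLEARTEXT_METHODS

def read_reply(sock):
    """Read one (possibly multi-line) SMTP reply; the last line has a space after the code."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        lines = data.decode(errors="replace").splitlines()
        if lines and len(lines[-1]) >= 4 and lines[-1][3] == " ":
            break
    return data.decode(errors="replace")

def check_server(host, port=25, timeout=10):
    """Connect without TLS, send EHLO, and return the cleartext AUTH methods offered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        read_reply(sock)  # 220 banner
        sock.sendall(b"EHLO pci-check.invalid\r\n")
        reply = read_reply(sock)
        sock.sendall(b"QUIT\r\n")
    return cleartext_methods_advertised(reply)

if __name__ == "__main__":
    # With a hostname argument the live server is checked; otherwise the sample reply is used.
    found = check_server(sys.argv[1]) if len(sys.argv) > 1 else cleartext_methods_advertised(SAMPLE_EHLO_REPLY)
    print("cleartext AUTH before STARTTLS:", sorted(found) or "none (pass)")
```

An empty result after the WHM change means the server no longer offers PLAIN or LOGIN on the unencrypted channel, which is what the scanner is testing for.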