PCI Compliance

PCI Compliance

jonnytabpni

Hi Folks,

Any ideas on how to set up an "SMTP Proxy Server" to attain PCI Compliance? I literally need postfix to just pass through mail to our ISP's smtp server. We would then set outlook to use this local smtp proxy server.

I'm not entirely sure if a "relay" server is good here, as how would that handle bounced mail??

Thanks,

Jonathan

Re: PCI Compliance

Barney Desmond
On 18 March 2010 21:57, Jonathan Tripathy <[hidden email]> wrote:
> Any ideas on how to set up an "SMTP Proxy Server" to attain PCI Compliance?
> I literally need postfix to just pass through mail to our ISP's smtp server.
> We would then set outlook to use this local smtp proxy server.

I work for a hosting company, we find it's usually an iterative
process. This particular question hasn't come up yet (for an SMTP
server), but it'd go something like this:

1. Customer needs certification for a contract, so they hire a company
to perform a PCI audit scan
2. The scan finds "problems", so they come to us with the report,
which says how to fix the problems
3. We read the report, and find things like "server exposes its
hostname in the greeting banner", or "server appears to allow the use
of the VRFY command".
4. We sigh, then go through the motions to "fix" the "problems".
Sometimes the problem descriptions are hopelessly vague, like "this
system /may/ be vulnerable to a known buffer overflow", and the system
is fully patched and up to date. Can't do much about these, so we tell
our customer to take it up with the auditor.
5. Rinse and repeat until all perceived problems are fixed, and/or the
customer stops hassling. :)

So, my apologies that this doesn't really answer your question. If you
need compliance certification then you'll need an audit anyway, at
which point you find out what the requirements are.

It's not trivial to simply look up the requirements, because...
PCI-DSS doesn't actually cover specific implementation details. It's
sufficiently vague (probably by design) so that it'll stay relevant
as time goes on, and so that current best practices are followed. Have
a look at the PCI spec, it's only half a meg in PDF:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Page 4 is a summary of what you really need to know. Page 6 mentions
segmentation to reduce the scope of what needs to comply - this is
your best bet (if feasible) to sidestep compliance for your mail
server. If you enjoy some light humour, we've elaborated on the
aforementioned process a little:
http://www.anchor.com.au/blog/2008/12/saas-security-scanning-as-a-service/

> I'm not entirely sure if a "relay" server is good here, as how would that
> handle bounced mail??

Indeed, you want to avoid more relays if you can, both for
administration and compliance reasons. Bounced mail isn't so bad, so
long as there's a return path to the sender's mailbox. A naive example
of how this might work:

Sending: outlook -> workstation -> PCI-compliant relay -> ISP's SMTP
server -> recipient
*it bounces because the recipient's mailbox is full*
Recipient -> MX lookup -> Your incoming SMTP server (maybe this is at
your ISP) -> The sender's mailbox -> Picked up by outlook

Re: PCI Compliance

J. Roeleveld
On Thursday 18 March 2010 13:26:43 Barney Desmond wrote:
> On 18 March 2010 21:57, Jonathan Tripathy <[hidden email]> wrote:

<snipped>

> 3. We read the report, and find things like "server exposes its
> hostname in the greeting banner", or "server appears to allow the use
> of the VRFY command".

Does this mean that the service-desk of companies are not compliant either?

1) Check in phonebook for number of VISA credit card service desk
2) Call listed number

They then will answer with:
"Hello, thank you for calling VISA credit card service desk, <insert name>
speaking, how may I help you?"

Me: Hi, can you please direct me to <insert other name here>

How is this different from:

**
$ telnet mail.isp.com 25
Trying 10.1.4.50...
Connected to mail.isp.com.
Escape character is '^]'.
220 mailer.isp.com ESMTP Postfix
MAIL TO <user>
MAIL TO OK
**
I guessed the last 2 lines, but I think it shows what I mean? :)

--
Joost Roeleveld

Re: PCI Compliance

Barney Desmond
On 18 March 2010 23:59, J. Roeleveld <[hidden email]> wrote:
> Does this mean that the service-desk of companies are not compliant either?

Hehe, in a way. Social engineering is thankfully(?) outside the scope
of PCI-DSS compliance.

> 1) Check in phonebook for number of VISA credit card service desk
> 2) Call listed number
>
> They then will answer with:
> "Hello, thank you for calling VISA credit card service desk, <insert name>
> speaking, how may I help you?"
>
> Me: Hi, can you please direct me to <insert other name here>
>
> How is this different from:
>
> **
> $ telnet mail.isp.com 25
> Trying 10.1.4.50...
> Connected to mail.isp.com.
> Escape character is '^]'.
> 220 mailer.isp.com ESMTP Postfix
> MAIL TO <user>
> MAIL TO OK
> **
> I guessed the last 2 lines, but I think it shows what I mean? :)

Exactly! Disabling VRFY gains nothing because you can test with RCPT
TO instead. There will always be some debate about the value of this
measure ("why not disable it if we can?" vs. "why *bother* if we don't
have to?") - just ignore it and do whatever has to be done, there are
better things to waste energy on.

FW: PCI Compliance

jonnytabpni
In reply to this post by Barney Desmond
Thanks for the long reply, it's appreciated. But..

The network I am dealing with is very small and simple. I am aware about the PCI scans, and I have done some in the past. Thankfully, regarding this case, I only need an "SMTP Proxy" to be placed in the DMZ, as computers inside the CDE (Cardholder Data Environment) aren't allowed to connect to hosts on the internet.

Literally, all I need to do, is place an HTTP proxy (Squid), an SMTP Proxy, and a POP3 Proxy in the DMZ, and that's me. Of course, block all ports into and out of the CDE, except allow CDE to connect to SMTP proxy, POP3 Proxy and Squid Proxy.

Now, of course, there are other things in the PCI DSS, such as policies and processes, however these are out of my scope, as I'm just an external I.T. guy.

BTW, the machines in the CDE will all have anti-virus and automatic updates enabled.

So, back to postfix, can it do such a thing? Act as a "proxy" and not a "store and forward relay"



Re: FW: PCI Compliance

Reinaldo Gil Lima de Carvalho
On Thu, Mar 18, 2010 at 10:53 AM, Jonathan Tripathy <[hidden email]> wrote:
>
> BTW, the machines in the CDE will all have anti-virus and automatic updates
> enabled.
>
> So, back to postfix, can it do such a thing? Act as a "proxy" and not a
> "store and forward relay"
>
>
>

In theory you can use 'smtpd_proxy_filter'.

http://www.postfix.org/postconf.5.html#smtpd_proxy_filter


--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather
yourself to the way the software works" (myself)

Re: FW: PCI Compliance

Mark Goodge
In reply to this post by jonnytabpni
On 18/03/2010 13:53, Jonathan Tripathy wrote:
>
> So, back to postfix, can it do such a thing? Act as a "proxy" and not a
> "store and forward relay"

In SMTP terms, a proxy is effectively the same thing as a
store-and-forward relay. But yes, Postfix will do this very well. For
inbound mail, you can set up a transport map so that all incoming mail
is forwarded to the "true" mail server inside the CDE. Use recipient
address verification to make sure that you don't become a backscatter
source, and it will do exactly what you want with minimal hassle. For
outbound mail, simply use the DMZ machine as a smarthost for any machine
inside the CDE (including your Exchange server if appropriate).

Mark
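A main.cf for the DMZ relay Mark describes (transport map inbound, recipient verification, smarthost outbound), written here as an added example rather than anything posted in the thread; the hostnames, domain and CDE subnet are assumptions:

```conf
# main.cf on the DMZ relay (added example; hostnames/subnet are assumptions)
myhostname = relay.dmz.example.com
# This box holds no mailboxes, it only relays in both directions
mydestination =
# Loopback plus the CDE subnet: only these may use the box as a smarthost
mynetworks = 127.0.0.0/8, 192.0.2.0/24

# Inbound: accept mail for the domain and hand it to the real server in the CDE.
# The transport map entry (in /etc/postfix/transport, then "postmap" it) is:
#   example.com    relay:[mail.internal.example.com]
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport

# Ask the internal server whether each recipient exists before accepting the
# message, so unknown addresses are refused during the SMTP session instead of
# accepted and bounced later (that later bounce is the backscatter Mark means).
# Order matters: CDE hosts are permitted first, then anything not for our
# domain is rejected, and only then are remaining recipients verified.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient
unverified_recipient_reject_code = 550

# Outbound: everything not destined for example.com goes to the ISP's server
relayhost = [smtp.isp.example]:25
```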

Re: FW: PCI Compliance

Wietse Venema
In reply to this post by jonnytabpni
Jonathan Tripathy:
> So, back to postfix, can it do such a thing? Act as a "proxy" and
> not a "store and forward relay"

http://www.postfix.org/SMTPD_PROXY_README.html

Someone will still have to monitor the logfile, and deal with
"postmaster notification" email depending on how the notify_classes
parameter is configured.

        Wietse

Re: FW: PCI Compliance

Victor Duchovni
In reply to this post by Reinaldo Gil Lima de Carvalho
On Thu, Mar 18, 2010 at 11:00:14AM -0300, Reinaldo de Carvalho wrote:

> On Thu, Mar 18, 2010 at 10:53 AM, Jonathan Tripathy <[hidden email]> wrote:
> >
> > BTW, the machines in the CDE will all have anti-virus and automatic updates
> > enabled.
> >
> > So, back to postfix, can it do such a thing? Act as a "proxy" and not a
> > "store and forward relay"
> >
> >
> >
>
> In theory you can use 'smtpd_proxy_filter'.
>
> http://www.postfix.org/postconf.5.html#smtpd_proxy_filter

It works in practice. A few Postfix TLS proxies have been terminating TLS
connections, making access control decisions and forwarding unencrypted
SMTP to a non-Postfix server for many years now.

These systems only run "smtpd" as a proxy, and use various internal
services, but otherwise there is no message processing. There is
no logging from cleanup(8), qmgr(8), smtp(8), ... connections come
in and then they go out. Mail is never queued on the TLS proxy.

--
        Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.

RE: FW: PCI Compliance

jonnytabpni

How does one configure postfix to act like this?



Re: FW: PCI Compliance

Victor Duchovni
On Thu, Mar 18, 2010 at 04:14:31PM -0000, Jonathan Tripathy wrote:

> > It works in practice. A few Postfix TLS proxies have been terminating TLS
> > connections, making access control decisions and forwarding unencrypted
> > SMTP to a non-Postfix server for many years now.
> >
> > These systems only run "smtpd" as a proxy, and use various internal
> > services, but otherwise there is no message processing. There is
> > no logging from cleanup(8), qmgr(8), smtp(8), ... connections come
> > in and then they go out. Mail is never queued on the TLS proxy.
>
> How does one configure postfix to act like this?

    http://www.postfix.org/SMTPD_PROXY_README.html

If this is not an MX host:

    main.cf:
    smtpd_proxy_filter = inet:[real-smtp-server]:real-port

        # Plus the usual "restrictions" settings and any (incoming) TLS
        # settings for the SMTP server. There is no support for outgoing
        # TLS in the SMTP server.
        #
        # ...

If the real server is missing various EHLO features, you should turn
them off also on the Postfix proxy (mostly DSN and 8BITMIME) and adjust
the message size limit to match the real server.

--
        Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
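The sketch Viktor gives above, filled out for Jonathan's outbound case (CDE hosts talk to the DMZ box, which hands each session straight to the ISP's server) as an added example, not Viktor's own configuration; the hostnames, subnet, certificate paths and size limit are assumptions:

```conf
# main.cf on the DMZ proxy (added example; names, paths and limit are assumed)
myhostname = proxy.dmz.example.com
mydestination =
mynetworks = 127.0.0.0/8, 192.0.2.0/24

# Every accepted session is forwarded live to the real server; nothing is
# queued on this box, so there is no cleanup/qmgr/smtp activity to monitor
smtpd_proxy_filter = inet:[smtp.isp.example]:25
smtpd_proxy_timeout = 100s

# Access control still happens here before anything is forwarded:
# only CDE hosts may submit, everyone else is refused
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject

# Incoming TLS is terminated on the proxy; the hop to the real server is
# plaintext, as Viktor notes there is no outgoing TLS in the SMTP server
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/proxy-cert.pem
smtpd_tls_key_file  = /etc/postfix/proxy-key.pem

# Match what the real server supports: stop announcing DSN and 8BITMIME if it
# lacks them, and refuse messages larger than it would (value assumed)
smtpd_discard_ehlo_keywords = dsn, 8bitmime
message_size_limit = 10240000
```

The notify_classes point Wietse raises still applies: postmaster notifications generated on the proxy need somewhere to go and someone to read them.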