Jul 1, 2013

Configure Postfix and Dovecot SSL Settings For PCI Compliance

Yes, this is yet another post on my Linux email server, which I am using to get off of Google's teat and, of course, to avoid the NSA's PRISM program.

As part of setting up my email server I wanted to lock it down well enough that it would pass a Payment Card Industry (PCI) security scan from a PCI authorized auditor like Comodo's Hacker Guardian. My reasoning is that if I can pass a scan that banks and credit card companies use to evaluate their security against hackers, it's probably the best one can do against the NSA.

I am very familiar with locking down regular websites; after all, it's part of what I do for my day job. I've even written about how to configure SSL on Apache for PCI compliance, as well as on Windows 2008 R2 and Windows 2003.

With my email server, I also had to configure SSL encryption for SMTP and IMAP, using Postfix and Dovecot respectively. It took a while because I didn't find much documentation online on how to do it, but I finally figured it out.

For Postfix (/etc/postfix/main.cf), use these settings for SSL/TLS:

smtpd_tls_cert_file = /etc/path/to/public.crt
smtpd_tls_key_file = /etc/path/to/private.key
smtpd_tls_CAfile = /etc/path/to/ca-bundle.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, 3DES, MD5, AES
smtpd_sasl_security_options = noplaintext
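
Before running a paid scan it helps to check the file yourself. The following is an added example, not code from the post: it parses a main.cf snippet in the format above (including Postfix's indented continuation lines) and reports the TLS settings a current PCI-style scanner would object to, such as SSLv3 being listed in smtpd_tls_protocols or RC4 not being excluded. The sample configuration is constructed, and the defaults assumed for absent parameters are simplified.

```python
"""Audit the TLS parameters of a Postfix main.cf snippet (added example)."""
import re

# Constructed sample in the shape of the post's settings; the key file
# value is continued on an indented line, which Postfix allows.
SAMPLE_MAIN_CF = """\
smtpd_tls_cert_file = /etc/path/to/public.crt
smtpd_tls_key_file =
    /etc/path/to/private.key
smtpd_use_tls=yes
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, 3DES, MD5, AES
smtpd_sasl_security_options = noplaintext
"""

def parse_main_cf(text):
    """Parse 'key = value' lines; an indented line continues the previous
    value and a line starting with '#' is a comment."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [v for v in re.split(r"[,\s]+", value) if v]

def audit_tls(params):
    """Return findings a current PCI-style scanner would raise. Protocol
    names prefixed with '!' are exclusions, so only bare SSLv2/SSLv3 count."""
    findings = []
    if params.get("smtpd_use_tls", "no") != "yes" and \
            params.get("smtpd_tls_security_level", "none") == "none":
        findings.append("TLS not enabled for smtpd")
    for proto in split_list(params.get("smtpd_tls_protocols", "!SSLv2")):
        if proto in ("SSLv2", "SSLv3"):
            findings.append(f"smtpd_tls_protocols permits {proto}")
    excluded = split_list(params.get("smtpd_tls_exclude_ciphers", ""))
    for weak in ("aNULL", "MD5", "RC4"):
        if weak not in excluded:
            findings.append(f"{weak} ciphers are not excluded")
    return findings
```

Run `audit_tls(parse_main_cf(open("/etc/postfix/main.cf").read()))` against a real file; an empty list means none of these checks fired.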

For Dovecot (/etc/dovecot/dovecot.conf), use these settings for SSL/TLS:

ssl = required
verbose_ssl = no
ssl_cert = </etc/path/to/public.crt
ssl_key = </etc/path/to/private.key
ssl_ca = </etc/path/to/ca-bundle.crt
ssl_cipher_list = HIGH:+TLSv1:+SSLv3:!LOW:!SSLv2:!EXP:!aNULL

That's it! After I made those settings I was able to pass my PCI scan from Hacker Guardian.


That's not the only thing you have to worry about, of course. You also have to do things like hide your PHP version and Apache version, but the SSL settings are usually the hardest part of PCI compliance to deal with.

Did this help you out? If so, let us know in the comments.


