[BlueOnyx:27259] Re: Disabling plain text login for Postfix
Chris Gebhardt - VIRTBIZ Internet
cobaltfacts at virtbiz.com
Tue Sep 24 16:24:05 -05 2024
On 9/24/2024 3:43 PM, Michael Stauber via Blueonyx wrote:
> Hi Chris,
>
>> Working with a customer on a 5210R box, they've had a PCI scan fail
>> due to allowing plaintext authentication over port 25. No matter
>> that they don't process credit cards over port 25... anyhow....
>
> If they know what IP the PCI scan is from they should just block that
> one and be done with it. :p

Oh I know.  That's extremely effective.   Trouble is, this is a new (to
me) provider and apparently you book a scan, and then it happens over
the course of 5 days, so it's difficult to detect where it's coming from.
Still working to determine if I can get the IP(s) they'd be sourced from.

>> Is there a recommended method for disabling plaintext authentication
>> in Postfix (or Dovecot if Postfix is using Dovecot's auth?)
>
> Offhand I don't recall if our automatic config generation for Postfix
> will reset any custom changes you make to that end in
> /etc/postfix/main.cf
>
> So it would be best to edit this file instead, which is run last
> whenever Postfix is restarted and it allows you to override the
> configuration:
>
> /usr/sausalito/bin/custom-postfix-confgen.sh
>
> Changes made to that file will persist through BlueOnyx YUM updates,
> so they won't get lost.

Perfect!  That's just what I needed!
And yes, these PCI scanning dumps are awful and don't make any sense at
all. They even ding the customer for daring to filter TCP 3306 and
instruct to disable IDS or IPS to allow scanning without
interference. Uh.... first off, that's stupid. Second, the server
simply doesn't allow remote MySQL by policy. So.... stick it. But of
course you can't just say that because the customer wants to retain
their merchant account, so we play the game.
--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
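
An added example, not part of the thread and not BlueOnyx code: a check that a captured EHLO reply no longer advertises AUTH before STARTTLS, which is the condition the scan finding describes. The thread does not name the setting; `smtpd_tls_auth_only = yes` is the standard Postfix parameter assumed here, and the EHLO replies and hostname are constructed.

```shell
#!/bin/sh
# Added example; not from the thread or from BlueOnyx.
# Assumed fix (standard Postfix parameter, not named in the thread), placed
# in the override script mentioned above:
#   postconf -e 'smtpd_tls_auth_only = yes'
#
# check_ehlo reads a pre-STARTTLS EHLO reply on stdin.
# Exit 0: no AUTH before TLS. 1: AUTH offered in cleartext. 2: no STARTTLS.
check_ehlo() {
    reply=$(tr -d '\r')    # SMTP lines end in CRLF; strip the CR
    tls=$(printf '%s\n' "$reply" | grep -Ei '^250[- ]STARTTLS$' || true)
    # Matches both "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" form.
    auth=$(printf '%s\n' "$reply" | grep -Ei '^250[- ]AUTH([ =]|$)' | head -n 1)
    if [ -z "$tls" ]; then
        echo "FAIL: STARTTLS not offered"
        return 2
    fi
    if [ -n "$auth" ]; then
        echo "FAIL: AUTH advertised before STARTTLS: $auth"
        return 1
    fi
    echo "OK: no AUTH offered before STARTTLS"
    return 0
}

# Constructed sample replies; mail.example.com is a placeholder.
EHLO_BEFORE='250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'

EHLO_AFTER='250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME'

printf '%s\n' "$EHLO_BEFORE" | check_ehlo || true
printf '%s\n' "$EHLO_AFTER" | check_ehlo || true
```

Feed it the 250 lines returned by the server's first EHLO on port 25, captured before and after the configuration change.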