Koozali.org: home of the SME Server

Setting SME up for PCI-DSS compliance

Offline toothandnail

Re: Setting SME up for PCI-DSS compliance
« Reply #15 on: May 17, 2020, 05:43:07 AM »
Quote
As a follow-up, and following chats on RocketChat, we have some updated defaults we think will pass PCI-DSS compliance.

Big hat tip to Catton for his work.

We'll look at posting this and updating some defaults.

Sounds good. I've been tied up for the last few months - found a work-around for the original system, but I can see it coming up more and more in the future. Not to mention that I'd like to be able to contribute to the development of SME 10. While I've got one system running Nethserver, which has a few attractive features, I find it too GUI oriented. I'm much more comfortable with SME and would like to see it get more up to date.

I'll have to find some time to come back to the Rocket chat....

Offline ReetP

Re: Setting SME up for PCI-DSS compliance
« Reply #16 on: May 17, 2020, 10:09:30 AM »
This came from our recent discussions.

https://wiki.contribs.org/SSL_Settings

There is a lot more discussed on Rocket.

SME 10 is simmering gently and we've done more on this for it.

Come and chat.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline warren

Re: Setting SME up for PCI-DSS compliance
« Reply #17 on: May 17, 2020, 04:44:18 PM »
Quote
This came from our recent discussions.

https://wiki.contribs.org/SSL_Settings

There is a lot more discussed on Rocket.

SME 10 is simmering gently and we've done more on this for it.

Come and chat.

Made a minor change on the wiki page: from below (ldap slipped in onto lines 2-3)

Quote
If we set modSSL overall we can then change the following per service:

config setprop ldap CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop ldap qpsmtpd tlsCipher 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop ldap pop3s CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'

To:
Quote
If we set modSSL overall we can then change the following per service:

config setprop ldap CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop qpsmtpd tlsCipher 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop pop3s CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
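
An added example, not part of the thread or the wiki page: a small Python check for the kind of slip corrected above, run over both quoted versions of the snippet. It assumes `config setprop` takes a key followed by property/value pairs; `lint_setprop` and `missing_keys` are hypothetical helper names.

```python
import shlex

CIPHERS = "HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4"  # cipher string from the post

# Constructed input: the wiki snippet before and after the correction.
BEFORE = f"""\
config setprop ldap CipherSuite '{CIPHERS}'
config setprop ldap qpsmtpd tlsCipher '{CIPHERS}'
config setprop ldap pop3s CipherSuite '{CIPHERS}'
"""
AFTER = f"""\
config setprop ldap CipherSuite '{CIPHERS}'
config setprop qpsmtpd tlsCipher '{CIPHERS}'
config setprop pop3s CipherSuite '{CIPHERS}'
"""


def lint_setprop(script):
    """Return (settings, problems) for the `config setprop` lines in script.

    Assumed syntax: config setprop <key> <prop> <value> [<prop> <value> ...]
    settings maps key -> {prop: value}; problems lists (line_no, message).
    """
    settings, problems = {}, []
    for line_no, line in enumerate(script.splitlines(), 1):
        try:
            words = shlex.split(line, comments=True)
        except ValueError as exc:  # e.g. an unbalanced quote
            problems.append((line_no, f"unparseable: {exc}"))
            continue
        if words[:2] != ["config", "setprop"]:
            continue  # blank line, comment, or some other command
        args = words[2:]  # key followed by prop/value pairs
        if len(args) < 3 or len(args) % 2 == 0:
            problems.append((line_no, f"{len(args)} argument(s) after setprop "
                             "do not form <key> plus prop/value pairs"))
            continue
        key, pairs = args[0], args[1:]
        for prop, value in zip(pairs[0::2], pairs[1::2]):
            settings.setdefault(key, {})[prop] = value
    return settings, problems


def missing_keys(script, expected=("ldap", "qpsmtpd", "pop3s")):
    """Keys from `expected` that no well-formed line in script configures."""
    settings, _ = lint_setprop(script)
    return [key for key in expected if key not in settings]
```

On the uncorrected snippet the check flags lines 2 and 3 and reports that no well-formed line configures `qpsmtpd` or `pop3s`.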

Offline ReetP

Re: Setting SME up for PCI-DSS compliance
« Reply #18 on: May 17, 2020, 05:38:00 PM »
Ahh thanks!

Offline ReetP

Re: Setting SME up for PCI-DSS compliance
« Reply #19 on: May 17, 2020, 05:41:28 PM »
(As you can see we have done some work on SSL, particularly for v10.... do come and join in the conversation on Rocket)