How to turn off plain text

[mdudl...@gmail.com]

I am failing a PCI certification test because my newly installed sendmail on a FreeBSD system is giving me the following problem:

"The service running on this port appears to make use of a plaintext (unencrypted) communication channel. The PCI DSS forbids the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentially and integrity of the data in transit cannot be ensured with any level of certainty."

This is showing up on both port 25 and 587.

I have been searching for hours on how to turn off the plain text on sendmail, but have been unsuccessful.

Any assistance would be appreciated.

Thanks,

Marshall

[Martin Neitzel]

mdudl...@gmail.com wrote:
> I have been searching for hours on how to turn off the plain text on
> sendmail, but have been unsuccessful.

Didn't
cf/README, chapter STARTTLS, section Allowing Connections
work out for you?

Martin

[wfmak...@gmail.com]

Perhaps this excerpt from sendmail.mc will point you in the right direction.

dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Bill