Yet another PCI failure, Plesk 11/10/9/etc.

HostaHost

Regular Pleskian
Since Parallels is still bundling an ancient version of Courier IMAP (3.0.8), and that software has been End Of Life'd, we now cannot pass PCI on any version of Plesk:

Title: End of life software is not PCI compliant
Impact: Patches and security fixes are no longer available for your version of courier.
Risk Factor: Medium / CVSS2 Base Score: 4.0
 
Courier IMAP has all the latest security updates applied, and a PCI scanner report about an old version does not really indicate that Courier in Plesk is vulnerable.
 
That's interesting, since the author says it's no longer supported. I guess what you're saying is "It's okay that our product fails PCI compliance because we know it's not really vulnerable." I'm sure the scanning companies will pass our customers' servers because a random forum post says it's okay.
 
Yes, we will update Courier to the newest version, but the current version is not vulnerable either.
 
Any update on this? Nearly all PCI scanning firms are now failing all versions of Plesk due to the Courier version being past its support lifetime. Can the Plesk version of Courier be overwritten with a later version safely?
 
Yeah, I second this.
Got a client that's now failing PCI because of this. It's kind of annoying, and I'm frustrated at the lack of improvements in this area.
 
Still no updates to this, and Plesk 11 still uses the unsupported version, so the universal Parallels response of "upgrade" is not a solution in this case.

Can you please let the users of your product know if they can replace the Courier version with a later one and have it keep working if you will not be providing any support on this matter?
 
The solution we've adopted to alleviate this issue (as well as several others) was to run Dovecot as POP/IMAP proxy for the Plesk servers. Gives us great flexibility.
 
The solution we've adopted to alleviate this issue (as well as several others) was to run Dovecot as POP/IMAP proxy for the Plesk servers. Gives us great flexibility.

Can you front-end multiple servers? Like a domain to ip mapping? This might be just what we need.
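A Dovecot front-end of the kind described in the post above, mapping each mail domain to the backend Plesk server that hosts it, as an added example that is not from the original post: the file paths, domain names and addresses are assumptions, and the setup relies on Dovecot's passwd-file passdb with the `proxy`, `host` and `nopassword` extra fields.

```conf
# /etc/dovecot/dovecot.conf on the proxy host (constructed example, not from the thread)
protocols = imap pop3

# Clients only ever talk TLS to the proxy; the Courier backends stay off the edge
# and are reachable only from the proxy's address.
ssl = required
ssl_cert = </etc/dovecot/proxy.pem
ssl_key = </etc/dovecot/proxy.key
disable_plaintext_auth = yes
auth_mechanisms = plain login

# Look the login up by its domain part (%d) instead of the full user name, so a
# single line per hosted domain decides which Plesk server the session goes to.
passdb {
  driver = passwd-file
  args = username_format=%d /etc/dovecot/proxy-domains
}
# No userdb is needed: proxied sessions never touch mailboxes on this host.

# /etc/dovecot/proxy-domains (one line per hosted domain; addresses constructed)
# passwd-file layout: key:password:uid:gid:gecos:home:shell:extra_fields
# nopassword=y means the proxy does not verify the password itself; the client's
# credentials are forwarded and the backend's Plesk authentication decides.
example.com:::::::proxy=y host=192.0.2.10 nopassword=y
example.net:::::::proxy=y host=192.0.2.11 port=143 nopassword=y
```

Adding a domain is a one-line change in proxy-domains followed by a Dovecot reload; the backend Plesk servers need no changes beyond allowing IMAP/POP3 from the proxy address.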
 
imap 4.0
Title: End of life software is not PCI compliant
Impact: Patches and security fixes are no longer available for your version of courier.

any solution yet
 
Hi,

There is no changelog available for psa-courier-imap to show that this package has backported fixes to ensure PCI-Compliance.

We need one (or more) of the following as a matter of urgency:

A KB article that details the backported patches that go into psa-courier-imap that we can use as mitigation.
An updated rpm that details the backported patches that go into the package.
A drop-in binary that does not have a banner that telegraphs that it's based on the old version (and one of the two things above so that we can trust you).

Paul.
 
Nearly all PCI scanning firms are now failing all versions of Plesk due to the Courier version being past its support lifetime.

Hello, Everyone. Thanks for reporting.

Could you, please, let us know which PCI scanners are reporting the issue to you?
Couple of ones would be enough for verifying. Thanks.
 
We need one (or more) of the following as a matter of urgency:

A KB article that details the backported patches that go into psa-courier-imap that we can use as mitigation.
An updated rpm that details the backported patches that go into the package.
A drop-in binary that does not have a banner that telegraphs that it's based on the old version (and one of the two things above so that we can trust you).

Here you are. Patches and compiling options attached.

Plesk Service is working on the update that should silence PCI scanners. It's expected next week.
Also, as IgorG said above, Courier IMAP will be updated to 4.11 in further updates. ETA Q4'12.

Attachments: patches.tar.gz, configure_args.txt
Hi Sergius,

SecurityMetrics are flagging Courier-Imap for us.

Also I don't think you meant to upload quips.txt ... unfortunately I can't read Russian so I didn't get most of the jokes.

Paul.

EDIT: But thanks for the speedy response, it's very much appreciated.
 
We're seeing the failures from SecurityMetrics, Trustwave and McAfee (randomly).

The patches, etc. for the old version don't help because they're failing for the fact that the version is end of life'd.

In case anyone in the thread finds it useful, we were able to successfully compile and overwrite Courier 3.0.8 on Plesk 8 and 9 servers with the latest version and it seemed to work fine; the Parallels authentication library still worked. We haven't tried it on a 10 or 11 server yet, and we haven't done this on any production server at this point in time because we have no idea if the authentication library does anything that might be version-specific and opening ourselves up to some vulnerability.

I asked if it was safe to do this back on Sept 10 but have not gotten an answer.
 
ETA for Fix?

When this update lands do we have to do anything to apply it or will Plesk automatically upgrade?
 
When this update lands do we have to do anything to apply it or will Plesk automatically upgrade?

The update will be applied automatically if Plesk AutoUpdate is on. Otherwise you should go to Plesk Updater and initiate installing.
 
I reported this via a Plesk support ticket in August and was advised the following:

I have logged into the server successfully. I could see that your Plesk version is Plesk 10.4.4 and the courier imap installed in the server is 'psa-courier-imap-3.0.8'.

-------
[root@server ~]# rpm -qa |grep courier
psa-courier-imap-3.0.8-cos6.build1013111101.14.x86_64
[root@server ~]#
[root@server ~]# cat /usr/local/psa/version
10.4.4 CentOS 6 1013111102.18
-------

Please note that the courier imap version present in your server is the one supplied with Plesk components and it is supported by the server. This won't cause any issues on the server.

Passing this response or similar for multiple PCI scans seems to appease SecurityMetrics in each instance.
 