
Yet another PCI failure, Plesk 11/10/9/etc.

Discussion in 'Plesk 11.x for Linux' started by Hostasaurus.Com, Aug 17, 2012.

  1. Hostasaurus.Com (Regular Pleskian)
    Since Parallels is still bundling an ancient version of Courier IMAP (3.0.8), and that software has been End Of Life'd, we now cannot pass PCI on any version of Plesk:

     
  2. IgorG (Forums Analyst, Staff Member)
    Courier IMAP has all the latest security updates applied, and a PCI scanner report about the old version does not really indicate that Courier in Plesk is vulnerable.
     
  3. Hostasaurus.Com (Regular Pleskian)
    That's interesting, since the author says it's no longer supported. I guess what you're saying is "It's okay that our product fails PCI compliance because we know it's not really vulnerable." I'm sure the scanning companies will pass our customers' servers because a random forum post says it's okay.
     
  4. IgorG (Forums Analyst, Staff Member)
    Yes, we will update Courier to the newest version, but the current version is not vulnerable either.
     
  5. Hostasaurus.Com (Regular Pleskian)
    Any update on this? Nearly all PCI scanning firms are now failing all versions of Plesk due to the Courier version being past its support lifetime. Can the Plesk version of Courier be overwritten with a later version safely?
     
  6. DanBriant (New Pleskian)
    Yeah, I second this.
    Got a client that's now failing PCI because of this. It's kind of annoying, and I'm frustrated at the lack of improvements in this area.
     
  7. Hostasaurus.Com (Regular Pleskian)
    Still no updates to this, and Plesk 11 still uses the unsupported version, so the universal Parallels response of "upgrade" is not a solution in this case.

    Can you please let the users of your product know if they can replace the Courier version with a later one and have it keep working if you will not be providing any support on this matter?
     
  8. burnleyvic (Regular Pleskian)
    The solution we've adopted to alleviate this issue (as well as several others) was to run Dovecot as POP/IMAP proxy for the Plesk servers. Gives us great flexibility.
     
  9. Hostasaurus.Com (Regular Pleskian)
    Can you front-end multiple servers? Like a domain to ip mapping? This might be just what we need.
     
  10. burnleyvic (Regular Pleskian)
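The Dovecot front-end that burnleyvic describes in post 8, and the domain-to-IP mapping Hostasaurus.Com asks about in post 9, can be expressed as a small Dovecot 2.x proxy configuration. The following is an added example written for this page; it is not burnleyvic's configuration, not Plesk's, and not copied from Dovecot's documentation. The hostnames, backend addresses, file paths and the numeric uid/gid are placeholders. Clients only ever talk to the Dovecot proxy (so a scanner sees a current Dovecot banner, not Courier's), and the proxy forwards each login to a backend Plesk server selected by the domain part of the user name, leaving password verification to the backend:

```conf
# Added example, not from the thread: Dovecot 2.x as an IMAP/POP3 proxy in
# front of several Plesk/Courier backends, backend chosen per login domain.
# All hosts, addresses and paths below are assumed placeholders.

# ---- /etc/dovecot/dovecot.conf on the proxy host ----
protocols = imap pop3
listen = *

# TLS terminates on the proxy, which runs a current Dovecot/OpenSSL build.
# Clients must be inside TLS before they may send a password.
ssl = required
ssl_cert = </etc/dovecot/proxy-cert.pem
ssl_key  = </etc/dovecot/proxy-key.pem
disable_plaintext_auth = yes

# The proxy needs the clear-text password to replay it to the backend, so
# only the PLAIN and LOGIN mechanisms (inside TLS) can be offered.
auth_mechanisms = plain login

# Greeting without a product name or version for scanners to fingerprint.
login_greeting = Mail server ready.

# Look the login up by its domain part (%d) instead of the full user name.
# The proxy does not check the password itself; the backend (Plesk's
# Courier authentication library) decides whether the login succeeds.
passdb {
  driver = passwd-file
  args = username_format=%d /etc/dovecot/backends-by-domain
}

# Proxied logins never reach a mail process on this host, so no local
# mailboxes exist; the static userdb only keeps the configuration complete.
userdb {
  driver = static
  args = uid=65534 gid=65534 home=/nonexistent
}

# ---- /etc/dovecot/backends-by-domain (passwd-file format) ----
# domain : password : uid : gid : gecos : home : shell : extra fields
# Empty password + nopassword=y : accept any password here, backend decides.
# proxy=y host=<backend>        : forward the session to that backend.
# Port defaults to 143 or 110 depending on which service the client used.
example.com:::::::proxy=y host=10.0.0.11 nopassword=y
example.org:::::::proxy=y host=10.0.0.12 nopassword=y
```

Two caveats a practitioner would want. First, the proxy-to-backend hop above is clear text, which is only acceptable on a private network; if the backends' Courier offers STARTTLS, adding `starttls=any-cert` to the extra fields wraps that hop in TLS as well. Second, this only helps the scan result if the backends' own 110/143/993/995 ports are firewalled off from the Internet (or at least from the scanner's address ranges); a scanner that can still reach a backend directly will still see the Courier banner and fail it.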
  11. ollybee (New Pleskian)
    imap 4.0
    Title: End of life software is not PCI compliant
    Impact: Patches and security fixes are no longer available for your version of courier.

    Any solution yet?
     
  12. paulieG (Regular Pleskian)
    Hi,

    There is no changelog available for psa-courier-imap to show that this package has backported fixes to ensure PCI-Compliance.

    We need one (or more) of the following as a matter of urgency:

    A KB article that details the backported patches that go into psa-courier-imap that we can use as mitigation.
    An updated rpm that details the backported patches that go into the package.
    A drop-in binary that does not have a banner that telegraphs that it's based on the old version (and one of the two things above so that we can trust you).

    Paul.
     
  13. sergius (Golden Pleskian)
    Hello, Everyone. Thanks for reporting.

    Could you please let us know which PCI scanners are reporting the issue to you?
    A couple would be enough for verification. Thanks.
     
  14. sergius (Golden Pleskian)
    Here you are. Patches and compiling options attached.

    Plesk Service is working on the update that should silence PCI scanners. It's expected next week.
    Also, as IgorG said above, Courier IMAP will be updated to 4.11 in further updates. ETA Q4 2012.

    Last edited: Oct 6, 2012
  15. paulieG (Regular Pleskian)
    Hi Sergius,

    SecurityMetrics are flagging Courier-Imap for us.

    Also I don't think you meant to upload quips.txt ... unfortunately I can't read Russian so I didn't get most of the jokes.

    Paul.

    EDIT: But thanks for the speedy response, it's very much appreciated.
     
  16. Hostasaurus.Com (Regular Pleskian)
    We're seeing the failures from SecurityMetrics, Trustwave and McAfee (randomly).

    The patches, etc. for the old version don't help because they're failing for the fact that the version is end of life'd.

    In case anyone in the thread finds it useful, we were able to successfully compile and overwrite Courier 3.0.8 on Plesk 8 and 9 servers with the latest version and it seemed to work fine; the Parallels authentication library still worked. We haven't tried it on a 10 or 11 server yet, and we haven't done this on any production server at this point in time because we have no idea if the authentication library does anything that might be version-specific and opening ourselves up for some vulnerability.

    I asked if it was safe to do this back on Sept 10 but have not gotten an answer.
     
  17. DonSTN (New Pleskian)
    ETA for Fix?

    When this update lands do we have to do anything to apply it or will Plesk automatically upgrade?
     
  18. sergius (Golden Pleskian)
    Hello, paulieG, Hostasaurus.Com. Thank you so much.
     
  19. sergius (Golden Pleskian)
    The update will be applied automatically if Plesk AutoUpdate is on. Otherwise you should go to Plesk Updater and initiate installing.
     
  20. ukOliverS (New Pleskian)
    I reported this via a Plesk support ticket in August and was advised the following:

    Passing this response, or a similar one, for multiple PCI scans seems to appease SecurityMetrics in each instance.
     