Improving PCI Compliance


SUMMARY

In order to achieve PCI compliance you may need to make various setting changes. This article will help you make those changes.

DETAIL

You may wish to prevent plain SMTP authentication when the client is not on a secure connection (SSL or TLS). Be careful when setting this value, as it will prevent users from sending email if they have not configured their email client to use SSL/TLS.

The option is set through the administration program. Expand the Servers->localhost->Services and Connectors branch, right-click the SMTP icon and select Properties from the popup menu. In the window that appears, select the Inbound tab and click Settings... under Port Settings. For each port you listen on, you can select the option "Only allow secure authentication (using SSL or TLS)".

You need to restart the SMTP service after any change.

For webmail, cookies are not required to be sent over SSL by default, so webmail will work even if you have not configured SSL for the webmail site. If you have configured webmail to be accessible only over SSL, you can help improve PCI compliance by forcing cookies to require SSL. This is done by editing the web.config file in the Mail Enable\bin\Netwebmail directory and adding the following line inside the <system.web> element.

<httpCookies requireSSL="true" />
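The following is an added example, not part of the MailEnable article or product: a small Python check that a web.config carries the cookie setting in the place described above. It checks for ASP.NET's attribute name, requireSSL; the function name and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def audit_cookie_ssl(web_config_xml):
    """Return a list of findings; an empty list means requireSSL="true" is set."""
    try:
        root = ET.fromstring(web_config_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # The setting only counts when it sits inside <system.web>.
    cookies = [el for sw in root if sw.tag == "system.web"
               for el in sw if el.tag == "httpCookies"]
    if not cookies:
        return ["no <httpCookies> element inside <system.web>"]
    findings = []
    for el in cookies:
        # Attribute names are matched exactly, so report near-misses by name.
        for name in el.attrib:
            low = name.lower()
            if (name != "requireSSL" and low.startswith("require")
                    and low.endswith("ssl")):
                findings.append(f'attribute "{name}" is not "requireSSL"')
        value = el.attrib.get("requireSSL")
        if value is None:
            findings.append("requireSSL attribute is missing")
        elif value.strip().lower() != "true":
            findings.append(f'requireSSL is "{value}", expected "true"')
    return findings

# Constructed sample inputs (not taken from a real MailEnable installation).
GOOD = """<configuration><system.web>
  <httpCookies requireSSL="true" />
</system.web></configuration>"""
DISABLED = GOOD.replace('"true"', '"false"')
MISPLACED = """<configuration><httpCookies requireSSL="true" />
<system.web /></configuration>"""
WRONG_CASE = GOOD.replace("requireSSL", "RequireSsl")

if __name__ == "__main__":
    for label, doc in [("good", GOOD), ("disabled", DISABLED),
                       ("misplaced", MISPLACED), ("wrong case", WRONG_CASE)]:
        print(label, "->", audit_cookie_ssl(doc) or "OK")
```

To audit a real installation, read the web.config file as text and pass its contents to audit_cookie_ssl; any finding means the cookie setting is not in effect as described.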

REFERENCES

Configuring extra SMTP ports with this option:

Article ME020571

Product: MailEnable (ME-5.X ME-6.X Pro-5.X Pro-6.X Ent-5.X Ent-6.X)
Article: ME020583
Module: General
Keywords: pci, compliance
Class: HOWTO: Product Instructions
Revised: Wednesday, December 23, 2020
Author:
Publisher: MailEnable