PCI DSS Compliance
Payment Card Industry Data Security Standard (PCI DSSPayment Card Industry Data Security Standard - A set of security standards for organizations to securely process and store data of credit cards.) is a proprietary security standard required by some banks in order to allow the company to process and store data about credit cards and payments.
To be in compliance with PCI DSS, some 3rd party security companies can verify the compliance. Usually, they run Nessus scanner and report any potential vulnerabilities or insecure issues.
The administrator can configure Kerio Connect to use supported cipher suits to ensure PCI DSS compliance. For more information refer to Configuring SSL/TLS in Kerio Connect.
Kerio Connect and PCI
NOTE
Always upgrade to the latest version of Kerio Connect for the best security!
If you run Kerio Connect and have difficulties to be granted the compliance, try the following:
The list of known incompatibilities
Vulnerability to the TLS CBC attack
Solution: In Kerio Connect 8.0.0 and newer, set the SSLDontInsertEmptyFragments
configuration value to 0
in the mailserver.cfg
configuration file.
Users with Kerio Outlook Connector (Offline edition) 8.0.2 and older on Windows XP systems may not be able to connect to the server or synchronize the data.
Vulnerability to the SSL BEAST attack
Solution: In Kerio Connect 8.0.1 to 8.4.2, set the DisableRC4SHA
configuration value to 0
in the mailserver.cfg
configuration file.
RC4 cipher may be considered by some other security scans as insecure due to the known attack vectors to this algorithm. Some US government organizations and agencies must follow FIPS-140-2 standard, which forbids RC4 ciphers.
In Kerio Connect version 8.3.0 to 8.4.0, set also the PreferECDHCipher
configuration value to 0
in the mailserver.cfg
configuration file.
Vulnerability to the POODLE and CVE-3566 attack
Solution: In Kerio Connect 8.3.3 and older, set the DisableSSLv3
configuration value to 1
in the mailserver.cfg
configuration file.
SSLv3 is also disabled if DisableTLSv1
is set to 1
.
Kerio Connect 8.3.4 and newer is not vulnerable to POODLE and CVE-3566.
IMPORTANT
If you disable TLSv1, some SMTPSimple Mail Transport Protocol - An internet standard used for email transmission across IP networks. servers may not be able to deliver messages to your server.
How to test SSL vulnerabilities
To test SSLSecure Sockets Layer - A protocol that ensures integral and secure communication between networks. vulnerabilities, use an online test, for example, at https://www.ssllabs.com/ssltest/