PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary security standard that some banks require a company to meet before allowing it to process and store credit card and payment data.

Compliance with PCI DSS is verified by third-party security companies. They usually run a Nessus scanner against your servers and report any potential vulnerabilities or insecure configuration.

The administrator can configure Kerio Connect to use supported cipher suites to ensure PCI DSS compliance. For more information, refer to Configuring SSL/TLS in Kerio Connect.

Kerio Connect and PCI

NOTE

Always upgrade to the latest version of Kerio Connect for the best security!

If you run Kerio Connect and have difficulty obtaining compliance, try the following:

The list of known incompatibilities

Vulnerability to the TLS CBC attack

Solution: In Kerio Connect 8.0.0 and newer, set the SSLDontInsertEmptyFragments configuration value to 0 in the mailserver.cfg configuration file. Users with Kerio Outlook Connector (Offline edition) 8.0.2 and older on Windows XP systems may then be unable to connect to the server or synchronize data.

Vulnerability to the SSL BEAST attack

Solution: In Kerio Connect 8.0.1 to 8.4.2, set the DisableRC4SHA configuration value to 0 in the mailserver.cfg configuration file.

The RC4 cipher may be considered insecure by other security scans because of the known attacks against this algorithm. Some US government organizations and agencies must follow the FIPS 140-2 standard, which forbids RC4 ciphers.

In Kerio Connect 8.3.0 to 8.4.0, also set the PreferECDHCipher configuration value to 0 in the mailserver.cfg configuration file.

Vulnerability to the POODLE and CVE-3566 attack

Solution: In Kerio Connect 8.3.3 and older, set the DisableSSLv3 configuration value to 1 in the mailserver.cfg configuration file.

SSLv3 is also disabled if DisableTLSv1 is set to 1.

Kerio Connect 8.3.4 and newer is not vulnerable to POODLE and CVE-3566.

IMPORTANT

If you disable TLSv1, some SMTP servers may not be able to deliver messages to your server.

How to test SSL vulnerabilities

To test SSL vulnerabilities, use an online test, for example, at https://www.ssllabs.com/ssltest/
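The online test above reaches your server from the Internet. To check an internal server, or to confirm a mailserver.cfg change before re-running a scan, you can probe the same legacy features directly. The script below is an added example written for this article (it is not Kerio's code and is not part of Kerio Connect). It uses only Python's standard library, assumes an implicit-TLS port such as IMAPS 993 or HTTPS 443 (it does not speak STARTTLS, so it is not suitable for SMTP on port 25 or 587), and the host name and port are placeholders you supply on the command line.

```python
"""Added example (not Kerio's code): probe a mail server's TLS endpoint for the
legacy features the remediations above address: SSLv3 (POODLE), TLS 1.0 with a
CBC cipher (BEAST / TLS CBC) and RC4 (forbidden under FIPS 140-2).
Run it only against servers you administer, e.g.
    python tls_probe.py mail.example.com 993      # host/port are placeholders
"""
import socket
import ssl
import sys

# One entry per check: (name, meaning of an ACCEPTED handshake, min version,
# max version, OpenSSL cipher-list string).  "@SECLEVEL=0" asks OpenSSL 1.1+/3.x
# to offer legacy protocols and ciphers it would otherwise refuse to enable on
# the client side; "ALL" keeps the default suites otherwise.
CHECKS = [
    ("sslv3", "SSLv3 accepted (POODLE)",
     ssl.TLSVersion.SSLv3, ssl.TLSVersion.SSLv3, "ALL:@SECLEVEL=0"),
    ("tls10-cbc", "TLS 1.0 with a CBC cipher accepted (BEAST / TLS CBC attacks)",
     ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1, "AES:3DES:!AESGCM:@SECLEVEL=0"),
    ("rc4", "RC4 cipher accepted (forbidden under FIPS 140-2)",
     None, None, "RC4:@SECLEVEL=0"),
]


def probe(host, port, *, min_version=None, max_version=None, ciphers=None, timeout=5.0):
    """Attempt one handshake limited to the given protocol range and cipher list.

    Returns (status, detail): status is True if the server accepted the
    handshake, False if it refused it, and None if the test could not be
    performed (the local OpenSSL no longer supports the legacy feature, or the
    connection failed).  A None result is NOT evidence that the server is safe.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # we test protocol support, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        if min_version is not None:
            ctx.minimum_version = min_version
        if max_version is not None:
            ctx.maximum_version = max_version
    except (ValueError, ssl.SSLError):
        return None, "local OpenSSL does not support this protocol version"
    if ciphers is not None:
        try:
            ctx.set_ciphers(ciphers)   # raises SSLError when no cipher matches
        except ssl.SSLError:
            return None, "local OpenSSL cannot offer this cipher list"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, _proto, _bits = tls.cipher()
                return True, f"negotiated {tls.version()} {name}"
    except ssl.SSLError as exc:
        reason = exc.reason or str(exc)
        # These two reasons come from the client side: nothing was offered at all.
        if reason in ("NO_PROTOCOLS_AVAILABLE", "NO_CIPHERS_AVAILABLE"):
            return None, f"local OpenSSL cannot offer this feature ({reason})"
        return False, f"server refused: {reason}"
    except OSError as exc:
        return None, f"connection failed: {exc}"


def run_checks(host, port):
    """Run every check in CHECKS; returns {name: (status, detail)}."""
    return {name: probe(host, port, min_version=lo, max_version=hi, ciphers=cs)
            for name, _meaning, lo, hi, cs in CHECKS}


def findings(results):
    """Return the human-readable meaning of each check the server ACCEPTED."""
    meaning = {name: text for name, text, *_ in CHECKS}
    return [meaning[name] for name, (status, _) in results.items() if status is True]


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    res = run_checks(host, port)
    for name, (status, detail) in res.items():
        label = {True: "ACCEPTED", False: "refused ", None: "untested"}[status]
        print(f"{name:10} {label} {detail}")
    for item in findings(res):
        print("finding:", item)
```

A result of "untested" means the local OpenSSL cannot offer the legacy feature at all (current builds ship without SSLv3 and RC4), so a clean run from this script only covers the features the client could actually offer; for the rest, the online scanner remains the authoritative check. Only an "ACCEPTED" line indicates the corresponding mailserver.cfg change above has not taken effect.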
