PCI scan failure for SSL Certificate with Wrong Hostname

Tags: nessus, pci-dss, ssl-certificate

A client had a PCI scan completed by SecurityMetrics, and it now says they failed because the SSL certificate for SMTP on port 25 (and for POP3S/IMAPS) does not match the domain scanned. Specifically:


Description: SSL Certificate with Wrong Hostname

Synopsis: The SSL certificate for this service is for a different host.

Impact: The commonName (CN) of the SSL certificate presented on this service is for a different machine.

The mail server runs sendmail (patched) and provides email service for a number of domains. The server itself has a valid SSL certificate, but it does not match each domain (we add and remove domains all the time as clients move around).

It seems SecurityMetrics is the only ASV that marks this as failing PCI. Trustwave, McAfee, etc. do not see this as failing PCI.

Is this issue truly a PCI failure? Or is it just SecurityMetrics being wrong?

Best Answer

This is what they call a false positive. We are using a wildcard certificate, so the host name and certificate will not match. The certificate name will be the wildcard name: the host would be domain.yourdomain.com, and the SSL certificate, being a wildcard, will be *.yourdomain.com.

Simply ask SecurityMetrics to whitelist that specific error if you are using a wildcard cert.

You will need that to be the only error for the specific IP address. They can omit false positives.
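As an added example (not part of the question or the answer above), here is a small Python script that performs the same name check an ASV does against the certificate an SMTP server presents after STARTTLS, using the RFC 6125 rules: a dNSName in the certificate's subjectAltName (or, only when there is no such SAN, the subject CN) must equal the scanned hostname, and a wildcard is honoured only as the entire leftmost label and covers exactly one label. Running it against the hostnames the scanner actually connects to shows which names a given certificate does and does not cover. The sample certificate dict, the domain names and the function names are constructed for illustration; check_starttls_smtp needs network access and is not exercised by the sample run.

```python
"""Reproduce the "SSL Certificate with Wrong Hostname" check: does the name
the scanner connected to appear among the names the certificate asserts?

Matching follows RFC 6125: a wildcard is honoured only as the whole
leftmost label ("*.example.com") and matches exactly one label.
"""
import smtplib
import ssl


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label; reject "f*.example.com",
    # "*.*.example.com" and a bare "*" or "*.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in p_labels[1:]:
        return False
    # "*" covers exactly one label: *.example.com matches mail.example.com
    # but neither example.com nor a.b.example.com.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_names(cert: dict) -> list:
    """Return the DNS names a getpeercert()-style dict asserts.

    Per RFC 6125 the subject CN is only consulted when the certificate
    carries no dNSName subjectAltName entries at all.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if any name in the certificate covers `hostname`."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def check_starttls_smtp(host: str, port: int = 25, timeout: float = 10.0) -> tuple:
    """Connect, STARTTLS, and report (matches, names) for the certificate
    presented. Hostname checking is switched off on the context so the
    handshake completes and the certificate can be inspected; chain
    validation against the system CA store stays on, which getpeercert()
    needs in order to return a populated dict. Requires network access."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return cert_matches_host(cert, host), cert_names(cert)


# Constructed sample shaped like ssl.SSLSocket.getpeercert() output: a
# wildcard certificate for the hosting provider's own domain.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.yourdomain.com"),),),
    "subjectAltName": (("DNS", "*.yourdomain.com"), ("DNS", "yourdomain.com")),
}

if __name__ == "__main__":
    # Names an ASV might connect to when scanning a shared mail server.
    for name in ("mail.yourdomain.com", "yourdomain.com",
                 "mail.clientdomain.com", "a.b.yourdomain.com"):
        verdict = "ok" if cert_matches_host(SAMPLE_CERT, name) else "MISMATCH"
        print(f"{name:25} {verdict}")
```

The sample run reports "ok" for mail.yourdomain.com and yourdomain.com but "MISMATCH" for mail.clientdomain.com and a.b.yourdomain.com, which is the distinction a scanner makes when it is given a hosted client's domain rather than the server's own name.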
