Ssl – Apache mod_ssl configuration for PCI compliance

One document I found recommends the following settings for PCI compliance:

postconf -e smtpd_tls_ciphers=medium
postconf -e smtpd_tls_protocols=\!SSLv2
postconf -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"

Then restart the postfix daemon for good measure.
The document is actually for an unrelated VMWare product, but postfix is postfix, right?

;-)

The last time I read the PCI standards, they had the isolation requirements pretty well stated (the technical term in PCI language is to reduce the scope of the PCI compliant environment). So long as those flagrantly un-compliant servers have zero access to the compliant zone, it should fly. That would be a network segment that is fully firewalled from your normal network, and the rules on that firewall are themselves PCI-compliant.

We did much the same thing ourselves at my old job.

The key thing to keep in mind is that from the perspective of the PCI-compliant zone everything not in the zone is to be treated like the public Internet, no matter if it is also the same network that also warehouses your corporate IP. So long as you do that, you should be good.