PCI compliance pop3 dovecot SSL failure fix

A BOFH moment of BITCH

You know you are in hell when folk like securitymetrics.com scan your system. Oh, they don't just test the normal stuff, they bombard your server with every known exploit there is for over six hours, taxing the hell out of your system and driving the load up as they hit your poor computer with so many bogus requests that your little home-grown system GROANS.

I mean, they *should* know theoceanharvest.com is hosted on Linux, so why hit us with every known Microsoft exploit?? We shrug it off. So naturally we passed the PCI test for the past 4 months, but then.. out of the blue, WE FAILED!!

TCP 110 pop3 5
Synopsis: The remote server's SSL certificate has already expired.
Description: This script checks expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired.
Solution: Purchase or generate a new SSL certificate to replace the existing one.
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)


Because the SSL certificate set up by dovecot had expired... so folk (which is nobody on this server) who used our pop3 mail service on port 110 would have gotten an expired-certificate notice.

This happens because when you blithely install dovecot from, say, CentOS (doing yum install dovecot), it turns out it installs a certificate that is good for one year. A year later that cert is no good according to the anal douchebags at securitymetrics.com.

Why does this matter? Well, our merchant bank requires us to be PCI compliant or we have to pay a bunch of extra fees, so now suddenly we're in trouble all because the pop3 mail SSL cert (which we don't use) is out of date (even though an expired cert still allows fully encrypted data). Assholes.

So if you EVER get this problem, here is the fix.

Log into your server as root, or sudo to root.

Run locate mkcert.sh

or look in the standard spot (on CentOS it is /usr/share/doc/dovecot-1.0.7/examples/mkcert.sh).

This is a simple shell script that executes when you install dovecot. Edit this bitch using vi or nano or whatnot; the line to change is at line 36.

Edit this line:
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2

and change -days 365 to -days 12312312 or a million or whatever. Make those days a large number so you never have to do it again.

then remove the old certs:

rm /etc/pki/dovecot/certs/dovecot.pem
rm /etc/pki/dovecot/certs/private/dovecot.pem

then do

sh /usr/share/doc/dovecot-1.0.7/examples/mkcert.sh

as root, and you'll have new pop3 certs installed, good for however many days you set in the mkcert file.

I made mine good for 20 years.
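A check to go with the fix, added here as an example and not part of the original post or of Dovecot's own mkcert.sh. It assumes openssl(1) is installed and works in a scratch directory instead of /etc/pki/dovecot (pop.example.test and the WORK directory are constructed placeholders). make_cert builds a cert the same way mkcert.sh does (openssl req -new -x509 -nodes) with whatever -days value you pick, so you can see the notAfter date a given number produces before touching the real files; cert_valid_for asks openssl x509 -checkend whether the cert will still be valid N days from now, which is the same expiry test the scanner failed us on, just run early enough to do something about it.

```shell
#!/bin/sh
# Added example, not from the original post or the Dovecot project.
# Assumes openssl(1) is on PATH.  WORK is a constructed scratch directory;
# the real Dovecot cert lives under /etc/pki/dovecot.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_cert DAYS CN
# Builds a self-signed cert the way mkcert.sh does (req -new -x509 -nodes),
# valid for DAYS days, as $WORK/dovecot.pem with its key in $WORK/dovecot-key.pem.
# -subj stands in for the dovecot-openssl.cnf that mkcert.sh passes via -config.
make_cert() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
        -subj "/CN=$2" -days "$1" \
        -out "$WORK/dovecot.pem" -keyout "$WORK/dovecot-key.pem" 2>/dev/null
}

# cert_valid_for CERT DAYS
# Exits 0 if CERT will still be valid DAYS days from now, 1 if it will have
# expired by then.  -checkend takes seconds, hence the multiply.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_expired CERT
# Exits 0 if CERT is already past its notAfter date (what the scanner reported).
cert_expired() {
    ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# cert_end_date CERT
# Prints "notAfter=<date>" so you can see what a given -days value produced.
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate
}

# live_cert_valid_for HOST PORT DAYS
# Same check against a running POP3 service: Dovecot offers STARTTLS on 110,
# so s_client upgrades the connection before reading the server cert.
# Needs network access, so the self-test below does not call it.
live_cert_valid_for() {
    openssl s_client -connect "$1:$2" -starttls pop3 </dev/null 2>/dev/null \
        | openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null
}

# Self-test: a one-year cert like the stock yum install produces, checked with
# a 30-day warning horizon (comfortably inside a quarterly PCI scan cycle).
main() {
    make_cert 365 pop.example.test
    cert_end_date "$WORK/dovecot.pem"
    if cert_valid_for "$WORK/dovecot.pem" 30; then
        echo "ok: $WORK/dovecot.pem is good for at least 30 more days"
    else
        echo "WARN: $WORK/dovecot.pem expires within 30 days, rerun mkcert.sh"
    fi
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not installed, nothing checked" >&2
fi
```

Point cert_valid_for at the installed /etc/pki/dovecot/certs/dovecot.pem from a cron job with a 30-day horizon and you hear about an expiring cert before the next scan does, whatever -days you settled on in mkcert.sh.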

Hope this helps any PCI testing out there.. it was a bitch to figure out why we failed for freaking pop3 SSL certs, but this did the trick.

much love
F/V Harvester -- Fishing for a living, unix geeking for love.

just got this: Thanks a lot

Thank you for using SecurityMetrics for your PCI DSS compliance.

Congratulations, your PCI compliance has been validated as of the date and time of this email! We encourage you to continue to maintain PCI compliance and keep your customer data secure.

Some acquiring banks or processors charge their merchants a PCI non-compliance fee. Since you have now validated your PCI compliance you should not be charged PCI non-compliance fees (if your acquiring bank or processor charges these fees). You do not need to contact your acquirer to confirm your PCI compliance status because SecurityMetrics provides your acquirer with access to view your PCI compliance status.

If you have any questions regarding your PCI compliance validation contact our Technical Support Department at 801.705.5700 (USA) or 0844 561 1658 (UK), or by email at

We appreciate your business.

SecurityMetrics Support Team