At last, I have a clean PCI DSS report.
There have always been a few non-critical remarks in the test report, but this time around, I got a clean report.
To get rid of the report's uneasiness about the secure server accepting mail, I changed one line in sendmail.mc to
DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA')dnl
What that does is stop sendmail accepting email from other servers. That's not a real vulnerability, but the PCI DSS report used to mention it. And I don't actually receive email on that server, so it's no loss to me.
I also added these lines to my startup script.
iptables -I INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -I OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
That stops people from finding out the date and time on my server. I don't see this as a big problem, because it's easy for people to see that my server is in the UK, and it's really easy to find out the time here. But, the PCI DSS report has always reported it as an information leakage. So I've blocked it.
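To show exactly what those two DROP rules match and what a reply would give away, here is an added example (not from the original post) that builds and decodes ICMP timestamp messages (type 13 request, type 14 reply) from constructed bytes; the sample packet and its clock values are made up for illustration.

```python
import struct

# ICMP type numbers behind the symbolic names iptables uses (RFC 792)
ICMP_TIMESTAMP_REQUEST = 13   # --icmp-type timestamp-request
ICMP_TIMESTAMP_REPLY = 14     # --icmp-type timestamp-reply
TYPE_NAMES = {ICMP_TIMESTAMP_REQUEST: "timestamp-request",
              ICMP_TIMESTAMP_REPLY: "timestamp-reply"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ms_since_midnight(ms: int) -> str:
    """Render an RFC 792 timestamp (milliseconds since midnight UTC)."""
    h, rem = divmod(ms, 3_600_000)
    m, rem = divmod(rem, 60_000)
    s, frac = divmod(rem, 1000)
    return "%02d:%02d:%02d.%03d" % (h, m, s, frac)


def build_timestamp_message(icmp_type, ident, seq, originate, receive=0, transmit=0):
    """Build a 20-byte ICMP timestamp request/reply with a correct checksum."""
    body = struct.pack("!BBHHHIII", icmp_type, 0, 0, ident, seq,
                       originate, receive, transmit)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_timestamp_message(pkt: bytes):
    """Decode an ICMP timestamp message (the packets the DROP rules match).
    Returns None for anything else: other ICMP types, truncated data,
    or a bad checksum."""
    if len(pkt) < 20:
        return None
    icmp_type, code, _, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", pkt[:20])
    if icmp_type not in TYPE_NAMES or code != 0 or icmp_checksum(pkt[:20]) != 0:
        return None
    return {"type": TYPE_NAMES[icmp_type], "id": ident, "seq": seq,
            "originate": ms_since_midnight(orig),
            # receive/transmit are what a reply leaks: the server's clock
            "receive": ms_since_midnight(recv),
            "transmit": ms_since_midnight(xmit)}


# Constructed sample: the reply a server would send at 12:34:56.789 UTC
SAMPLE_REPLY = build_timestamp_message(ICMP_TIMESTAMP_REPLY, 0x1234, 1,
                                       originate=45_000_000,
                                       receive=45_296_789, transmit=45_296_789)
```

With the DROP rules in place the request never reaches the kernel's ICMP handler, so no such reply is ever generated; the decoder shows the time-of-day value that would otherwise be returned.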
Finally, there was a report that my certificate used SHA-256. It does, but only for the root certificate, and browsers don't check SHA-256, they check the whole certificate. So that isn't a vulnerability at all, it's been a false positive for years, and each time I did a scan, I did a cut-and-paste of my explanation why it's a false positive, and they always accepted it. But now they've fixed their false positive!
That leaves only one thing in the report - that the server is accessible via https. Well yes, it is, because that's my Secure Server, and if all access to it is blocked, it's as useful as a chocolate teapot.