How to Require TLS for Outbound SMTP Connections with MDaemon
-
@BRRABill and I are discussing this and wondering how this is to be done. Requiring for inbound SMTP is fine, as well, but not a strict requirement. We know that TLS for SMTP can be enabled optionally, but we want to know how to disallow SMTP connections when there is no TLS using Alt-N's MDaemon.
-
Tagging @brad_altn
-
It's possibly a simple setting I am missing.
I don't read too good.
-
This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here:
http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine
-
The reason I was asking is because offline @scottalanmiller were having a discussion about the security of e-mail.
His take is that e-mail is inherently secure as long as you "turn on that one trivial setting" to force encrypted connections.
I never found that option in MDaemon, and also see servers connecting to mine that also do not have TLS enabled, so I am assuming it is out there in the wild. Though a quick look through looks like almost all have STARTTLS in the SMTP log. So maybe the answer is that all servers do it anyway, or at least any server you'd want to talk to. But for HIPAA or other regulatory requirements, that's probably not good enough.
Is there an easy way in MDaemon to see how many connections connect via TLS versus not?
Also can you speak to the HIPAA compliant section of your website? It looks to me that MDaemon needs an additional piece of software to be compliant. (Another discussion I was having!)
-
@brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:
This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here:
http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine
Thanks for getting back. I'd say that this needs to be very high on the wish list as this is considered necessary or, at the very least prudent, for HIPAA compliance and some other security scenarios where using TLS only email is rather often a recommendation.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
Also can you speak to the HIPAA compliant section of your website? It looks to me that MDaemon needs an additional piece of software to be compliant. (Another discussion I was having!)
He can't because software is not HIPAA compliant conceptually. It is how it is used. There is no HIPAA requirements strictly for email, so there is no way to certify software in that manner.
At a simpler level, consider paper. Is paper HIPAA compliant? No, it's just paper. How you use that paper, store it, destroy it, etc. determines if the use of paper was HIPAA compliant.
HIPAA certifies verbs (how things are done) not nouns (things used.)
-
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
Also can you speak to the HIPAA compliant section of your website? It looks to me that MDaemon needs an additional piece of software to be compliant. (Another discussion I was having!)
He can't because software is not HIPAA compliant conceptually. It is how it is used. There is no HIPAA requirements strictly for email, so there is no way to certify software in that manner.
At a simpler level, consider paper. Is paper HIPAA compliant? No, it's just paper. How you use that paper, store it, destroy it, etc. determines if the use of paper was HIPAA compliant.
HIPAA certifies verbs (how things are done) not nouns (things used.)
Paper CAN be HIPAA compliant. It can also NOT be.
@brad_altn The argument here is over this page:
http://www.altn.com/email-encryption/I contend that it is saying MD cannot be used in a HIPAA compliant situation without the use of the additional software.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
Paper CAN be HIPAA compliant. It can also NOT be.
That was exactly my point. It's the use of the paper, not he paper itself that is or is not compliant. Just like MDaemon. Paper and MDaemon are nouns. You can use either in a compliant or non-compliant way. That's up to you. I can make all traffic from MDaemon encrypted, even if MDaemon doesn't provide this themselves. I can lock it to only talk to known accounts. I can encrypt the data at rest. I can do all kinds of things that take me way above and beyond HIPAA requirements or recommendations. But I can also run it with simple passwords, shared accounts, no encryption anywhere, etc.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
I contend that it is saying MD cannot be used in a HIPAA compliant situation without the use of the additional software.
And I pointed out that it says nothing of the sort and it isn't appropriate to look for such a statement as it is conceptually incorrect. They simply pointed out that they can offer you a HIPAA BAA certified service as well. A BAA cannot be applied to a product like paper or an email server and therefore is not applicable. The line item is about a BAA, not about HIPAA, so there is nothing on that page even remotely discussing or suggesting that MDaemon has any limitations on use in a HIPAA environment.
This is confusing because you are 1) looking for something that is conceptually incorrect and 2) misreading the statement about there being a service offering a BAA as the other product not being HIPAA capable, which are unrelated concepts.
-
Remember, only services have BAAs. MDaemon is not a service. But someone that runs MDaemon as a service can certainly run it in such a way that they could give you a BAA. But unless they are running it as a service (verb) they can't do that as BAAs because the BAA refers to the verb, not the noun. Otherwise you'd need BAA paper, pencils, etc.
-
@brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:
This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here:
http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine
Wow, to me this is a severe feature failure.
We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email.
At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email.
-
@JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:
This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here:
http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine
Wow, to me this is a severe feature failure.
We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email.
At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email.
yeah what @JaredBusch said
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:
This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here:
http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine
Wow, to me this is a severe feature failure.
We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email.
At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email.
yeah what @JaredBusch said
If you can dig up your old thread, could you post some new information in it? Such as any fallout or issues you have had? Or how much failure you had immediately after enabling this?
-
@JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:
This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here:
http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine
Wow, to me this is a severe feature failure.
We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email.
At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email.
yeah what @JaredBusch said
If you can dig up your old thread, could you post some new information in it? Such as any fallout or issues you have had? Or how much failure you had immediately after enabling this?
Yeah I would like to get involved in re-reading that as well.
To be honest, I did not realize email transport encryption was such a prevalent thing. Nor that is was so acceptable as a secure solution.
I still think a third part service (like ShareFIle for Healthcare, as we use) is more of an all-around solution. But I can understand if you just want to hand-off an email to a client and wash your hands of it, this could be an option.
The paranoid me, though, will still never trust e-mail. I know you're supposed to trust the IT on the other side, but ... eh.
-
@JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:
This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here:
http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine
Wow, to me this is a severe feature failure.
We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email.
At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email.
Just to be clear, MDaemon offers TLS, it just doesn't offer requiring it. So if someone, like @BRRABill was using MDaemon, and someone with TLS-only from, say, Office 365 contacted them, it would still work (if TLS was enabled), there is just no protection for @BRRABill making outbound emails using MDaemon alone to ensure that anything without TLS will be blocked.
Obviously he can fix this with something trivial like a Postfix proxy, but that's an extra complication that should not be needed.
-
@JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:
This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here:
http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine
Wow, to me this is a severe feature failure.
We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email.
At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email.
yeah what @JaredBusch said
If you can dig up your old thread, could you post some new information in it? Such as any fallout or issues you have had? Or how much failure you had immediately after enabling this?
Yeah, super interested in this.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
I still think a third part service (like ShareFIle for Healthcare, as we use) is more of an all-around solution.
In what way? Encrypted email is the most standard, most common, most general case solution. It's super mature and isn't a "service" but a mechanism. All of those things are service that require you to trust a third party vendor, have a BAA, hope that someone else doesn't get compromised, explain to users, explain to customers, learn individually, etc. Encrypted email is standard and transparent. No end user training, no slip ups. It's how security is meant to be - simple, effective and transparent.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
The paranoid me, though, will still never trust e-mail.
That's irrational you, not paranoid you. Paranoia would drive you to email as the most secure, most protected of these options. It's the only one that doesn't require you to trust someone else, the only one that lets you instantly hand off responsibility. All the others add risk and complexity that, if you were paranoid, you'd be worried about.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
I know you're supposed to trust the IT on the other side, but ... eh.
No, you are not. That's why encrypted email is so good, the moment the connection happens, you have zero need to trust their IT. It's not your problem in any way after that point. You've done your job to the demarcation point and are in the clear.
If you use a third party non-email service then and only then must you trust their IT (and it's IT of some random vendor that you likely don't know at all) because they now control your data that you remain responsible for. That's why they have to provide you with a BAA and you have to trust them to stick to it because they are a service acting on your behalf.
All of your stated concerns and paranoia would push you to encrypted email as the answer that best suits your desired outcomes.
