
    How to Require TLS for Outbound SMTP Connections with MDaemon

    IT Discussion
    Tags: mdaemon, alt-n, smtp, tls, security, encryption, email
    82 Posts 6 Posters 17.6k Views
    • scottalanmillerS
      scottalanmiller @BRRABill
      last edited by

      @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

      Or their system not being secure and other users being able to see the e-mail? What's to stop the other side's management from looking at all e-mails that come through?

      Nothing... not of any concern to you. Your job is done and the package is handed off. Why do you keep asking about someone else's problems? What if their systems are compromised right now? Do you care that data that is not yours to protect is stolen?

      Target had credit card data stolen. It wasn't yours nor your responsibility. Are you concerned about that? No, it's of no concern to you personally. You are choosing to grasp at responsibilities that are not yours to grab.

      BRRABillB 1 Reply Last reply Reply Quote 0
      • BRRABillB
        BRRABill @scottalanmiller
        last edited by

        @scottalanmiller said

        reckless personal vendetta.

        That sounds like a prequel to the Lethal Weapon franchise.

        1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @BRRABill
          last edited by

          @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

          @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

          @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

          If I care about it, I'm not going to be handing it off.

          Now you've moved from IT into "recipient police" and are just off on a reckless personal vendetta. That's not appropriate for IT people to get involved in determining who should and should not be allowed to get PHI based on personal opinion.

          No no, I mean in things OTHER than PHI.

          If you are talking two companies with BAAs in place, then sure, my job is done when the secure connection is made.

          But if I am sending the proverbial ... body pics ... I don't want anyone's IT department to see them.

          That's up to their doctors or recipients. It's not your job to ensure that it gets to the "right" recipient internal to their organization, right? What if the doctor posts it on the wall? Not your concern, right? Impossible for you to do anything about that.

          1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @BRRABill
            last edited by

            @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

            Yes, these are all user issues, but ones that can be more mitigated with the solution I suggest.

            Can be, sure. But GPG can do that, too. Both cases do something that is unnecessary, complicated, creates actual risk for no benefit, costs time and money, makes things hard, encourages people to stop being secure, etc.

            1 Reply Last reply Reply Quote 0
            • BRRABillB
              BRRABill @scottalanmiller
              last edited by

              @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

              @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

              Or their system not being secure and other users being able to see the e-mail? What's to stop the other side's management from looking at all e-mails that come through?

              Nothing... not of any concern to you. Your job is done and the package is handed off. Why do you keep asking about someone else's problems? What if their systems are compromised right now? Do you care that data that is not yours to protect is stolen?

              Target had credit card data stolen. It wasn't yours nor your responsibility. Are you concerned about that? No, it's of no concern to you personally. You are choosing to grasp at responsibilities that are not yours to grab.

              Perhaps our posts are crossing in the wind.

              I am talking about sensitive data I may want to e-mail.

              Are you saying you trust e-mailing something more than using a web service such as ShareFile or even ODfB?

              I am NOT talking about my business responsibility. I'm talking about keeping my sensitive info out of the hands of people who should not have it.

              I agree with you that for HIPAA purposes, say, sending an e-mail over TLS, once the connection is made and the e-mail delivered, you are free of concern. That is unless you sent it to the wrong person by mistake. Oooops. Though you could say if I inadvertently sent the ShareFile login to the wrong person, the same thing would happen. But really, what are the risk numbers for both of those things happening?

              scottalanmillerS 4 Replies Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @BRRABill
                last edited by

                @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                I am talking about sensitive data I may want to e-mail.

                So am I. Sensitive data that you need to get to another organization. Data you don't want to make so complicated to send that people work around your security.

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @BRRABill
                  last edited by

                  @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                  Are you saying you trust e-mailing something more than using a web service such as ShareFile or even ODfB?

                  I can't state this enough.... yes. I trust email the most for getting sensitive data from one organization to another. (Within reason, encrypted drives, carried by armed military carriers on submarines, notwithstanding.)

                  1 Reply Last reply Reply Quote 0
                  • BRRABillB
                    BRRABill
                    last edited by

                    So if you had something personal you wanted to send...Not business related, just personal but highly sensitive...

                    You'd be OK just e-mailing?

                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @BRRABill
                      last edited by

                      @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                      I am NOT talking about my business responsibility. I'm talking about keeping my sensitive info out of the hands of people who should not have it.

                      Well stop. As an IT person you should never think that way. That's going to lead you down some terrible roads. If your goal is to have a super private conversation on a personal level that the government can't see, use Telegram with all the security cranked up. If we are talking IT in legal businesses, stick to email.

                      1 Reply Last reply Reply Quote 1
                      • scottalanmillerS
                        scottalanmiller @BRRABill
                        last edited by

                        @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                        So if you had something personal you wanted to send...Not business related, just personal but highly sensitive...

                        You'd be OK just e-mailing?

                        Personally, yes. Because I don't deal in drugs, state secrets or anything that I need to bother hiding from the government I would absolutely email anything that I am okay having be caught by legal discovery warrants.

                        DashrenderD 1 Reply Last reply Reply Quote 0
                        • BRRABillB
                          BRRABill
                          last edited by

                          @scottalanmiller

                          Well, I can't say I agree with you, but I understand your side.

                          Be curious to hear what others have to say. Though I seem to recall much of this same sort of discussion in @Dashrender's thread.

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @BRRABill
                            last edited by

                            @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                            I agree with you that for HIPAA purposes, say, sending an e-mail over TLS, once the connection is made and the e-mail delivered, you are free of concern. That is unless you sent it to the wrong person by mistake. Oooops. Though you could say if I inadvertently sent the ShareFile login to the wrong person, the same thing would happen. But really, what are the risk numbers for both of those things happening?

                            Risks are about the same - the risk of sending to wrong people is always there. With email, though, I suspect you could more easily automate some kinds of checks around that. In reality, that risk is decently high and people do it constantly regardless of the technology involved.

                            1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @BRRABill
                              last edited by

                              @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                              @scottalanmiller

                              Well, I can't say I agree with you, but I understand your side.

                              Be curious to hear what others have to say. Though I seem to recall much of this same sort of discussion in @Dashrender's thread.

                              The bigger question is really - what actual concerns do you have? What risk do you think you are trying to avoid?

                              DashrenderD 1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @scottalanmiller
                                last edited by

                                @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                But what if I don't trust the person at the other end?

                                So what? There is no reason to care. Trust them, don't trust them. Doesn't matter. That's why encrypted email is important.

                                And that right there makes me question the use of encrypted email.

                                Turning on TLS-only outbound messaging does not in any way encrypt the email itself. It only creates an encrypted tunnel through which email flows to another email server.

                                Therefore the email would be completely visible to anyone on the receiving side's email server.

                                BRRABillB scottalanmillerS 2 Replies Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                  @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                  So if you had something personal you wanted to send...Not business related, just personal but highly sensitive...

                                  You'd be OK just e-mailing?

                                  Personally, yes. Because I don't deal in drugs, state secrets or anything that I need to bother hiding from the government I would absolutely email anything that I am okay having be caught by legal discovery warrants.

                                  He's not even worried about that - he's worried about his nude selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

                                  And if you are really worried about that - then you MUST use something like GPG. But things that are less sensitive and just go between two email servers using TLS.

                                  1 Reply Last reply Reply Quote 0
                                  • DashrenderD
                                    Dashrender @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                    @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                    @scottalanmiller

                                    Well, I can't say I agree with you, but I understand your side.

                                    Be curious to hear what others have to say. Though I seem to recall much of this same sort of discussion in @Dashrender's thread.

                                    The bigger question is really - what actual concerns do you have? What risk do you think you are trying to avoid?

                                    @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                    @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                    @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                    So if you had something personal you wanted to send...Not business related, just personal but highly sensitive...

                                    You'd be OK just e-mailing?

                                    Personally, yes. Because I don't deal in drugs, state secrets or anything that I need to bother hiding from the government I would absolutely email anything that I am okay having be caught by legal discovery warrants.

                                    He's not even worried about that - he's worried about his nude selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

                                    And if you are really worried about that - then you MUST use something like GPG. But things that are less sensitive and just go between two email servers using TLS.

                                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                                    • BRRABillB
                                      BRRABill @Dashrender
                                      last edited by

                                      @Dashrender said

                                      Therefore the email would be completely visible to anyone on the receiving side's email server.

                                      I believe @scottalanmiller will say that doesn't matter and you shouldn't think about it.

                                      DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
                                      • DashrenderD
                                        Dashrender @BRRABill
                                        last edited by

                                        @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                        @Dashrender said

                                        Therefore the email would be completely visible to anyone on the receiving side's email server.

                                        I believe @scottalanmiller will say that doesn't matter and you shouldn't think about it.

                                        In a business setting he is correct. You have a BAA with the company. It's that company's responsibility to ensure their internal staff is doing the right thing, not yours. Your only responsibility in HIPAA here is to not transit the data over a public connection unencrypted.

                                        BRRABillB 1 Reply Last reply Reply Quote 0
                                        • BRRABillB
                                          BRRABill @Dashrender
                                          last edited by

                                          @Dashrender said

                                          In a business setting he is correct. You have a BAA with the company. It's that company's responsibility to ensure their internal staff is doing the right thing, not yours. Your only responsibility in HIPAA here is to not transit the data over a public connection unencrypted.

                                          I agree with this now.

                                          Still ain't sending my nudie pics. (HYPOTHETICAL. NO ONE WOULD WANT TO SEE THEM TRUST ME.)

                                          DashrenderD 1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @Dashrender
                                            last edited by

                                            @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                            @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                            @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                            But what if I don't trust the person at the other end?

                                            So what? There is no reason to care. Trust them, don't trust them. Doesn't matter. That's why encrypted email is important.

                                            And that right there makes me question the use of encrypted email.

                                            Turning on TLS-only outbound messaging does not in any way encrypt the email itself. It only creates an encrypted tunnel through which email flows to another email server.

                                            Therefore the email would be completely visible to anyone on the receiving side's email server.

                                            That's partially true. The email is encrypted in transit, so the email IS encrypted when it matters most. That it is decrypted at the other end is likely, but it might be immediately encrypted there as well. Encryption doesn't mean that someone else can't read it, just that only certain people can. That the email is visible to anyone is not realistically true. And the encryption of something like SendFile is exactly the same - it's only encrypted in transit. It's open once received on the other end. Anyone with access to the receiving computer can see it, or anyone with control of the keyed proxy chain. So you are back to the law being your protection in any business setting.

                                            1 Reply Last reply Reply Quote 0
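
The distinction argued in the posts above, TLS on each SMTP hop versus encryption of the message itself, can be checked on a delivered message. The following is an added example, not part of any post in this thread; the message, hostnames and addresses are constructed. It reads the `with` protocol keyword in each Received header (ESMTPS and its variants mean the hop ran over TLS) and separately checks whether the stored content is PGP or S/MIME encrypted.

```python
import re
from email import message_from_string

# Constructed message as it sits on the receiving server (hosts/addresses made up).
RAW = """\
Received: from mx.sender.example (mx.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTPS id abc123
\tfor <bob@recipient.example>; Mon, 01 Jan 2024 10:00:02 +0000
Received: from ws1.sender.example (ws1.sender.example [10.0.0.5])
\tby mx.sender.example with ESMTP id def456;
\tMon, 01 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: lab results
Content-Type: text/plain

Patient 1234: results attached.
"""

# "with" keywords that mean the hop ran over TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

def strip_comments(value):
    """Remove (possibly nested) comments such as '(using TLSv1.2 with cipher ...)'."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def hop_report(raw):
    """Return [(receiving_host, protocol, used_tls)], oldest hop first."""
    # Each server writes its own Received header; trust only those from servers you control.
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = strip_comments(" ".join(value.split()))
        by = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((by.group(1) if by else "?", name, name in TLS_PROTOCOLS))
    return hops

def body_is_message_encrypted(raw):
    """True only if the content itself is PGP or S/MIME encrypted."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return True
    if ctype == "application/pkcs7-mime" and msg.get_param("smime-type") == "enveloped-data":
        return True
    payload = msg.get_payload()
    return isinstance(payload, str) and "-----BEGIN PGP MESSAGE-----" in payload

if __name__ == "__main__":
    for host, proto, tls in hop_report(RAW):
        print(f"{host:24} {proto:8} {'TLS' if tls else 'cleartext hop'}")
    print("message-level encryption:", body_is_message_encrypted(RAW))
```
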