ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    How to Require TLS for Outbound SMTP Connections with MDaemon

    IT Discussion
    mdaemon alt-n smtp tls security encryption email
    6
    82
    13.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DashrenderD
      Dashrender @scottalanmiller
      last edited by

      @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

      @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

      But what if I don't trust the person at the other end?

      So what? There is no reason to care. Trust them, don't trust them. Doesn't matter. That's why encrypted email is important.

      And that right there makes me question the use of encrypted email.

      Turning on TLS only outbound messaging does not in anyway encrypt the email itself. It only creates an encrypted tunnel through which email flows to another email server.

      Therefore the email would be completely visible to anyone on the receiving side's email server.

      BRRABillB scottalanmillerS 2 Replies Last reply Reply Quote 0
      • DashrenderD
        Dashrender @scottalanmiller
        last edited by

        @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        So if you had something personal you wanted to send...Not business related, just personal but highly sensitive...

        You'd be OK just e-mailing?

        Personally, yes. Because I don't deal in drugs, state secrets or anything that I need to bother hiding from the government I would absolutely email anything that I am okay having be caught by legal discovery warrants.

        He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

        And if you are really worried about that - then you MUST use something like GPG. But things that are less sensitive and just go between two email server using TLS.

        1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender @scottalanmiller
          last edited by

          @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

          @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

          @scottalanmiller

          Well, I can't say I agree with you, but I understand your side.

          Be curious to hear what others have to say. Though I seem to recall much of this same sort of discussion in @Dashrender's thread.

          The bigger question is really - what actual concerns do you have? What risk do you think you are trying to avoid?

          @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

          @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

          @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

          So if you had something personal you wanted to send...Not business related, just personal but highly sensitive...

          You'd be OK just e-mailing?

          Personally, yes. Because I don't deal in drugs, state secrets or anything that I need to bother hiding from the government I would absolutely email anything that I am okay having be caught by legal discovery warrants.

          He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

          And if you are really worried about that - then you MUST use something like GPG. But things that are less sensitive and just go between two email server using TLS.

          scottalanmillerS 1 Reply Last reply Reply Quote 0
          • BRRABillB
            BRRABill @Dashrender
            last edited by

            @Dashrender said

            Therefore the email would be completely visible to anyone on the receiving side's email server.

            I believe @scottalanmiller will say that doesn't matter and you shouldn't think about it.

            DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
            • DashrenderD
              Dashrender @BRRABill
              last edited by

              @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

              @Dashrender said

              Therefore the email would be completely visible to anyone on the receiving side's email server.

              I believe @scottalanmiller will say that doesn't matter and you shouldn't think about it.

              In a business setting he is correct. You have a BAA with the company. It's that company's responsibility to ensure their internal staff is doing the right thing, not yours. You're only responsibiliy in HIPAA here is to not transit the data over a public connection unencrypted.

              BRRABillB 1 Reply Last reply Reply Quote 0
              • BRRABillB
                BRRABill @Dashrender
                last edited by

                @Dashrender said

                In a business setting he is correct. You have a BAA with the company. It's that company's responsibility to ensure their internal staff is doing the right thing, not yours. You're only responsibiliy in HIPAA here is to not transit the data over a public connection unencrypted.

                I agree with this now.

                Still ain't sending my nudie pics. (HYPOTHETICAL. NO ONE WOULD WANT TO SEE THEM TRUST ME.)

                DashrenderD 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Dashrender
                  last edited by

                  @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                  @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                  @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                  But what if I don't trust the person at the other end?

                  So what? There is no reason to care. Trust them, don't trust them. Doesn't matter. That's why encrypted email is important.

                  And that right there makes me question the use of encrypted email.

                  Turning on TLS only outbound messaging does not in anyway encrypt the email itself. It only creates an encrypted tunnel through which email flows to another email server.

                  Therefore the email would be completely visible to anyone on the receiving side's email server.

                  That's partially true. The email is encrypted in transit, so the email IS encrypted when it matters most. That it is decrypted at the other end is likely, but it might be immediately encrypted there as well. Encryption doesn't mean that someone else can't read it, just that only certain people can. That the email is visible to anyone is not realistically true. And the encryption of something like SendFile is exactly the same - it's only encrypted in transit. It's open once received on the other end. Anyone with access to the receiving computer can see it, or anyone with control of the keyed proxy chain. So you are back to the law being your protection in any business setting.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @BRRABill
                    last edited by

                    @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                    @Dashrender said

                    Therefore the email would be completely visible to anyone on the receiving side's email server.

                    I believe @scottalanmiller will say that doesn't matter and you shouldn't think about it.

                    That's correct. Unless you are doing something criminal, why do you care?

                    1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @Dashrender
                      last edited by

                      @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                      He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

                      Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.

                      BRRABillB DashrenderD 2 Replies Last reply Reply Quote 0
                      • BRRABillB
                        BRRABill @scottalanmiller
                        last edited by

                        @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                        @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                        He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

                        Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.

                        SendFile would be web-based. Your favorite!

                        DashrenderD 1 Reply Last reply Reply Quote 0
                        • DashrenderD
                          Dashrender @scottalanmiller
                          last edited by

                          @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                          @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                          He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

                          Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.

                          LOL exactly!

                          Just like the nudes in Apple's iCloud. all those celebs. The transmission from the phone to iCloud was secure via TLS, but hacking (OK really password guessing) allowed hackers to gain access to their account where the photos were stored unencrypted (or even if they were encrypted, they were decrypted by the same apple ID and password) and bam hackers have your nudes.

                          scottalanmillerS BRRABillB 2 Replies Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller
                            last edited by

                            Let's lay out the risks here:

                            Email: File gets to the receiving organization safely. But once there, we are concerned that the organization may save it unencrypted to a file server (Exchange is a file server too, just a niche one) where "anyone" can access it. A hacker getting access can read it.

                            Super Cool Expensive Non-Email File Sending Service: File gets sent to the recipient at the organization who decrypts the file and saves it to their desktop and/or to the mapped drive on the central file server. Where, in the end, it is more likely to be exposed to hackers, other employees not restricted by the bounds of IT rules, etc.

                            Honestly, of the two, they are about equal in getting the email to the recipient. Of the two, I'd argue that both have the same final risk type of you not being able to control how data is stored. But the email type has the highest chance of being maintained in a more secure server rather than forcing an end user to store it somewhere random.

                            Bottom line, this is an illusion of control panic response. Once you send a file, it is out of your control. If you are talking about a spy sending to another spy where both really, really trust each other and each one goes through training and they both understand the risks and processes, there is something to be said for that. For any normal person, including personal friends... you need to understand that you are not in control of data that you send and you can't magically get that control by paying for some silly web site that runs a nice marketing campaign to make you feel safe.

                            1 Reply Last reply Reply Quote 1
                            • DashrenderD
                              Dashrender @BRRABill
                              last edited by

                              @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                              @Dashrender said

                              In a business setting he is correct. You have a BAA with the company. It's that company's responsibility to ensure their internal staff is doing the right thing, not yours. You're only responsibiliy in HIPAA here is to not transit the data over a public connection unencrypted.

                              I agree with this now.

                              Still ain't sending my nudie pics. (HYPOTHETICAL. NO ONE WOULD WANT TO SEE THEM TRUST ME.)

                              The believe that anything short of fully encrypting the files (a la GPG) will prevent your pictures from being hacked is crazy.. it's like thinking snap chat will prevent your nudes from getting out there. Someone can screen capture the screen, or take a picture with another camera... bam again your picture are out there! 🙂

                              scottalanmillerS 1 Reply Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @Dashrender
                                last edited by

                                @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

                                Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.

                                LOL exactly!

                                Just like the nudes in Apple's iCloud. all those celebs. The transmission from the phone to iCloud was secure via TLS, but hacking (OK really password guessing) allowed hackers to gain access to their account where the photos were stored unencrypted (or even if they were encrypted, they were decrypted by the same apple ID and password) and bam hackers have your nudes.

                                Right, they attacked the account. Do that to SendFile and the same problem exists.

                                1 Reply Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender @BRRABill
                                  last edited by

                                  @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                  @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                  @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                  He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

                                  Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.

                                  SendFile would be web-based. Your favorite!

                                  So?

                                  BRRABillB 1 Reply Last reply Reply Quote 0
                                  • BRRABillB
                                    BRRABill @Dashrender
                                    last edited by

                                    @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                    @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                    @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                    He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

                                    Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.

                                    LOL exactly!

                                    Just like the nudes in Apple's iCloud. all those celebs. The transmission from the phone to iCloud was secure via TLS, but hacking (OK really password guessing) allowed hackers to gain access to their account where the photos were stored unencrypted (or even if they were encrypted, they were decrypted by the same apple ID and password) and bam hackers have your nudes.

                                    But that was all hacking of accounts, not a flaw in the system.

                                    DashrenderD 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Dashrender
                                      last edited by

                                      @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                      @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                      @Dashrender said

                                      In a business setting he is correct. You have a BAA with the company. It's that company's responsibility to ensure their internal staff is doing the right thing, not yours. You're only responsibiliy in HIPAA here is to not transit the data over a public connection unencrypted.

                                      I agree with this now.

                                      Still ain't sending my nudie pics. (HYPOTHETICAL. NO ONE WOULD WANT TO SEE THEM TRUST ME.)

                                      The believe that anything short of fully encrypting the files (a la GPG) will prevent your pictures from being hacked is crazy.. it's like thinking snap chat will prevent your nudes from getting out there. Someone can screen capture the screen, or take a picture with another camera... bam again your picture are out there! 🙂

                                      And even GPG... it's normally stripped on receipt. So like TLS, it generally vanishes instantly and automatically. The file cannot be viewed unless it is decrypted. So the encryption is guaranteed to be removed at some point.

                                      1 Reply Last reply Reply Quote 0
                                      • BRRABillB
                                        BRRABill @Dashrender
                                        last edited by

                                        @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                        @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                        @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                        @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                        He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

                                        Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.

                                        SendFile would be web-based. Your favorite!

                                        So?

                                        So there is no need for local download.

                                        DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
                                        • DashrenderD
                                          Dashrender @BRRABill
                                          last edited by

                                          @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                          @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                          @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                          @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                          He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

                                          Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.

                                          LOL exactly!

                                          Just like the nudes in Apple's iCloud. all those celebs. The transmission from the phone to iCloud was secure via TLS, but hacking (OK really password guessing) allowed hackers to gain access to their account where the photos were stored unencrypted (or even if they were encrypted, they were decrypted by the same apple ID and password) and bam hackers have your nudes.

                                          But that was all hacking of accounts, not a flaw in the system.

                                          it wasn't even hacking - it was guessing passwords - if you call that hacking, ok fine.. I don't.. but whatever.

                                          I agree, it wasn't from a flaw in Apple's Security, it was a flaw in the person picking a password that was easy to guess for others.

                                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender @BRRABill
                                            last edited by

                                            @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                            @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                            @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                            @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                            @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                            He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

                                            Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.

                                            SendFile would be web-based. Your favorite!

                                            So?

                                            So there is no need for local download.

                                            There's not? So any data minipulation that the receiving party needs to do to that data can all be done on sharefile's servers? sharefile integrates directly into whatever EHR is in use and can just access the data at will?

                                            This seems unlikely. The data will almost assuredly need to be pulled out of sharefile and used in some other place. i.e. you send an Excel file via sharefile to the client... they probably don't have Excel online integrated into sharefile - so they would have to download the file and then edit it on their desktop, etc.

                                            BRRABillB scottalanmillerS 2 Replies Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 3 / 5
                                            • First post
                                              Last post