How to Require TLS for Outbound SMTP Connections with MDaemon
-
Let's lay out the risks here:
Email: File gets to the receiving organization safely. But once there, we are concerned that the organization may save it unencrypted to a file server (Exchange is a file server too, just a niche one) where "anyone" can access it. A hacker getting access can read it.
Super Cool Expensive Non-Email File Sending Service: File gets sent to the recipient at the organization who decrypts the file and saves it to their desktop and/or to the mapped drive on the central file server. Where, in the end, it is more likely to be exposed to hackers, other employees not restricted by the bounds of IT rules, etc.
Honestly, of the two, they are about equal in getting the email to the recipient. Of the two, I'd argue that both have the same final risk type of you not being able to control how data is stored. But the email type has the highest chance of being maintained in a more secure server rather than forcing an end user to store it somewhere random.
Bottom line, this is an illusion of control panic response. Once you send a file, it is out of your control. If you are talking about a spy sending to another spy where both really, really trust each other and each one goes through training and they both understand the risks and processes, there is something to be said for that. For any normal person, including personal friends... you need to understand that you are not in control of data that you send and you can't magically get that control by paying for some silly web site that runs a nice marketing campaign to make you feel safe.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said
In a business setting he is correct. You have a BAA with the company. It's that company's responsibility to ensure their internal staff is doing the right thing, not yours. You're only responsibiliy in HIPAA here is to not transit the data over a public connection unencrypted.
I agree with this now.
Still ain't sending my nudie pics. (HYPOTHETICAL. NO ONE WOULD WANT TO SEE THEM TRUST ME.)
The believe that anything short of fully encrypting the files (a la GPG) will prevent your pictures from being hacked is crazy.. it's like thinking snap chat will prevent your nudes from getting out there. Someone can screen capture the screen, or take a picture with another camera... bam again your picture are out there!
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
LOL exactly!
Just like the nudes in Apple's iCloud. all those celebs. The transmission from the phone to iCloud was secure via TLS, but hacking (OK really password guessing) allowed hackers to gain access to their account where the photos were stored unencrypted (or even if they were encrypted, they were decrypted by the same apple ID and password) and bam hackers have your nudes.
Right, they attacked the account. Do that to SendFile and the same problem exists.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
LOL exactly!
Just like the nudes in Apple's iCloud. all those celebs. The transmission from the phone to iCloud was secure via TLS, but hacking (OK really password guessing) allowed hackers to gain access to their account where the photos were stored unencrypted (or even if they were encrypted, they were decrypted by the same apple ID and password) and bam hackers have your nudes.
But that was all hacking of accounts, not a flaw in the system.
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said
In a business setting he is correct. You have a BAA with the company. It's that company's responsibility to ensure their internal staff is doing the right thing, not yours. You're only responsibiliy in HIPAA here is to not transit the data over a public connection unencrypted.
I agree with this now.
Still ain't sending my nudie pics. (HYPOTHETICAL. NO ONE WOULD WANT TO SEE THEM TRUST ME.)
The believe that anything short of fully encrypting the files (a la GPG) will prevent your pictures from being hacked is crazy.. it's like thinking snap chat will prevent your nudes from getting out there. Someone can screen capture the screen, or take a picture with another camera... bam again your picture are out there!
And even GPG... it's normally stripped on receipt. So like TLS, it generally vanishes instantly and automatically. The file cannot be viewed unless it is decrypted. So the encryption is guaranteed to be removed at some point.
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
LOL exactly!
Just like the nudes in Apple's iCloud. all those celebs. The transmission from the phone to iCloud was secure via TLS, but hacking (OK really password guessing) allowed hackers to gain access to their account where the photos were stored unencrypted (or even if they were encrypted, they were decrypted by the same apple ID and password) and bam hackers have your nudes.
But that was all hacking of accounts, not a flaw in the system.
it wasn't even hacking - it was guessing passwords - if you call that hacking, ok fine.. I don't.. but whatever.
I agree, it wasn't from a flaw in Apple's Security, it was a flaw in the person picking a password that was easy to guess for others.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
There's not? So any data minipulation that the receiving party needs to do to that data can all be done on sharefile's servers? sharefile integrates directly into whatever EHR is in use and can just access the data at will?
This seems unlikely. The data will almost assuredly need to be pulled out of sharefile and used in some other place. i.e. you send an Excel file via sharefile to the client... they probably don't have Excel online integrated into sharefile - so they would have to download the file and then edit it on their desktop, etc.
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
There's not? So any data minipulation that the receiving party needs to do to that data can all be done on sharefile's servers? sharefile integrates directly into whatever EHR is in use and can just access the data at will?
This seems unlikely. The data will almost assuredly need to be pulled out of sharefile and used in some other place. i.e. you send an Excel file via sharefile to the client... they probably don't have Excel online integrated into sharefile - so they would have to download the file and then edit it on their desktop, etc.
Again, you guys were discussing nude pictures.
Yeah, for real business data you would need to download.
But so would you for e-mail.
Except now I know you downloaded it.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
If there is no need for anyone to see it, why send it at all? The most secure file is one that never existed in the first place.
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
it wasn't even hacking - it was guessing passwords - if you call that hacking, ok fine.. I don't.. but whatever.
Social Engineering is classified as hacking. Always has been, even before hacking was a computer term.
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
There's not? So any data minipulation that the receiving party needs to do to that data can all be done on sharefile's servers? sharefile integrates directly into whatever EHR is in use and can just access the data at will?
This seems
unlikelyimpossible.FTFY
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
There's not? So any data minipulation that the receiving party needs to do to that data can all be done on sharefile's servers? sharefile integrates directly into whatever EHR is in use and can just access the data at will?
This seems unlikely. The data will almost assuredly need to be pulled out of sharefile and used in some other place. i.e. you send an Excel file via sharefile to the client... they probably don't have Excel online integrated into sharefile - so they would have to download the file and then edit it on their desktop, etc.
Again, you guys were discussing nude pictures.
Even pictures, if you want to display them, they have to be downloaded. SendFile or any service like that can't show you the images remotely and not have them downloaded to the local machine, it's physically impossible.
-
@scottalanmiller said
If there is no need for anyone to see it, why send it at all? The most secure file is one that never existed in the first place.
I want to go into a forest and contemplate this sentence for a bit.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
Except now I know you downloaded it.
I know that in either case. In one case, though, I know to whom I made the connection and sent the file. In the other I have to trust a third party that I gave the file to that they did or did not give it to the right person.
-
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
If there is no need for anyone to see it, why send it at all? The most secure file is one that never existed in the first place.
I live by this.
-
@travisdh1 said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
If there is no need for anyone to see it, why send it at all? The most secure file is one that never existed in the first place.
I live by this.
Yup, if no one wants to see you naked, don't take the pictures!
Is that what you meant?
-
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@travisdh1 said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
If there is no need for anyone to see it, why send it at all? The most secure file is one that never existed in the first place.
I live by this.
Yup, if no one wants to see you naked, don't take the pictures!
Is that what you meant?
Well, there was 1 person who liked seeing me naked....
Just in general. If it's not documented, it can't be "found".
-
I don't know why I didn't think of this right away. Must not have had my morning coffee yet, but MDaemon has a feature that allows you to specify which hosts or IPs require the use of STARTTLS. It's located under Security | Security Settings | SSL & TLS | STARTTLS Required List.