How to Require TLS for Outbound SMTP Connections with MDaemon
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said
In a business setting he is correct. You have a BAA with the company. It's that company's responsibility to ensure their internal staff is doing the right thing, not yours. You're only responsibiliy in HIPAA here is to not transit the data over a public connection unencrypted.
I agree with this now.
Still ain't sending my nudie pics. (HYPOTHETICAL. NO ONE WOULD WANT TO SEE THEM TRUST ME.)
The believe that anything short of fully encrypting the files (a la GPG) will prevent your pictures from being hacked is crazy.. it's like thinking snap chat will prevent your nudes from getting out there. Someone can screen capture the screen, or take a picture with another camera... bam again your picture are out there!
And even GPG... it's normally stripped on receipt. So like TLS, it generally vanishes instantly and automatically. The file cannot be viewed unless it is decrypted. So the encryption is guaranteed to be removed at some point.
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
LOL exactly!
Just like the nudes in Apple's iCloud. all those celebs. The transmission from the phone to iCloud was secure via TLS, but hacking (OK really password guessing) allowed hackers to gain access to their account where the photos were stored unencrypted (or even if they were encrypted, they were decrypted by the same apple ID and password) and bam hackers have your nudes.
But that was all hacking of accounts, not a flaw in the system.
it wasn't even hacking - it was guessing passwords - if you call that hacking, ok fine.. I don't.. but whatever.
I agree, it wasn't from a flaw in Apple's Security, it was a flaw in the person picking a password that was easy to guess for others.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
There's not? So any data minipulation that the receiving party needs to do to that data can all be done on sharefile's servers? sharefile integrates directly into whatever EHR is in use and can just access the data at will?
This seems unlikely. The data will almost assuredly need to be pulled out of sharefile and used in some other place. i.e. you send an Excel file via sharefile to the client... they probably don't have Excel online integrated into sharefile - so they would have to download the file and then edit it on their desktop, etc.
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
There's not? So any data minipulation that the receiving party needs to do to that data can all be done on sharefile's servers? sharefile integrates directly into whatever EHR is in use and can just access the data at will?
This seems unlikely. The data will almost assuredly need to be pulled out of sharefile and used in some other place. i.e. you send an Excel file via sharefile to the client... they probably don't have Excel online integrated into sharefile - so they would have to download the file and then edit it on their desktop, etc.
Again, you guys were discussing nude pictures.
Yeah, for real business data you would need to download.
But so would you for e-mail.
Except now I know you downloaded it.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
If there is no need for anyone to see it, why send it at all? The most secure file is one that never existed in the first place.
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
it wasn't even hacking - it was guessing passwords - if you call that hacking, ok fine.. I don't.. but whatever.
Social Engineering is classified as hacking. Always has been, even before hacking was a computer term.
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
There's not? So any data minipulation that the receiving party needs to do to that data can all be done on sharefile's servers? sharefile integrates directly into whatever EHR is in use and can just access the data at will?
This seems
unlikelyimpossible.FTFY
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
There's not? So any data minipulation that the receiving party needs to do to that data can all be done on sharefile's servers? sharefile integrates directly into whatever EHR is in use and can just access the data at will?
This seems unlikely. The data will almost assuredly need to be pulled out of sharefile and used in some other place. i.e. you send an Excel file via sharefile to the client... they probably don't have Excel online integrated into sharefile - so they would have to download the file and then edit it on their desktop, etc.
Again, you guys were discussing nude pictures.
Even pictures, if you want to display them, they have to be downloaded. SendFile or any service like that can't show you the images remotely and not have them downloaded to the local machine, it's physically impossible.
-
@scottalanmiller said
If there is no need for anyone to see it, why send it at all? The most secure file is one that never existed in the first place.
I want to go into a forest and contemplate this sentence for a bit.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
Except now I know you downloaded it.
I know that in either case. In one case, though, I know to whom I made the connection and sent the file. In the other I have to trust a third party that I gave the file to that they did or did not give it to the right person.
-
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
If there is no need for anyone to see it, why send it at all? The most secure file is one that never existed in the first place.
I live by this.
-
@travisdh1 said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
If there is no need for anyone to see it, why send it at all? The most secure file is one that never existed in the first place.
I live by this.
Yup, if no one wants to see you naked, don't take the pictures!
Is that what you meant?
-
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@travisdh1 said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
If there is no need for anyone to see it, why send it at all? The most secure file is one that never existed in the first place.
I live by this.
Yup, if no one wants to see you naked, don't take the pictures!
Is that what you meant?
Well, there was 1 person who liked seeing me naked....
Just in general. If it's not documented, it can't be "found".
-
I don't know why I didn't think of this right away. Must not have had my morning coffee yet, but MDaemon has a feature that allows you to specify which hosts or IPs require the use of STARTTLS. It's located under Security | Security Settings | SSL & TLS | STARTTLS Required List.
-
@brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:
I don't know why I didn't think of this right away. Must not have had my morning coffee yet, but MDaemon has a feature that allows you to specify which hosts or IPs require the use of STARTTLS. It's located under Security | Security Settings | SSL & TLS | STARTTLS Required List.
So how would you use that setting to accomplish what we want?
-
@brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:
I don't know why I didn't think of this right away. Must not have had my morning coffee yet, but MDaemon has a feature that allows you to specify which hosts or IPs require the use of STARTTLS. It's located under Security | Security Settings | SSL & TLS | STARTTLS Required List.
Cool, is there a way to specify "all"? Being able to list some is definitely a good start, though.
-
@scottalanmiller Not yet, but I believe this functionality may be in the works for a later release.
-
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:
I don't know why I didn't think of this right away. Must not have had my morning coffee yet, but MDaemon has a feature that allows you to specify which hosts or IPs require the use of STARTTLS. It's located under Security | Security Settings | SSL & TLS | STARTTLS Required List.
Cool, is there a way to specify "all"? Being able to list some is definitely a good start, though.
This is what was replied to me on the MD forum...
*Are you wanting this for your own users only, or for your own users plus all mail coming into your server from non-local senders?
Unless you are using a gateway or DomainPOP to retrieve incoming mail from non-local senders anything you do to try and prevent your own users from sending without encryption will affect incoming mail as well. And there's not a way to force servers not under your control to use encryption if they are not configured to use it.
Here are a couple of suggestions, but without knowing more about your environment, I can't say that it will work for you.
-
If all of your own users are going to be sending and receiving from the local network (on site, versus someone working from home or a hotel or a coffee shop out in the world), you could enable SSL, STARTTLS, and STLS under Security | Security Settings | SSL & TLS, and enabled the dedicated ports option as well. Then your users would all have to configure their mail clients to use the dedicated ports. Then you can block the non-SSL ports on your internal network, and only allow connections from outside your network to the MDaemon server.
-
If you're in a position where you can say "If you don't use encryption, I don't want mail send from your server" you could try setting a wildcard entry in the STARTTLS Required List under Security | Security Settings | SSL & TLS. For IPv4 it's ...
I'm not certain what the wildcard for all IPv6 addresses would be, and I don't have a test environment using it set up at the moment. If you need that, let me know and I will look into it for you. I don't really recommend this option at this time, it's likely to cause you headaches.
If you don't want to force all non-local incoming mail to use encryption, and you have users who connect to your server from outside your network, trying to force them to use encryption while letting non-local servers still connect without is difficult, and ends up being more a matter of user education & company policy than being technology based,
If you can share more about what your environment is like I might be able to give more suggestions.*
-
-
As mentioned in Item 2 of your last post, I was also going to mention using wildcard entries on the STARTTLS Required List. I would recommend testing this first, however, and review your MDaemon logs to ensure that the connection is using TLS.