Enabling RequireTLS on Exchange Send Connectors
-
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender also they got busted running in house, insecure email. Probably a lot of unsecured things that they thought they could make a quick buck running shoddily in house.
They both used external IT to manage at least their email.
Who was overseeing the external IT?
-
Ok - I'm waiting on final confirmation, but I'm pretty sure this is going to work.
I create a transport rule that looks for any email destine for @inebraska.com and denies the send unless you are a member of a specific group. While this still isn't perfectly locked down as I'd like (i.e. only to the single emails address on that domain), it's much better than a pure open connection.
While typing this I had another idea - sadly I can't mix them as the or operand appears to be the only option when having multiple exceptions on a rule. My thought was to only allow exceptions when sending to a specific email address and the sender being in the allowed group, but again - that darn operand.
I think allowing anyone in the company to email that one user, a user we know and trust, is better than allowing those in the allowed group to email anyone on the domain. Thoughts?
-
The above rules did work.
-
Well - today we have a hospital that doesn't have opportunistic enabled - they claim they have TLS enabled for outbound, but refuse it for inbound, nice.
They are looking into fixing this.
-
But everyone has it. It's a simple check box.
(SARCASM for @scottalanmiller
) -
@BRRABill said in Enabling RequireTLS on Exchange Send Connectors:
But everyone has it. It's a simple check box.
(SARCASM for @scottalanmiller
)In most of the cases where I've called, they have claimed misconfiguration as the reason it didn't work. In the cases of Cox and Internet Nebraska - both of these vendors purposefully made the choice to not have it.
-
The use of Require TLS is so low, that many SMTP providers will never realize they are misconfigured, or if there are problems caused by their security appliances, like the case of Cisco ASAs.
-
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@BRRABill said in Enabling RequireTLS on Exchange Send Connectors:
But everyone has it. It's a simple check box.
(SARCASM for @scottalanmiller
)In most of the cases where I've called, they have claimed misconfiguration as the reason it didn't work. In the cases of Cox and Internet Nebraska - both of these vendors purposefully made the choice to not have it.
WHich should have instantly caused any IT or business person to have avoided using them.
-
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@BRRABill said in Enabling RequireTLS on Exchange Send Connectors:
But everyone has it. It's a simple check box.
(SARCASM for @scottalanmiller
)In most of the cases where I've called, they have claimed misconfiguration as the reason it didn't work. In the cases of Cox and Internet Nebraska - both of these vendors purposefully made the choice to not have it.
WHich should have instantly caused any IT or business person to have avoided using them.
Are you talking about cox and Internet Nebraska, or all of them, including those who were misconfigured?
-
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@BRRABill said in Enabling RequireTLS on Exchange Send Connectors:
But everyone has it. It's a simple check box.
(SARCASM for @scottalanmiller
)In most of the cases where I've called, they have claimed misconfiguration as the reason it didn't work. In the cases of Cox and Internet Nebraska - both of these vendors purposefully made the choice to not have it.
WHich should have instantly caused any IT or business person to have avoided using them.
Are you talking about cox and Internet Nebraska, or all of them, including those who were misconfigured?
Cox and Nebraska. By refusing to properly configure email security they are "bad actors" and should not be allowed to be involved in any way. They are the enemy that we should protect against, not do business with.
-
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@BRRABill said in Enabling RequireTLS on Exchange Send Connectors:
But everyone has it. It's a simple check box.
(SARCASM for @scottalanmiller
)In most of the cases where I've called, they have claimed misconfiguration as the reason it didn't work. In the cases of Cox and Internet Nebraska - both of these vendors purposefully made the choice to not have it.
WHich should have instantly caused any IT or business person to have avoided using them.
Are you talking about cox and Internet Nebraska, or all of them, including those who were misconfigured?
Cox and Nebraska. By refusing to properly configure email security they are "bad actors" and should not be allowed to be involved in any way. They are the enemy that we should protect against, not do business with.
OH, well of course. I completely agree. And with our TLS required rule, we pretty much don't send email to them anymore (though, because we allow opportunistic TLS on inbound, we can accept email from them), with the exception as listed above, as required by management.
-
https://i.imgur.com/eJwqC0f.png
This picture doesn't really say much, and now that they've fixed their inbound TLS issue, perhaps the unencrypted number will be a lot smaller from now on... just thought I'd share what they shared.
