    How to Require TLS for Outbound SMTP Connections with MDaemon

    IT Discussion
    Tags: mdaemon, alt-n, smtp, tls, security, encryption, email
    82 Posts 6 Posters 17.6k Views
    • scottalanmiller @JaredBusch

      @JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:

      @brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:

      This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here:

      http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine

      Wow, to me this is a severe feature failure.

      We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email.

      At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email.

      Just to be clear, MDaemon offers TLS, it just doesn't offer requiring it. So if someone, like @BRRABill was using MDaemon, and someone with TLS-only from, say, Office 365 contacted them, it would still work (if TLS was enabled), there is just no protection for @BRRABill making outbound emails using MDaemon alone to ensure that anything without TLS will be blocked.

      Obviously he can fix this with something trivial like a Postfix proxy, but that's an extra complication that should not be needed.

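The Postfix relay idea mentioned above, as an added example that is not from the thread, from Alt-N or from the Postfix project: a main.cf fragment for a Postfix host that MDaemon uses as its smart host for all outbound mail, so that Postfix enforces the TLS requirement MDaemon cannot. The opportunistic setting (what "TLS enabled but not required" amounts to) is shown commented out next to the mandatory one. The MDaemon address, file paths and partner domain are assumptions.

```ini
# Added example: Postfix main.cf for a relay in front of MDaemon (assumed
# MDaemon host 192.0.2.10). MDaemon delivers everything to this host; Postfix
# then refuses to hand mail to any MX that will not negotiate TLS.

# Accept mail for relaying only from loopback and the MDaemon host.
mynetworks = 127.0.0.0/8, 192.0.2.10/32
relay_domains =

# Opportunistic TLS (the behaviour the thread describes): TLS is used when the
# remote MX advertises STARTTLS and mail silently falls back to cleartext
# otherwise. Shown only for contrast, so it is left commented out.
# smtp_tls_security_level = may

# Mandatory TLS: deliver only after a successful STARTTLS handshake and defer
# the message otherwise. No certificate verification at this level, so this
# stops passive interception but not an attacker who controls the MX.
smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Optional per-destination overrides: require certificate verification for
# partners you exchange PHI with, keep "encrypt" as the floor for everyone else.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Log every TLS negotiation so that destinations that start deferring after
# the change are visible in the mail log.
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
```

With `smtp_tls_security_level = encrypt`, a destination whose MX does not offer STARTTLS is deferred rather than bounced, so the message sits in the queue and retries until `maximal_queue_lifetime` (5 days by default) runs out; `mailq` and the `smtp_tls_loglevel = 1` log lines show which correspondents are affected. The assumed policy map holds one line per partner, for example `partner.example    verify`, and is compiled with `postmap /etc/postfix/tls_policy`.
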
      • scottalanmiller @JaredBusch

        @JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        @JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        @brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here:

        http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine

        Wow, to me this is a severe feature failure.

        We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email.

        At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email.

        yeah what @JaredBusch said 😄

        If you can dig up your old thread, could you post some new information in it? Such as any fallout or issues you have had? Or how much failure you had immediately after enabling this?

        Yeah, super interested in this.

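One way to estimate the fallout asked about above before flipping the switch, as an added example that is not code from the thread, from MDaemon or from Postfix: probe each correspondent's MX host for STARTTLS and a working handshake without sending any message. Every host that fails would start deferring once a mandatory-TLS policy is enabled. The decision logic takes the connection object as a parameter so it can be exercised offline; the host names and the `FakeSmtp` stand-in are constructed for illustration.

```python
"""Pre-flight check before switching outbound mail to "TLS required".

Added example, not from the thread. Asks each MX host whether it advertises
STARTTLS and whether the TLS handshake succeeds, using only EHLO and STARTTLS;
no message is ever sent. Host names below are constructed for illustration.
"""
import smtplib
import ssl
from dataclasses import dataclass


@dataclass
class TlsProbe:
    host: str
    starttls_offered: bool
    handshake_ok: bool
    detail: str


def probe_server(smtp, host: str) -> TlsProbe:
    """Run the check over a connected smtplib.SMTP-like object.

    Only EHLO, the advertised extension list and the STARTTLS handshake are
    exercised. Taking the connection as a parameter keeps the logic testable
    offline with a stand-in object (FakeSmtp below).
    """
    try:
        smtp.ehlo()
    except smtplib.SMTPException as exc:
        return TlsProbe(host, False, False, f"EHLO failed: {exc}")
    if not smtp.has_extn("starttls"):
        # Under an opportunistic policy mail to this host goes out in
        # cleartext; under a mandatory one it is deferred.
        return TlsProbe(host, False, False, "STARTTLS not advertised")
    try:
        smtp.starttls(context=ssl.create_default_context())
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        return TlsProbe(host, True, False, f"handshake failed: {exc}")
    return TlsProbe(host, True, True, "ok")


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> TlsProbe:
    """Connect to a real MX host over the network and run probe_server on it."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            return probe_server(smtp, host)
    except (OSError, smtplib.SMTPException) as exc:
        return TlsProbe(host, False, False, f"connect failed: {exc}")


def summarize(results):
    """Hosts that would defer under a mandatory-TLS policy, in probe order."""
    return [r.host for r in results if not r.handshake_ok]


class FakeSmtp:
    """Constructed offline stand-in for smtplib.SMTP, used by the demo below."""

    def __init__(self, extensions, handshake_ok=True):
        self.extensions = {e.lower() for e in extensions}
        self.handshake_ok = handshake_ok

    def ehlo(self):
        return 250, b"ok"

    def has_extn(self, name):
        return name.lower() in self.extensions

    def starttls(self, context=None):
        if not self.handshake_ok:
            raise ssl.SSLError("certificate verify failed (constructed)")
        return 220, b"ready"


# Constructed sample: one clean MX, one with no STARTTLS, one with a bad cert.
SAMPLE_SERVERS = {
    "mx.partner-a.example": FakeSmtp({"STARTTLS", "8BITMIME"}),
    "mx.legacy-b.example": FakeSmtp({"8BITMIME"}),
    "mx.partner-c.example": FakeSmtp({"STARTTLS"}, handshake_ok=False),
}


def run_sample():
    """Probe the constructed sample; returns (all results, hosts that would defer)."""
    results = [probe_server(s, h) for h, s in SAMPLE_SERVERS.items()]
    return results, summarize(results)


if __name__ == "__main__":
    results, deferred = run_sample()
    for r in results:
        print(f"{r.host:24} starttls={r.starttls_offered} ok={r.handshake_ok} {r.detail}")
    print("would defer under a mandatory-TLS policy:", deferred)
```

For a real check, replace the sample with `probe_mx(host)` over the MX hosts of the domains you actually send to (your outbound logs are the list to start from); the two failure classes are worth separating, since a missing STARTTLS needs a conversation with the other side while a failed handshake is often just an expired certificate.
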
        • scottalanmiller @BRRABill

          @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

          I still think a third party service (like ShareFile for Healthcare, as we use) is more of an all-around solution.

          In what way? Encrypted email is the most standard, most common, most general case solution. It's super mature and isn't a "service" but a mechanism. All of those things are service that require you to trust a third party vendor, have a BAA, hope that someone else doesn't get compromised, explain to users, explain to customers, learn individually, etc. Encrypted email is standard and transparent. No end user training, no slip ups. It's how security is meant to be - simple, effective and transparent.

          • scottalanmiller @BRRABill

            @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

            The paranoid me, though, will still never trust e-mail.

            That's irrational you, not paranoid you. Paranoia would drive you to email as the most secure, most protected of these options. It's the only one that doesn't require you to trust someone else, the only one that lets you instantly hand off responsibility. All the others add risk and complexity that, if you were paranoid, you'd be worried about.

            • scottalanmiller @BRRABill

              @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

              I know you're supposed to trust the IT on the other side, but ... eh.

              No, you are not. That's why encrypted email is so good, the moment the connection happens, you have zero need to trust their IT. It's not your problem in any way after that point. You've done your job to the demarcation point and are in the clear.

              If you use a third party non-email service then and only then must you trust their IT (and it's IT of some random vendor that you likely don't know at all) because they now control your data that you remain responsible for. That's why they have to provide you with a BAA and you have to trust them to stick to it because they are a service acting on your behalf.

              All of your stated concerns and paranoia would push you to encrypted email as the answer that best suits your desired outcomes.

              • BRRABill @scottalanmiller

                @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                The paranoid me, though, will still never trust e-mail.

                That's irrational you, not paranoid you. Paranoia would drive you to email as the most secure, most protected of these options. It's the only one that doesn't require you to trust someone else, the only one that lets you instantly hand off responsibility. All the others add risk and complexity that, if you were paranoid, you'd be worried about.

                But what if I don't trust the person at the other end?

                If I care about it, I'm not going to be handing it off.

                Now, granted, there is also someone to trust at, say, ShareFile. But if I was really concerned I could encrypt the file before storing it there.

                What's to stop the other side's IT from opening my mail when they weren't supposed to? Or their system not being secure and other users being able to see the e-mail? What's to stop the other side's management from looking at all e-mails that come through?

                Granted, you would hope that people you are exchanging PHI with would not have this issue. But I am talking more about e-mail in general.

                Yes, these are all user issues, but ones that can be more mitigated with the solution I suggest.

                • scottalanmiller @BRRABill

                  @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                  But what if I don't trust the person at the other end?

                  So what? There is no reason to care. Trust them, don't trust them. Doesn't matter. That's why encrypted email is important.

                  • BRRABill @scottalanmiller

                    @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                    @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                    I know you're supposed to trust the IT on the other side, but ... eh.

                    No, you are not. That's why encrypted email is so good, the moment the connection happens, you have zero need to trust their IT. It's not your problem in any way after that point. You've done your job to the demarcation point and are in the clear.

                    If you use a third party non-email service then and only then must you trust their IT (and it's IT of some random vendor that you likely don't know at all) because they now control your data that you remain responsible for. That's why they have to provide you with a BAA and you have to trust them to stick to it because they are a service acting on your behalf.

                    All of your stated concerns and paranoia would push you to encrypted email as the answer that best suits your desired outcomes.

                    It's not my problem if all I care about is a CYA to deliver the data securely.

                    • scottalanmiller @BRRABill

                      @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                      If I care about it, I'm not going to be handing it off.

                      Now you've moved from IT into "recipient police" and are just off on a reckless personal vendetta. That's not appropriate for IT people to get involved in determining who should and should not be allowed to get PHI based on personal opinion.

                      • scottalanmiller @BRRABill

                        @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                        Now, granted, there is also someone to trust at, say, ShareFile. But if I was really concerned I could encrypt the file before storing it there.

                        No, there are hundreds of people that you must trust by law at ShareFile. HIPAA makes you responsible to have to trust them. With encrypted email, wanting to trust someone is something you are deciding to care about personally and is not related to HIPAA or business requirements.

                        • scottalanmiller @BRRABill

                          @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                          What's to stop the other side's IT from opening my mail when they weren't supposed to?

                          Nothing, and it isn't your concern.

                          • BRRABill @scottalanmiller

                            @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                            @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                            If I care about it, I'm not going to be handing it off.

                            Now you've moved from IT into "recipient police" and are just off on a reckless personal vendetta. That's not appropriate for IT people to get involved in determining who should and should not be allowed to get PHI based on personal opinion.

                            No no, I mean in things OTHER than PHI.

                            If you are talking two companies with BAAs in place, then sure, my job is done when the secure connection is made.

                            But if I am sending the proverbial ... body pics ... I don't want anyone's IT department to see them.

                            • scottalanmiller @BRRABill

                              @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                              Or their system not being secure and other users being able to see the e-mail? What's to stop the other side's management from looking at all e-mails that come through?

                              Nothing... not of any concern to you. Your job is done and the package is handed off. Why do you keep asking about someone else's problems? What if their systems are compromised right now? Do you care that data that is not yours to protect is stolen?

                              Target had credit card data stolen. It wasn't yours nor your responsibility. Are you concerned about that? No, it's of no concern to you personally. You are choosing to grasp at responsibilities that are not yours to grab.

                              • BRRABill @scottalanmiller

                                @scottalanmiller said

                                reckless personal vendetta.

                                That sounds like a prequel to the Lethal Weapon franchise.

                                • scottalanmiller @BRRABill

                                  @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                  @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                  @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                  If I care about it, I'm not going to be handing it off.

                                  Now you've moved from IT into "recipient police" and are just off on a reckless personal vendetta. That's not appropriate for IT people to get involved in determining who should and should not be allowed to get PHI based on personal opinion.

                                  No no, I mean in things OTHER than PHI.

                                  If you are talking two companies with BAAs in place, then sure, my job is done when the secure connection is made.

                                  But if I am sending the proverbial ... body pics ... I don't want anyone's IT department to see them.

                                  That's up to their doctors or recipients. It's not your job to ensure that it gets to the "right" recipient internal to their organization, right? What if the doctor posts it on the wall? Not your concern, right? Impossible for you to do anything about that.

                                  • scottalanmiller @BRRABill

                                    @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                    Yes, these are all user issues, but ones that can be more mitigated with the solution I suggest.

                                    Can be, sure. But GPG can do that, too. Both cases do something that is unnecessary, complicated, creates actual risk for no benefit, costs time and money, make things hard, encourage people to stop being secure, etc.

                                    • BRRABill @scottalanmiller

                                      @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                      @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                      Or their system not being secure and other users being able to see the e-mail? What's to stop the other side's management from looking at all e-mails that come through?

                                      Nothing... not of any concern to you. Your job is done and the package is handed off. Why do you keep asking about someone else's problems? What if their systems are compromised right now? Do you care that data that is not yours to protect is stolen?

                                      Target had credit card data stolen. It wasn't yours nor your responsibility. Are you concerned about that? No, it's of no concern to you personally. You are choosing to grasp at responsibilities that are not yours to grab.

                                      Perhaps our posts are crossing in the wind.

                                      I am talking about sensitive data I may want to e-mail.

                                      Are you saying you trust e-mailing something more than using a web service such as ShareFile or even ODfB?

                                      I am NOT talking about my business responsibility. I'm talking about keeping my sensitive info out of the hands of people who should not have it.

                                      I agree with you that for HIPAA purposes, say, sending an e-mail over TLS, once the connection is made and the e-mail delivered, you are free of concern. That is unless you sent it to the wrong person by mistake. Oooops. Though you could say if I inadvertently sent the ShareFile login to the wrong person, the same thing would happen. But really, what are the risk numbers for both of those things happening?

                                      • scottalanmiller @BRRABill

                                        @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                        I am talking about sensitive data I may want to e-mail.

                                        So am I. Sensitive data that you need to get to another organization. Data you don't want to make so complicated to send that people work around your security.

                                        • scottalanmiller @BRRABill

                                          @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                          Are you saying you trust e-mailing something more than using a web service such as ShareFile or even ODfB?

                                          I can't state this enough.... yes. I trust email the most for getting sensitive data from one organization to another. (Within reason, encrypted drives, carried by armed military carriers on submarines, notwithstanding.)

                                          • BRRABill

                                            So if you had something personal you wanted to send...Not business related, just personal but highly sensitive...

                                            You'd be OK just e-mailing?
