    How to Require TLS for Outbound SMTP Connections with MDaemon

    IT Discussion
    Tags: mdaemon, alt-n, smtp, tls, security, encryption, email
    82 Posts 6 Posters 17.6k Views
    scottalanmiller, replying to @travisdh1:

      @travisdh1 said in How to Require TLS for Outbound SMTP Connections with MDaemon:

      @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

      @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

      @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

      @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

      @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

      @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

      He's not even worried about that - he's worried about his nude selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

      Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.

      SendFile would be web-based. Your favorite!

      So?

      So there is no need for local download.

      If there is no need for anyone to see it, why send it at all? The most secure file is one that never existed in the first place.

      I live by this.

      Yup, if no one wants to see you naked, don't take the pictures!

      Is that what you meant?

    travisdh1, replying to @scottalanmiller:

        @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        @travisdh1 said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

        He's not even worried about that - he's worried about his nude selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.

        Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.

        SendFile would be web-based. Your favorite!

        So?

        So there is no need for local download.

        If there is no need for anyone to see it, why send it at all? The most secure file is one that never existed in the first place.

        I live by this.

        Yup, if no one wants to see you naked, don't take the pictures!

        Is that what you meant?

        Well, there was 1 person who liked seeing me naked....

        Just in general. If it's not documented, it can't be "found".

    brad_altn (Vendor):

          I don't know why I didn't think of this right away. Must not have had my morning coffee yet, but MDaemon has a feature that allows you to specify which hosts or IPs require the use of STARTTLS. It's located under Security | Security Settings | SSL & TLS | STARTTLS Required List.

    BRRABill, replying to @brad_altn:

            @brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:

            I don't know why I didn't think of this right away. Must not have had my morning coffee yet, but MDaemon has a feature that allows you to specify which hosts or IPs require the use of STARTTLS. It's located under Security | Security Settings | SSL & TLS | STARTTLS Required List.

            So how would you use that setting to accomplish what we want?

    scottalanmiller, replying to @brad_altn:

              @brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:

              I don't know why I didn't think of this right away. Must not have had my morning coffee yet, but MDaemon has a feature that allows you to specify which hosts or IPs require the use of STARTTLS. It's located under Security | Security Settings | SSL & TLS | STARTTLS Required List.

              Cool, is there a way to specify "all"? Being able to list some is definitely a good start, though.

    brad_altn (Vendor), replying to @scottalanmiller:

                @scottalanmiller Not yet, but I believe this functionality may be in the works for a later release.

    BRRABill, replying to @scottalanmiller:

                  @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                  @brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                  I don't know why I didn't think of this right away. Must not have had my morning coffee yet, but MDaemon has a feature that allows you to specify which hosts or IPs require the use of STARTTLS. It's located under Security | Security Settings | SSL & TLS | STARTTLS Required List.

                  Cool, is there a way to specify "all"? Being able to list some is definitely a good start, though.

                  This is what was replied to me on the MD forum...

                  *Are you wanting this for your own users only, or for your own users plus all mail coming into your server from non-local senders?

                  Unless you are using a gateway or DomainPOP to retrieve incoming mail from non-local senders anything you do to try and prevent your own users from sending without encryption will affect incoming mail as well. And there's not a way to force servers not under your control to use encryption if they are not configured to use it.

                  Here are a couple of suggestions, but without knowing more about your environment, I can't say that it will work for you.

                  1. If all of your own users are going to be sending and receiving from the local network (on site, versus someone working from home or a hotel or a coffee shop out in the world), you could enable SSL, STARTTLS, and STLS under Security | Security Settings | SSL & TLS, and enable the dedicated ports option as well. Then your users would all have to configure their mail clients to use the dedicated ports. Then you can block the non-SSL ports on your internal network, and only allow connections from outside your network to the MDaemon server.

                  2. If you're in a position where you can say "If you don't use encryption, I don't want mail sent from your server" you could try setting a wildcard entry in the STARTTLS Required List under Security | Security Settings | SSL & TLS. For IPv4 it's ...
                    I'm not certain what the wildcard for all IPv6 addresses would be, and I don't have a test environment using it set up at the moment. If you need that, let me know and I will look into it for you. I don't really recommend this option at this time, it's likely to cause you headaches.

                  If you don't want to force all non-local incoming mail to use encryption, and you have users who connect to your server from outside your network, trying to force them to use encryption while letting non-local servers still connect without is difficult, and ends up being more a matter of user education & company policy than being technology based.

                  If you can share more about what your environment is like I might be able to give more suggestions.*

    brad_altn (Vendor):

                    As mentioned in Item 2 of your last post, I was also going to mention using wildcard entries on the STARTTLS Required List. I would recommend testing this first, however, and review your MDaemon logs to ensure that the connection is using TLS.

    Dashrender:
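The test brad_altn recommends (try it first and confirm the session really negotiated TLS), written out as a small script. This is an added example, not MDaemon's or Alt-N's code, and it does not touch the STARTTLS Required List at all: it parses a remote server's EHLO reply, applies a "no STARTTLS means defer, never fall back to plaintext" rule of the kind Dashrender describes for Exchange send connectors, and can probe a real MX with certificate verification turned on. The host names mx.example.net and mx.example.org and the two EHLO replies are constructed for illustration; the optional command-line target is an assumption of this example.

```python
"""
Added example (not MDaemon code): an outbound "require TLS" check for a
remote MX. Offline, it parses constructed EHLO replies; online, it connects,
insists on STARTTLS, verifies the certificate and reports protocol and cipher.
"""
import smtplib
import ssl
import sys


class TlsRequiredError(Exception):
    """Raised when policy forbids delivering to this MX in clear text."""


def parse_ehlo(reply: bytes) -> dict:
    """Parse an EHLO reply into {KEYWORD: [params]}.

    Accepts both the raw wire form ("250-STARTTLS") and the form smtplib
    returns from ehlo(), which has the "250-" prefixes stripped. The first
    line is the server greeting, not a capability, so it is skipped.
    Keywords are upper-cased because RFC 5321 treats them case-insensitively.
    """
    caps = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        if len(line) >= 4 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]  # drop "250-" / "250 "
        fields = line.split()
        if fields:
            caps[fields[0].upper()] = fields[1:]
    return caps


def outbound_policy(caps: dict) -> str:
    """'send-tls' if the MX offers STARTTLS, otherwise 'defer'.

    'defer' means queue the message and retry later; the one thing the
    caller must never do with 'defer' is send in plaintext.
    """
    return "send-tls" if "STARTTLS" in caps else "defer"


def check_remote_tls(host: str, port: int = 25, timeout: float = 10.0,
                     verify: bool = True) -> dict:
    """Connect to an MX, require STARTTLS and report the negotiated session.

    verify=True validates the chain against the system trust store and
    checks the hostname, which is stricter than the opportunistic TLS most
    MTAs do; set it to False only to see what an unverified peer offers.
    Any handshake failure propagates as an exception, so nothing is sent.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, ehlo_reply = smtp.ehlo()
        if outbound_policy(parse_ehlo(ehlo_reply)) == "defer":
            raise TlsRequiredError(
                f"{host}:{port} does not advertise STARTTLS; deferring, not sending")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read after the upgrade
        return {"host": host,
                "protocol": smtp.sock.version(),
                "cipher": smtp.sock.cipher()[0]}


# Constructed EHLO replies for offline testing (not captured from a real server).
EHLO_WITH_TLS = (b"250-mx.example.net Hello client.example.com\r\n"
                 b"250-SIZE 52428800\r\n"
                 b"250-STARTTLS\r\n"
                 b"250 8BITMIME\r\n")
EHLO_PLAINTEXT_ONLY = (b"250-mx.example.org Hello client.example.com\r\n"
                       b"250 SIZE 10485760\r\n")


if __name__ == "__main__":
    # Assumed usage: python require_tls_check.py <mx-hostname> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.example.net"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    try:
        print(check_remote_tls(target, port))
    except TlsRequiredError as exc:
        print("POLICY FAIL:", exc)
        sys.exit(1)
```

Run it against each partner MX before enabling a required-TLS rule; a partner that only ever answers with the second kind of reply is one whose mail will stop flowing once the rule is on, which is exactly the "headache" the MDaemon forum reply warns about.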

                      Interesting - why would both incoming and outgoing be affected at the same time? Is that by design?

                      With, say, Exchange, I can set up the inbound SMTP to be opportunistically TLS, but fail to no security, but on sending outbound email to require TLS, otherwise fail and do not send the email.

                      The belief/understanding is that HIPAA only requires you to secure what you are sending others, not what others are sending you. So to cover your side of HIPAA you (us) only care about how you send data to others, hence the restriction to only sending outbound over TLS.

    BRRABill, replying to @Dashrender:

                        @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                        Interesting - why would both incoming and outgoing be affected at the same time? Is that by design?

                        With, say, Exchange, I can set up the inbound SMTP to be opportunistically TLS, but fail to no security, but on sending outbound email to require TLS, otherwise fail and do not send the email.

                        The belief/understanding is that HIPAA only requires you to secure what you are sending others, not what others are sending you. So to cover your side of HIPAA you (us) only care about how you send data to others, hence the restriction to only sending outbound over TLS.

                        @brad_altn

                        This is the root of what we are trying to get at.

    JaredBusch, replying to @BRRABill:

                          @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                          *Are you wanting this for your own users only, or for your own users plus all mail coming into your server from non-local senders?

                          Whoever posted this is horribly confused. They are talking about inbound mail.

                          Now maybe your post there was not clear?

    scottalanmiller, replying to @JaredBusch:

                            @JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                            @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                            *Are you wanting this for your own users only, or for your own users plus all mail coming into your server from non-local senders?

                            Whoever posted this is horribly confused. They are talking about inbound mail.

                            Now maybe your post there was not clear?

                            Users on the same system don't use SMTP 🙂 There is nothing to encrypt. I'm going with someone being confused.

    BRRABill, replying to @JaredBusch:

                              @JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                              @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                              *Are you wanting this for your own users only, or for your own users plus all mail coming into your server from non-local senders?

                              Whoever posted this is horribly confused. They are talking about inbound mail.

                              Now maybe your post there was not clear?

                              I think what he meant was encrypted from the e-mail client (Outlook, Webmail) to the MD server.

                              I asked about encrypting all incoming and outgoing mail. So as usual I can see how someone might be able to misinterpret.

    scottalanmiller, replying to @BRRABill:

                                @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

                                I think what he meant was encrypted from the e-mail client (Outlook, Webmail) to the MD server.

                                That's confusing because it isn't email at that point but is just an internal application API. If it is Outlook, for example, it talks directly with Exchange as a client manipulating stuff on Exchange. If it is OWA, it's Exchange that you are looking at directly (the "email" is still on Exchange.)
