How to Require TLS for Outbound SMTP Connections with MDaemon
- 
 @brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon: This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here: http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine Thanks for getting back. I'd say that this needs to be very high on the wish list as this is considered necessary or, at the very least prudent, for HIPAA compliance and some other security scenarios where using TLS only email is rather often a recommendation. 
- 
 @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon: Also can you speak to the HIPAA compliant section of your website? It looks to me that MDaemon needs an additional piece of software to be compliant. (Another discussion I was having!) He can't because software is not HIPAA compliant conceptually. It is how it is used. There are no HIPAA requirements strictly for email, so there is no way to certify software in that manner. At a simpler level, consider paper. Is paper HIPAA compliant? No, it's just paper. How you use that paper, store it, destroy it, etc. determines if the use of paper was HIPAA compliant. HIPAA certifies verbs (how things are done), not nouns (things used). 
- 
 @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon: @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon: Also can you speak to the HIPAA compliant section of your website? It looks to me that MDaemon needs an additional piece of software to be compliant. (Another discussion I was having!) He can't because software is not HIPAA compliant conceptually. It is how it is used. There are no HIPAA requirements strictly for email, so there is no way to certify software in that manner. At a simpler level, consider paper. Is paper HIPAA compliant? No, it's just paper. How you use that paper, store it, destroy it, etc. determines if the use of paper was HIPAA compliant. HIPAA certifies verbs (how things are done), not nouns (things used). Paper CAN be HIPAA compliant. It can also NOT be. @brad_altn The argument here is over this page: 
 http://www.altn.com/email-encryption/ I contend that it is saying MD cannot be used in a HIPAA compliant situation without the use of the additional software. 
- 
 @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon: Paper CAN be HIPAA compliant. It can also NOT be. That was exactly my point. It's the use of the paper, not the paper itself, that is or is not compliant. Just like MDaemon. Paper and MDaemon are nouns. You can use either in a compliant or non-compliant way. That's up to you. I can make all traffic from MDaemon encrypted, even if MDaemon doesn't provide this themselves. I can lock it to only talk to known accounts. I can encrypt the data at rest. I can do all kinds of things that take me way above and beyond HIPAA requirements or recommendations. But I can also run it with simple passwords, shared accounts, no encryption anywhere, etc. 
- 
 @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon: I contend that it is saying MD cannot be used in a HIPAA compliant situation without the use of the additional software. And I pointed out that it says nothing of the sort and it isn't appropriate to look for such a statement as it is conceptually incorrect. They simply pointed out that they can offer you a HIPAA BAA certified service as well. A BAA cannot be applied to a product like paper or an email server and therefore is not applicable. The line item is about a BAA, not about HIPAA, so there is nothing on that page even remotely discussing or suggesting that MDaemon has any limitations on use in a HIPAA environment. This is confusing because you are 1) looking for something that is conceptually incorrect and 2) misreading the statement about there being a service offering a BAA as the other product not being HIPAA capable, which are unrelated concepts. 
- 
 Remember, only services have BAAs. MDaemon is not a service. But someone that runs MDaemon as a service can certainly run it in such a way that they could give you a BAA. But unless they are running it as a service (verb) they can't do that, because the BAA refers to the verb, not the noun. Otherwise you'd need BAA paper, pencils, etc. 
- 
 @brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon: This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here: http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine Wow, to me this is a severe feature failure. We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email. At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email. 
- 
 @JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon: @brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon: This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here: http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine Wow, to me this is a severe feature failure. We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email. At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email. yeah what @JaredBusch said  
- 
 @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon: @JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon: @brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon: This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here: http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine Wow, to me this is a severe feature failure. We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email. At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email. yeah what @JaredBusch said  If you can dig up your old thread, could you post some new information in it? Such as any fallout or issues you have had? Or how much failure you had immediately after enabling this? 
- 
 @JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon: @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon: @JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon: @brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon: This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here: http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine Wow, to me this is a severe feature failure. We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email. At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email. yeah what @JaredBusch said  If you can dig up your old thread, could you post some new information in it? Such as any fallout or issues you have had? Or how much failure you had immediately after enabling this? Yeah I would like to get involved in re-reading that as well. To be honest, I did not realize email transport encryption was such a prevalent thing. Nor that it was so acceptable as a secure solution. I still think a third party service (like ShareFile for Healthcare, as we use) is more of an all-around solution. But I can understand if you just want to hand-off an email to a client and wash your hands of it, this could be an option. The paranoid me, though, will still never trust e-mail. I know you're supposed to trust the IT on the other side, but ... eh. 
- 
 @JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon: @brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon: This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here: http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine Wow, to me this is a severe feature failure. We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email. At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email. Just to be clear, MDaemon offers TLS, it just doesn't offer requiring it. So if someone, like @BRRABill was using MDaemon, and someone with TLS-only from, say, Office 365 contacted them, it would still work (if TLS was enabled), there is just no protection for @BRRABill making outbound emails using MDaemon alone to ensure that anything without TLS will be blocked. Obviously he can fix this with something trivial like a Postfix proxy, but that's an extra complication that should not be needed. 
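As an added example (not code from this thread, from MDaemon or from Alt-N), the following Python models the decision a sending MTA makes after the EHLO exchange under the two policies the post contrasts: opportunistic TLS, which is what the thread says MDaemon does (use STARTTLS if the remote offers it, otherwise send in the clear), and mandatory TLS, which is what the posters want (no STARTTLS means the message is deferred, never sent in cleartext). It also shows why the distinction matters: an on-path attacker who hides the STARTTLS keyword from the client silently downgrades the opportunistic policy to cleartext, while the mandatory policy only ever defers. The EHLO replies are constructed for the example, and the host names and policy names are assumptions, not anything the post specifies.

```python
# Added example, not MDaemon or Alt-N code. Models a sending MTA's choice after
# EHLO under an opportunistic ("may") versus a mandatory ("encrypt") TLS policy.
# The EHLO replies below are constructed for the example, not captured from a
# real server; the host names are placeholders.
from enum import Enum


class TlsPolicy(Enum):
    MAY = "may"          # opportunistic: encrypt if STARTTLS is offered, else send in clear
    ENCRYPT = "encrypt"  # mandatory: no STARTTLS means defer the message, never send in clear


class Action(Enum):
    STARTTLS = "STARTTLS"                   # upgrade the session, EHLO again, then send
    SEND_CLEARTEXT = "MAIL FROM in clear"   # proceed without encryption
    DEFER = "QUIT and defer (retry later)"  # do not transmit; queue and retry


# Constructed EHLO replies. A real MTA reads these from the socket.
EHLO_WITH_STARTTLS = [
    "250-mx.example.test Hello client.example.test",
    "250-SIZE 36700160",
    "250-STARTTLS",
    "250-8BITMIME",
    "250 SMTPUTF8",
]

EHLO_WITHOUT_STARTTLS = [
    "250-mx.example.test Hello client.example.test",
    "250-SIZE 36700160",
    "250-8BITMIME",
    "250 SMTPUTF8",
]


def advertised_extensions(ehlo_reply):
    """Return the set of extension keywords in a multi-line 250 EHLO reply.

    Per RFC 5321 the first 250 line carries the server's domain and greeting;
    each later line is '250-' (more follow) or '250 ' (last line) plus one
    keyword and optional parameters. Any non-250 line means EHLO was rejected.
    """
    exts = set()
    for index, line in enumerate(ehlo_reply):
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError(f"EHLO not accepted: {line!r}")
        if index == 0:
            continue  # greeting line, not an extension
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword:
            exts.add(keyword)
    return exts


def next_action(ehlo_reply, policy):
    """What the client does after EHLO under the given outbound TLS policy."""
    if "STARTTLS" in advertised_extensions(ehlo_reply):
        return Action.STARTTLS
    if policy is TlsPolicy.ENCRYPT:
        return Action.DEFER
    return Action.SEND_CLEARTEXT


def strip_starttls(ehlo_reply):
    """Model an on-path attacker hiding STARTTLS from the client.

    Overwriting the keyword in place keeps the line length and the 250-/250
    continuation markers intact, so the reply still parses as a valid EHLO.
    """
    stripped = []
    for line in ehlo_reply:
        if line[4:].upper().startswith("STARTTLS"):
            line = line[:4] + "XXXXXXXX" + line[12:]
        stripped.append(line)
    return stripped


if __name__ == "__main__":
    scenarios = (
        ("honest server", EHLO_WITH_STARTTLS),
        ("no-TLS server", EHLO_WITHOUT_STARTTLS),
        ("stripped by MITM", strip_starttls(EHLO_WITH_STARTTLS)),
    )
    for name, reply in scenarios:
        for policy in TlsPolicy:
            print(f"{name:17} policy={policy.value:8} -> {next_action(reply, policy).value}")
```

In Postfix terms the two policies are `smtp_tls_security_level = may` (the default, opportunistic) and `smtp_tls_security_level = encrypt` (mandatory); a Postfix box with the latter setting, used by MDaemon as its outbound relay host, is one reading of what the post calls a Postfix proxy, though the post does not spell out the setup. One caveat a practitioner should keep in mind: `encrypt` requires only that the session be encrypted, not that the remote certificate be verified, so it stops passive interception and STARTTLS stripping but not an attacker who presents their own certificate; the `secure` level, DANE or MTA-STS are the tools for authenticating the peer as well.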
- 
 @JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon: @Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon: @JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon: @brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon: This is currently not possible, however, this functionality is on our wish list & our developers are aware of it. You can submit feature requests & check the status of existing requests via the Alt-N Idea Engine, located here: http://feedback.altn.com/forums/167172-welcome-to-alt-n-s-idea-engine Wow, to me this is a severe feature failure. We had a large discussion a while back with @Dashrender wanting to get HIPAA compliance on email and whether he needed to use a third party service for secure messages instead of just email. At the end of it, @Dashrender was able to convince his company (medical industry) that simply requiring TLS on all outbound email would not lose them any significant business and was the simplest, most efficient way to gain HIPAA compliance on email. yeah what @JaredBusch said  If you can dig up your old thread, could you post some new information in it? Such as any fallout or issues you have had? Or how much failure you had immediately after enabling this? Yeah, super interested in this. 
- 
 @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon: I still think a third party service (like ShareFile for Healthcare, as we use) is more of an all-around solution. In what way? Encrypted email is the most standard, most common, most general case solution. It's super mature and isn't a "service" but a mechanism. All of those things are services that require you to trust a third party vendor, have a BAA, hope that someone else doesn't get compromised, explain to users, explain to customers, learn individually, etc. Encrypted email is standard and transparent. No end user training, no slip ups. It's how security is meant to be - simple, effective and transparent. 
- 
 @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon: The paranoid me, though, will still never trust e-mail. That's irrational you, not paranoid you. Paranoia would drive you to email as the most secure, most protected of these options. It's the only one that doesn't require you to trust someone else, the only one that lets you instantly hand off responsibility. All the others add risk and complexity that, if you were paranoid, you'd be worried about. 
- 
 @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon: I know you're supposed to trust the IT on the other side, but ... eh. No, you are not. That's why encrypted email is so good, the moment the connection happens, you have zero need to trust their IT. It's not your problem in any way after that point. You've done your job to the demarcation point and are in the clear. If you use a third party non-email service then and only then must you trust their IT (and it's IT of some random vendor that you likely don't know at all) because they now control your data that you remain responsible for. That's why they have to provide you with a BAA and you have to trust them to stick to it because they are a service acting on your behalf. All of your stated concerns and paranoia would push you to encrypted email as the answer that best suits your desired outcomes. 
- 
 @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon: @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon: The paranoid me, though, will still never trust e-mail. That's irrational you, not paranoid you. Paranoia would drive you to email as the most secure, most protected of these options. It's the only one that doesn't require you to trust someone else, the only one that lets you instantly hand off responsibility. All the others add risk and complexity that, if you were paranoid, you'd be worried about. But what if I don't trust the person at the other end? If I care about it, I'm not going to be handing it off. Now, granted, there is also someone to trust at, say, ShareFile. But if I was really concerned I could encrypt the file before storing it there. What's to stop the other side's IT from opening my mail when they weren't supposed to? Or their system not being secure and other users being able to see the e-mail? What's to stop the other side's management from looking at all e-mails that come through? Granted, you would hope that people you are exchanging PHI with would not have this issue. But I am talking more about e-mail in general. Yes, these are all user issues, but ones that can be more mitigated with the solution I suggest. 
- 
 @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon: But what if I don't trust the person at the other end? So what? There is no reason to care. Trust them, don't trust them. Doesn't matter. That's why encrypted email is important. 
- 
 @scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon: @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon: I know you're supposed to trust the IT on the other side, but ... eh. No, you are not. That's why encrypted email is so good, the moment the connection happens, you have zero need to trust their IT. It's not your problem in any way after that point. You've done your job to the demarcation point and are in the clear. If you use a third party non-email service then and only then must you trust their IT (and it's IT of some random vendor that you likely don't know at all) because they now control your data that you remain responsible for. That's why they have to provide you with a BAA and you have to trust them to stick to it because they are a service acting on your behalf. All of your stated concerns and paranoia would push you to encrypted email as the answer that best suits your desired outcomes. It's not my problem if all I care about is a CYA to deliver the data securely. 
- 
 @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon: If I care about it, I'm not going to be handing it off. Now you've moved from IT into "recipient police" and are just off on a reckless personal vendetta. That's not appropriate for IT people to get involved in determining who should and should not be allowed to get PHI based on personal opinion. 
- 
 @BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon: Now, granted, there is also someone to trust at, say, ShareFile. But if I was really concerned I could encrypt the file before storing it there. No, there are hundreds of people at ShareFile that you must trust by law. HIPAA makes you responsible to have to trust them. With encrypted email, wanting to trust someone is something you are deciding to care about personally and is not related to HIPAA or business requirements. 