How to Require TLS for Outbound SMTP Connections with MDaemon
-
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@travisdh1 said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
He's not even worried about that - he's worried about his nuke selfies getting in the hands of hackers when they hack O365 because he emailed his nude selfies to his wife.
Which they will get if you used SendFile or email, because they will be saved to someone's desktop in either case.
SendFile would be web-based. Your favorite!
So?
So there is no need for local download.
If there is no need for anyone to see it, why send it at all? The most secure file is one that never existed in the first place.
I live by this.
Yup, if no one wants to see you naked, don't take the pictures!
Is that what you meant?
Well, there was 1 person who liked seeing me naked....
Just in general. If it's not documented, it can't be "found".
-
I don't know why I didn't think of this right away. Must not have had my morning coffee yet, but MDaemon has a feature that allows you to specify which hosts or IPs require the use of STARTTLS. It's located under Security | Security Settings | SSL & TLS | STARTTLS Required List.
-
@brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:
I don't know why I didn't think of this right away. Must not have had my morning coffee yet, but MDaemon has a feature that allows you to specify which hosts or IPs require the use of STARTTLS. It's located under Security | Security Settings | SSL & TLS | STARTTLS Required List.
So how would you use that setting to accomplish what we want?
-
@brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:
I don't know why I didn't think of this right away. Must not have had my morning coffee yet, but MDaemon has a feature that allows you to specify which hosts or IPs require the use of STARTTLS. It's located under Security | Security Settings | SSL & TLS | STARTTLS Required List.
Cool, is there a way to specify "all"? Being able to list some is definitely a good start, though.
-
@scottalanmiller Not yet, but I believe this functionality may be in the works for a later release.
-
@scottalanmiller said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@brad_altn said in How to Require TLS for Outbound SMTP Connections with MDaemon:
I don't know why I didn't think of this right away. Must not have had my morning coffee yet, but MDaemon has a feature that allows you to specify which hosts or IPs require the use of STARTTLS. It's located under Security | Security Settings | SSL & TLS | STARTTLS Required List.
Cool, is there a way to specify "all"? Being able to list some is definitely a good start, though.
This is what was replied to me on the MD forum...
*Are you wanting this for your own users only, or for your own users plus all mail coming into your server from non-local senders?
Unless you are using a gateway or DomainPOP to retrieve incoming mail from non-local senders anything you do to try and prevent your own users from sending without encryption will affect incoming mail as well. And there's not a way to force servers not under your control to use encryption if they are not configured to use it.
Here are a couple of suggestions, but without knowing more about your environment, I can't say that it will work for you.
-
If all of your own users are going to be sending and receiving from the local network (on site, versus someone working from home or a hotel or a coffee shop out in the world), you could enable SSL, STARTTLS, and STLS under Security | Security Settings | SSL & TLS, and enabled the dedicated ports option as well. Then your users would all have to configure their mail clients to use the dedicated ports. Then you can block the non-SSL ports on your internal network, and only allow connections from outside your network to the MDaemon server.
-
If you're in a position where you can say "If you don't use encryption, I don't want mail send from your server" you could try setting a wildcard entry in the STARTTLS Required List under Security | Security Settings | SSL & TLS. For IPv4 it's ...
I'm not certain what the wildcard for all IPv6 addresses would be, and I don't have a test environment using it set up at the moment. If you need that, let me know and I will look into it for you. I don't really recommend this option at this time, it's likely to cause you headaches.
If you don't want to force all non-local incoming mail to use encryption, and you have users who connect to your server from outside your network, trying to force them to use encryption while letting non-local servers still connect without is difficult, and ends up being more a matter of user education & company policy than being technology based,
If you can share more about what your environment is like I might be able to give more suggestions.*
-
-
As mentioned in Item 2 of your last post, I was also going to mention using wildcard entries on the STARTTLS Required List. I would recommend testing this first, however, and review your MDaemon logs to ensure that the connection is using TLS.
-
Interesting - why would both incoming and outgoing be affected at the same time? Is that by design?
With, say Exchange, I can setup the inbound SMTP to be opportunistically TLS, but fail to no security, but on sending outbound email to require TLS, otherwise fail and do not send the email.
The belief/understanding is that HIPAA only requires you to secure what you are sending others, not what others are sending you. So to cover your side of HIPAA you (us) only care about how you send data to others, hence the restriction to only sending outbound over TLS.
-
@Dashrender said in How to Require TLS for Outbound SMTP Connections with MDaemon:
Interesting - why would both incoming and outgoing be affected at the same time? Is that by design?
With, say Exchange, I can setup the inbound SMTP to be opportunistically TLS, but fail to no security, but on sending outbound email to require TLS, otherwise fail and do not send the email.
The belief/understanding is that HIPAA only requires you to secure what you are sending others, not what others are sending you. So to cover your side of HIPAA you (us) only care about how you send data to others, hence the restriction to only sending outbound over TLS.
This is the root of what we are trying to get at.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
*Are you wanting this for your own users only, or for your own users plus all mail coming into your server from non-local senders?
Whoever posted this is horribly confused. They are talking about inbound mail.
Now maybe your post there was not clear?
-
@JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
*Are you wanting this for your own users only, or for your own users plus all mail coming into your server from non-local senders?
Whoever posted this is horribly confused. They are talking about inbound mail.
Now maybe your post there was not clear?
Users on the same system doing use SMTP There is nothing to encrypt. I'm going with someone being confused.
-
@JaredBusch said in How to Require TLS for Outbound SMTP Connections with MDaemon:
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
*Are you wanting this for your own users only, or for your own users plus all mail coming into your server from non-local senders?
Whoever posted this is horribly confused. They are talking about inbound mail.
Now maybe your post there was not clear?
I think what he meant was encrypted from the e-mail client (Outlook, Webmail) to the MD server.
I asked about encrypting all incoming and outgoing mail. So as usual I can see how someone might be able to misinterpret.
-
@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:
I think what he meant was encrypted from the e-mail client (Outlook, Webmail) to the MD server.
That's confusing because it isn't email at that point but is just an internal application API. If it is Outlook, for example, it talks directly with Exchange as a client manipulating stuff on Exchange. If it is OWA, it's Exchange that you are looking at directly (the "email" is still on Exchange.)