On Sunday, 1 June 2025, 21:41:27 UTC+00:00:01, Cyborg via Exim-users wrote:

> For the EU, as a company or organization of any form, you have to
> enforce TLS 1.2+ (§32 GDPR -> state of the art and has no costs),
> because it's impossible to know beforehand if someone is sending you
> personal data or not and the law says that the transport of personal
> data has to be protected. This makes unencrypted traffic only possible
> for technical data. But it's more effort to exclude some servers/mail
> addresses from the TLS enforcement than actually enabling TLS at the
> sender.
Maybe, but:

- that the GDPR "enforces" TLS 1.2+ as "state of the art" (and no other mechanism / setup) is your / just one interpretation of "state of the art".
- This does NOT affect personal users, as the EU has/claims force on organisations only.
- The EU is not "the world" and no one outside of the EU can be forced by the EU how to use email (while geography does not really exist in the internet).
- The EU has no real defined force to establish "laws" as it is not a national entity - until today it is not clarified if the EU has the right / force to establish laws breaking national law or constitutions (there are different interpretations in different EU countries).
  https://eur-lex.europa.eu/DE/legal-content/glossary/primacy-of-eu-law-precedence-supremacy.html

This whole GDPR crap in the sum is nothing helping ppl - it is a tool primarily creating new bureaucracy and - not least - insecurity for organisations as well as personal users. The GDPR allows endless interpretations in many ways - at the end it is not possible to fulfill 100% of the GDPR in any of its interpretations, producing process insecurities for the organisations.

If ppl expect security "state of the art", e.g. from their providers, they can and will contract that and they can decide - except for public / gov entities - if and to whom they send which data and which way (and even with which minimum TLS/SSL versions and which crypto algorithms, if that is important to them) or not.

Not least: If you send some email to a third party, you must expect that the email content can fall into illegal hands in the future just by the fact of the high chance of some kind of broken email storage / archive in the future. At least from my experience, most compromised emails came from such sources and not from sniffed internet networks.

> A quick scan on our cluster shows only spam as source for unencrypted
> mails. There is simply no sense in accepting unencrypted mails anymore.
"A quick scan" should not be the foundation of a reliable decision. Just an example:
https://techcommunity.microsoft.com/discussions/microsoft-365/mail-without-tls/324540

And there are e.g. hotel internet access networks where any email is proxied for "security" or even local legal reasons while encrypted connections are blocked (I recall some major US hotel chains doing this to their customers at least in some foreign countries).

just my .02€

niels.

-- 
---
Niels Dettenbach
Syndicat IT & Internet
https://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
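The two posts above disagree on whether a "quick scan" is enough evidence to start rejecting unencrypted SMTP. The script below is an added example, not part of this thread and not Exim's own code: it walks Exim mainlog arrival lines and reports how many remote sessions were cleartext, which sending hosts they came from, and which encrypted sessions used a TLS version below a chosen floor (the TLS 1.2+ policy discussed above), so an exemption list or the decision itself rests on measured data. It assumes Exim's default mainlog layout for "<=" lines, where `H=` carries the sending host, `P=` the protocol and an `X=` field is present only for encrypted sessions; the log lines embedded in `SAMPLE_LOG` are constructed for the example and `TLS_FLOOR` is a parameter chosen here.

```python
"""Tally inbound Exim arrivals by transport security before deciding on TLS enforcement.

Added example, not code from the exim-users thread or from Exim. Assumes the
default Exim mainlog "<=" line fields: H=<host> [ip], P=<protocol>, and
X=<tls-version>:<cipher> present only when the session was encrypted.
"""
import re
from collections import Counter

TLS_FLOOR = 1.2                      # policy under discussion: TLS 1.2 or newer (assumed parameter)
ARRIVAL_MARK = " <= "                # Exim marks message arrival with "<=" (delivery is "=>")

# "H=mail.example.org [192.0.2.10]", "H=(helo) [192.0.2.77]" or "H=[203.0.113.99]"
HOST_RE = re.compile(r" H=(?P<host>[^\]]*\])")
PROTO_RE = re.compile(r" P=(?P<proto>\S+)")
TLS_RE = re.compile(r" X=(?P<ver>[^:\s]+):(?P<cipher>\S+)")
# GnuTLS builds log "TLS1.2", OpenSSL builds log "TLSv1.2" or plain "TLSv1" for 1.0
VER_NUM_RE = re.compile(r"^TLSv?(?P<num>\d+(?:\.\d+)?)$")


def tls_version_number(ver):
    """Map the logged protocol name to a float (TLS1.3 -> 1.3, TLSv1 -> 1.0).
    Anything that is not TLS at all (e.g. SSLv3) maps to 0.0, i.e. below any floor."""
    m = VER_NUM_RE.match(ver)
    return float(m.group("num")) if m else 0.0


def classify(line):
    """Describe one arrival line; return None for every other kind of log line."""
    if ARRIVAL_MARK not in line:
        return None
    host = HOST_RE.search(line)
    proto = PROTO_RE.search(line)
    tls = TLS_RE.search(line)
    rec = {
        "host": host.group("host") if host else None,
        "proto": proto.group("proto") if proto else None,
        "tls_version": tls.group("ver") if tls else None,
        "cipher": tls.group("cipher") if tls else None,
    }
    if rec["host"] is None:
        rec["transport"] = "local"       # e.g. "U=root P=local": no SMTP session at all
    elif tls:
        rec["transport"] = "tls"
    else:
        rec["transport"] = "cleartext"   # remote SMTP session without STARTTLS
    return rec


def summarize(log_text, floor=TLS_FLOOR):
    """Aggregate: cleartext sessions and their hosts, TLS versions seen, and which
    encrypted sessions would still be refused by a 'TLS >= floor' policy."""
    s = {"arrivals": 0, "local": 0, "tls": 0, "cleartext": 0,
         "cleartext_hosts": Counter(), "below_floor_hosts": Counter(),
         "versions": Counter()}
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        s["arrivals"] += 1
        s[rec["transport"]] += 1
        if rec["transport"] == "cleartext":
            s["cleartext_hosts"][rec["host"]] += 1
        elif rec["transport"] == "tls":
            s["versions"][rec["tls_version"]] += 1
            if tls_version_number(rec["tls_version"]) < floor:
                s["below_floor_hosts"][rec["host"]] += 1
    # Every session a TLS>=floor policy would have rejected: cleartext plus old TLS
    s["affected_by_floor"] = s["cleartext"] + sum(s["below_floor_hosts"].values())
    return s


# Constructed sample mainlog excerpt (documentation addresses only, not real traffic).
SAMPLE_LOG = """\
2025-06-01 21:40:01 1uLxa1-0000A1-Aa <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=2310 id=1@example.org
2025-06-01 21:40:13 1uLxa2-0000A2-Bb <= bob@example.net H=mx.example.net [198.51.100.7] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes S=5120 id=2@example.net
2025-06-01 21:41:02 1uLxa3-0000A3-Cc <= noreply@legacy.example.com H=old.legacy.example.com [203.0.113.5] P=esmtp S=880 id=3@legacy.example.com
2025-06-01 21:41:27 1uLxa4-0000A4-Dd <= promo@spam.invalid H=[203.0.113.99] P=smtp S=4096
2025-06-01 21:42:00 1uLxa5-0000A5-Ee <= printer@corp.example H=(scanner) [192.0.2.77] P=esmtp S=70000 id=4@corp.example
2025-06-01 21:42:30 1uLxa6-0000A6-Ff <= carol@example.org H=mail.example.org [192.0.2.10] P=esmtps X=TLS1.0:AES256-SHA:256 CV=no S=1200 id=5@example.org
2025-06-01 21:43:00 1uLxa6-0000A6-Ff => alice <alice@example.org> R=localuser T=local_delivery
2025-06-01 21:43:05 1uLxa7-0000A7-Gg <= root@localhost U=root P=local S=300
"""

if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    print(f"arrivals={r['arrivals']} local={r['local']} tls={r['tls']} cleartext={r['cleartext']}")
    print("TLS versions seen:", dict(r["versions"]))
    print("cleartext senders:", dict(r["cleartext_hosts"]))
    print(f"below TLS {TLS_FLOOR} floor:", dict(r["below_floor_hosts"]))
    print(f"sessions a TLS>={TLS_FLOOR} policy would have refused: {r['affected_by_floor']}")
```

Run it against a real mainlog (`summarize(open('/var/log/exim4/mainlog').read())`) over a period long enough to include the legacy relays, multifunction printers and proxied hotel networks the posts mention; the `cleartext_hosts` and `below_floor_hosts` tables are exactly the candidates for an exemption list, and `affected_by_floor` is the number of messages the policy would have turned away.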
