On 02.06.25 at 11:27, Niels Dettenbach via Exim-users wrote:

> Maybe, but:
> - that the GDPR "enforces" TLS 1.2+ as "state of the art" (and no other mechanism / setup) is your / just one interpretation of "state of the art".

True, the words TLS 1.2 are not mentioned in it, because every country has a DP agency that can define it itself or delegate it to other agencies. In the case of Germany, the DP agencies of the states and the federal government have a commission, and that issues statements on how to interpret the rules for certain aspects that have raised questions. I know this because I gave that commission and the federal DP agency the stats for TLS usage of our cluster as a reference in 2018, because this exact question had been raised by myself.

The answer was:
a) You have to encrypt everything
b) It has to be secure, and the BSI specs for safety have been used as references.

Because a) impacted all EU countries and companies, the EU DP commission that created the GDPR was contacted by the German federal DP agency to make an EU-wide statement about the usage of TLS on email transport. In 2022 the German DP commission finally handed out a paper (in German) for all German-based companies to follow, which makes it absolutely clear that you have to encrypt, not accept unencrypted mails other than technical mails, and use TLS 1.2+ protocols.

What I don't know is how other EU countries handled that result in detail, but I think it is safe to assume that after 5 years of debating, they all will have the same ruleset.

> - This does NOT affect personal users, as the EU has/claims force on organisations only

The GDPR is just for organisations of any kind, true, but of course that's affecting private persons too:

There is no way to know who and what is sent before it's sent. This makes sending unencrypted traffic to organisations impossible if the organisation complies with the law, no matter if the sending private person does not need to care about protection and wants to send unencrypted messages. So, if a private person does not only want to communicate with other private persons in 1980 style, they need to have mail servers with at least opportunistic TLS 1.2+ enabled, otherwise mails won't reach the receiver.

Of course: only if everyone complies with the law, which is not 100% ensured due to laziness and carelessness on all sides.

> - EU is not "the world" and no one outside of the EU can be forced by the EU how to use email (while geography does not really exist in the internet).

No one said the EU is King of the World, but the same premise applies here as for private individuals. Configuring your EU company mail server to decide if the mail is from inside or outside of the EU would not even help, because the GDPR does not distinguish between EU and non-EU personal data. If it reaches the EU realm, it needs to be protected. Let's put aside for a moment that this raises some interesting practical problems.

> - EU has no real defined force to establish "laws" as it is not a national entity - until today it is not clarified if the EU has the right / force to establish laws breaking national law or constitutions (there are different interpretations in different EU countries). https://eur-lex.europa.eu/DE/legal-content/glossary/primacy-of-eu-law-precedence-supremacy.html

Did you read it? It clearly says that for sections where EU countries have given up their national sovereignty, the EU laws have the upper hand.

Because of the uncertainty in some cases, EU rules have to be converted into national law, unlike in the GDPR case, where they took all aspects of the EU law and put them into national laws, where the national laws can enhance some named rules and aspects as the nation needs or likes it, but the ground rules of the GDPR are set EU-wide. That's one reason why the German BDSG-neu from 2018 is a little bit longer than the EU version ;)

> This whole GDPR crap in the sum is nothing helping ppl - it is a tool primarily creating new bureaucracy and - not least - insecurity to organisations as well as personal users.

In 2018 I helped some companies to keep up with the "new" DP rules and in the end, it's not as hard for most small to medium organisations to make it work. Small businesses (like car shops, house builders etc.) tend to think it's hard, but in the end it's 2-3 hours of analyzing, defining and filling out the forms, because they are not processing and analysing personal data to an extent for which the GDPR was made. Corps that analyse and track data and build decisions on databases, yes, they have a lot more work to do, which was one intent of creating the GDPR in the first place: to regulate the data market.

> The GDPR allows endless interpretations in many ways - at the end it is not possible to fulfill 100% of the GDPR in any of its interpretations, producing process insecurities for the organisations.

That's in general true for any set of laws, i.e. it's impossible to build a building in Germany 100% compliant with every law, because of too many laws telling you to do the opposite. The GDPR, on the other hand, is quite easy to follow and implement if you're not a data broker ;)

> If ppl expect security "state of the art" i.e. from their providers, they can and will contract that and they can decide - except for public / gov entities - if

"expecting" is not "getting it" .. T-Online Germany was the last major player in German mail services to tell the world "We use encryption for mails now" ... in 2014, when all others had that running for 10+ years :D

> some kind of broken email storage / archive in the future. At least from my experience, most compromised emails came from such sources and not from sniffed internet networks.

Yep, in 2024, IMHO, someone hacked into the common business mail centre in Frankfurt, which is used by parts of the German banking system (NOT THE German bank, ok) and exfiltrated important client emails with attachments from their Exchange servers. So, yes, it's more likely to break into the server than to MITM passwords out of business DSL connections. But that makes connection sniffing no less of a vulnerability or any less of a target. Using secure TLS is so easy, there is no reason not to do it. And that's my whole point in this discussion: stop using unencrypted connections and insecure TLS versions. I gave out the tools, just implement it.

> "a quick scan" should not be the foundation of a reliable decision.

It was quick because Exim has a very good log format and the information was good enough (may not be true for OOB logs) to decide spam or not spam ;)

(hey, two Exim glorifications in one week \o/ )

best regards,
Cyborg
--
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   [email protected]
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
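The message above talks about pulling TLS usage stats out of Exim's logs and about refusing cleartext and pre-1.2 TLS except for "technical" mail. The following is an added example, written for this page and not the tools Cyborg refers to nor code from the Exim project: it parses Exim main-log message lines (`<=` arrivals and `=>` deliveries), reads the `X=TLSversion:cipher:bits` field Exim writes for encrypted connections, and counts each message as ok (TLS 1.2+), weak (older TLS) or plaintext (no `X=` field), with an optional allowlist of technical hosts whose cleartext mail is tolerated. The log lines embedded below are constructed samples using documentation domains and addresses; the exact field layout of your own log depends on your `log_selector` settings, so treat the regexes as a starting point.

```python
"""Audit TLS protocol usage from Exim main-log lines (added example, not Exim code).

Run it over /var/log/exim4/mainlog (or wherever your mainlog lives) before
switching on TLS enforcement, to see which peers would be cut off.
"""
import re
from collections import Counter

MIN_VERSION = (1, 2)  # policy: TLS 1.2 or newer

# Constructed sample log lines (not real traffic, not from the thread above).
SAMPLE_LOG = """\
2025-06-02 11:27:01 1uM7b2-0001xy-3Q <= alice@example.org H=mx.example.org [192.0.2.10] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=2048
2025-06-02 11:28:14 1uM7cF-0001yA-1B <= bob@example.net H=old.example.net (mail) [198.51.100.7] P=esmtps X=TLS1.0:ECDHE-RSA-AES256-SHA:256 CV=no S=990
2025-06-02 11:29:30 1uM7dQ-0001yR-7Z <= carol@example.com H=plain.example.com [203.0.113.5] P=esmtp S=3100
2025-06-02 11:30:02 1uM7dQ-0001yR-7Z => dave@example.org R=dnslookup T=remote_smtp H=mx2.example.org [192.0.2.20] X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 OK"
2025-06-02 11:30:03 1uM7dQ-0001yR-7Z Completed
2025-06-02 11:31:45 1uM7eK-0001zB-2C <= monitor@example.org H=localhost [127.0.0.1] P=esmtp S=120
"""

# "<timestamp> <message-id> <= or => <address> ..."
HEAD_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<msgid>\S+) (?P<dir><=|=>) (?P<addr>\S+)')
# "H=hostname (optional helo) [ip]"
HOST_RE = re.compile(r' H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\]')
# "X=TLS1.2:CIPHER:bits"; older Exim builds log "TLSv1", so the "v" is optional
TLS_RE = re.compile(r' X=TLSv?(?P<ver>\d(?:\.\d)?):(?P<cipher>[^:\s]+):(?P<bits>\d+)')


def tls_version(text):
    """Return the TLS version as (major, minor), or None if the line has no X= field."""
    m = TLS_RE.search(text)
    if not m:
        return None
    major, _, minor = m.group('ver').partition('.')
    return (int(major), int(minor or 0))  # "TLSv1" -> (1, 0)


def parse_line(line):
    """Extract direction, address, peer host/IP and TLS version from one log line.

    Returns None for lines that are not message arrival/delivery records
    (e.g. "Completed" lines), which carry no peer information.
    """
    head = HEAD_RE.match(line)
    host = HOST_RE.search(line)
    if not head or not host:
        return None
    return {
        'direction': 'in' if head.group('dir') == '<=' else 'out',
        'address': head.group('addr'),
        'host': host.group('host'),
        'ip': host.group('ip'),
        'tls': tls_version(line),
    }


def classify(rec, technical_hosts=()):
    """Rate one record against the TLS 1.2+ policy.

    technical_hosts is an assumed allowlist (e.g. localhost for monitoring
    mail): cleartext from those hosts is 'exempt'. Weak TLS is never exempt.
    """
    if rec['tls'] is None:
        return 'exempt' if rec['host'] in technical_hosts else 'plaintext'
    if rec['tls'] < MIN_VERSION:
        return 'weak'
    return 'ok'


def audit(log_text, technical_hosts=()):
    """Count records per category and list the peers that violate the policy."""
    counts = Counter()
    offenders = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec, technical_hosts)
        counts[cat] += 1
        if cat in ('plaintext', 'weak'):
            shown = None if rec['tls'] is None else 'TLS%d.%d' % rec['tls']
            offenders.append((rec['direction'], rec['host'], rec['ip'], shown))
    return {'counts': dict(counts), 'offenders': offenders}


if __name__ == '__main__':
    result = audit(SAMPLE_LOG, technical_hosts=('localhost',))
    print(result['counts'])
    for off in result['offenders']:
        print('  ', off)
```

Running the block on the sample gives two ok, one weak (the TLS 1.0 peer), one plaintext and one exempt record; the offenders list is the set of peers to contact (or to expect bounces from) before turning enforcement on.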
