Re: Secure email server setup

To: debian-user@lists.debian.org
Subject: Re: Secure email server setup
From: Brian <ad44@cityscape.co.uk>
Date: Mon, 15 Jan 2018 20:01:48 +0000
Message-id: <[🔎] 15012018192946.78742c1fe1ac@desktop.copernicus.org.uk>
In-reply-to: <[🔎] 201801151351.30097.rhkramer@gmail.com>
References: <1095843975.2894134.1515944200198.ref@mail.yahoo.com> <[🔎] 201801151023.54713.rhkramer@gmail.com> <[🔎] f280e8aa-fbf0-29c6-1831-112edb7bc313@tana.it> <[🔎] 201801151351.30097.rhkramer@gmail.com>

On Mon 15 Jan 2018 at 13:51:30 -0500, rhkramer@gmail.com wrote:

> On Monday, January 15, 2018 12:53:20 PM Alessandro Vesely wrote:
> > On Mon 15/Jan/2018 16:23:54 +0100 rhkramer wrote:
> > > On Monday, January 15, 2018 04:39:17 AM Alessandro Vesely wrote:
> > >> Since most email messages are sent in cleartext, it is also worth to
> > >> note explicitly the difference in terms of privacy between receiving
> > >> and collecting.
> > > 
> > > I don't understand, can you (or someone) attempt to clarify / amplify?
> > 
> > Personal (non-list) email messages happen to contain confidential
> > information, from innocent shopping preferences to passwords.  Although it
> > is possible to use end-to-end encryption to safeguard confidentiality, the
> > vast majority of messages are sent in cleartext.  A good percentage[*] of
> > SMTP servers apply transport encryption (STARTTLS), so the chances that a
> > message is read in transit are low.  However, the chances that MX servers
> > can read cleartext messages is 100%, which hence is the rate of trust
> > users have to grant to their mailbox providers.  The amount of info that
> > can be extracted is directly proportional to their AI skills, while what
> > they do with it only depends on how much greedy they are.
> > 
> > Given this state of affairs, the absence of a clean method for setting up
> > an email server is particularly obnoxious, IMHO.
> 
> Thanks very much--that helps a lot, but due to my ignorance of email systems, 
> let me ask a followup:
> 
> Does the SMTP server encrypt both between it and the "client" and between it 
> and the other end destination / source?  

Use of TLS is explained here:

https://www.gov.uk/government/publications/email-security-standards/transport-layer-security-tls

Note "...in transit between computers..."

> (My understanding of SMTP may be faulty, but, AIUI, if your ISP is your SMTP 
> server, email is stored there (unless deleted) (so that you can access it from 
> more than one of your computers.  Is it the transmittal between that server 

Your ISP is not *your* smtp server. You do not have an smtp server. You
have a collection facility from your ISP.

> and your computer(s) that is encrypted, or between that server and the source 
> / destination of the email, or both?

The second. The mail is encrypted by the sender and transmitted to the
receiver. You are not the receiver. All you do is collect it from the
receiver. While the receiver has it, anyone with access to their systems
can read it. I think this is the point Alessandro Vesely was making.
Greg Wooledge's point is a different one because it depends (partly) on
TLS not being used.

Analogy: you give a letter to a trusted friend with instructions to
deliver it directly to A, the intended recipient. 

You give a letter to a trusted friend with instructions to deliver it
directly to B, a convenient drop-off point for mail. A *collects* it
from B.

Both methods work. Which one is the more secure?

(Points are available for the correct answer :) ).

-- 
Brian.


>

Reply to:

References:
- Re: Secure email server setup
  - From: rhkramer@gmail.com
- Re: Secure email server setup
  - From: Alessandro Vesely <vesely@tana.it>
- Re: Secure email server setup
  - From: rhkramer@gmail.com

Prev by Date: Re: Acrobat Reader stops works
Next by Date: Re: Acrobat Reader stops works
Previous by thread: Re: Secure email server setup
Next by thread: Re: Secure email server setup
Index(es):
- Date
- Thread