Hi Craig

Thank you very much for your input

For the archives, we are currently looking at Postfix - even though we would 
very much prefer to stay on OpenSMTPD.

> On 24 Feb 2020, at 14:47, Craig Skinner <skin...@britvault.co.uk> wrote:
> On Sat, 22 Feb 2020 21:25:11 +0100 Søren Aurehøj wrote:
>> ... sending with TLS is mandatory according to our data protection officer, 
>> citing GDPR and the sensitivity of the emails sent.
> Rubbish!


Under other circumstances I would agree.

> If there is a local company policy about data protection (GDPR does not apply 
> outside Europe, and mails may be sent globally), then the email content needs 
> to be (PGP) encrypted in the sender's desktop mail client before it leaves 
> their Windows, Apple, Android, Blackberry, etc. device.
These particular mailservers operate in an environment with a very high degree 
of personally identifiable mail. GDPR states personal data regarding health, 
trade union membership, religious, political, philosophical beliefs as personally 
identifiable and prohibited to process. That is unless “the data subject has 
given explicit consent to the processing of those personal data for one or more 
specified purposes”.

> See the Enigmail plugin for Thunderbird. Other MTAs have similar tools.
We do use E2E encryption for a part of our mail, through the Danish national 
“PKI” called NemID.

> TLS relaying of emails fails GDPR because the mail sits in plain text in the 
> receiver's account. Hotmail, Yahoo, etc. sell customer data to businesses & 
> global governments.
No - TLS is only supposed to protect data “in transit” - choosing the mail 
service provider and the location of the mails, is not our responsibility.

> There is no technical Internet requirement for SMTP servers to use TLS.
Again, I agree. We are aware that we risk not being able to reach everyone by 
email, they will instead receive it by snailmail.

> Therefore, the receiver can forward that mail to somebody else, without using 
> TLS, and GDPR is broken.
No, whatever the receiver chooses to do with their own data is not our 

> So your data protection officer fails GDPR by thinking TLS is their saviour.
I do not agree on this one though; we are processing personally identifiable mail 
and as a result of this, we are obliged to protect the data “according to 
industry standard and as good as reasonable possible”.
The DPO set the bar at using TLS as a minimum, for protecting outgoing mail 
during transit.

> TLS is not salvation for GDPR.
TLS is just a tool - but a good tool.

> Cheers,
> -- 
> Craig Skinner | http://linkd.in/yGqkv7
Kind regards
Søren Aurehøj
