Re: [mailop] Google rejects a TLS connection saying it needs TLS...
On Thu, Mar 16, 2017, at 07:37, Paul Smith wrote:
> On 16/03/2017 14:18, Kevin Huxham wrote:
>> they probably sell fax machines.
>
> Their response is a bit like someone sending them credit card details
> on a postcard, and them tearing it up (because you shouldn't send
> confidential information on postcards) and asking the sender to send
> the details again, but put them in an envelope next time.
>
> It's totally ignoring the fact that it's too late by then... (and the
> fact that the envelope will be opened by the mail boy (Google in this
> case) so the confidential information will still be visible by
> unspecified eyes after arrival).
>

While all of that may be true, it's still worth doing because it will encourage better behaviour in the future. You can make a rule against sending credit cards by email, but if customer service reps know it works they might still encourage a customer to do it as it's faster and easier than other options (fax, mail) and when Something Bad Happens, the customer will rightly blame the company.

By enforcing rules at a technical level you won't stop someone creative from sending a credit card number, even if they have to go Craigslist Style ("this 4000 is my credit card"), but it will slow people down and make doing it properly suddenly seem more attractive. It's an imperfect world.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Google rejects a TLS connection saying it needs TLS...
So, yes, requiring TLS after the message was already sent in plaintext is less perfect than the alternative, but it does have the benefit of informing and usually getting things fixed. I.e., if you assume that it corrects future failures, then it's still useful.

It's also a fallback: you can enforce certain senders are encrypted before they send content, but if you also enforce it for, say, content containing SSN or CC numbers, it'll inform and find other bad senders.

Still no clue what this particular policy is, though.

Brandon

On Mar 16, 2017 7:44 AM, "Paul Smith" wrote:

> On 16/03/2017 14:18, Kevin Huxham wrote:
>
> they probably sell fax machines.
>
>
> Their response is a bit like someone sending them credit card details on a
> postcard, and them tearing it up (because you shouldn't send confidential
> information on postcards) and asking the sender to send the details again,
> but put them in an envelope next time.
>
> It's totally ignoring the fact that it's too late by then... (and the fact
> that the envelope will be opened by the mail boy (Google in this case) so
> the confidential information will still be visible by unspecified eyes
> after arrival).
>
>
>
> -K
>
> On Thu, Mar 16, 2017 at 1:50 AM, Brandon Long via mailop <
> mailop@mailop.org> wrote:
>
>> That's a custom rejection message set by that GSuite customer, no clue
>> what policy they set.
>>
>> Brandon
>>
>> On Mar 15, 2017 9:35 PM, "Seth Mattinen" wrote:
>>
>>> Here's one I'm hoping someone can tell me I'm missing something obvious:
>>> Google is rejecting a TLS connection with an error saying to use TLS, but
>>> the connection is indeed using TLS.
>>>
>>>
>>> 2017-03-15T21:03:15.960985-07:00 smtpauth postfix/smtp[14716]: Trusted
>>> TLS connection established to aspmx.l.google.com[2607:f8b0:400e:c06::1a]:25:
>>> TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>>>
>>> 2017-03-15T21:03:17.241821-07:00 smtpauth postfix/smtp[14716]:
>>> E6AB62800049: to= ,
>>> relay=aspmx.l.google.com[2607:f8b0:400e:c06::1a]:25,
>>> delay=5.3, delays=3.1/0/0.93/1.2, dsn=5.7.1, status=bounced (host
>>> aspmx.l.google.com[2607:f8b0:400e:c06::1a] said: 550-5.7.1 Your email
>>> has been rejected because it violates X X 550-5.7.1 security policy.
>>> Potential sensitive data was found in the email 550-5.7.1 and/or attachment
>>> and your email server does not support TLS 550-5.7.1 encryption. Please use
>>> and alternate method of delivery such as fax 550 5.7.1 or a different email
>>> provider that supports TLS. - gcdp X.124 - gsmtp (in reply to end of DATA
>>> command))
>>>
>>>
>>> What am I missing other than the suggested fax?
>>>
>>> ~Seth
Re: [mailop] Google rejects a TLS connection saying it needs TLS...
On Thu, 2017-03-16 at 10:18 -0400, Kevin Huxham wrote:
> they probably sell fax machines.

Reminds me of a case many years ago when a client who ran courses on data protection emailed (yes, emailed) all their credit card details to the billing dept. because they weren't near a browser to pay online! And those courses were not cheap.

Hard cases make bad law but you'll always find somebody trying to fix the world, one policy at a time.

Ken.
Re: [mailop] Google rejects a TLS connection saying it needs TLS...
they probably sell fax machines.

-K

On Thu, Mar 16, 2017 at 1:50 AM, Brandon Long via mailop wrote:

> That's a custom rejection message set by that GSuite customer, no clue
> what policy they set.
>
> Brandon
>
> On Mar 15, 2017 9:35 PM, "Seth Mattinen" wrote:
>
>> Here's one I'm hoping someone can tell me I'm missing something obvious:
>> Google is rejecting a TLS connection with an error saying to use TLS, but
>> the connection is indeed using TLS.
>>
>>
>> 2017-03-15T21:03:15.960985-07:00 smtpauth postfix/smtp[14716]: Trusted
>> TLS connection established to aspmx.l.google.com[2607:f8b0:400e:c06::1a]:25:
>> TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>>
>> 2017-03-15T21:03:17.241821-07:00 smtpauth postfix/smtp[14716]:
>> E6AB62800049: to= ,
>> relay=aspmx.l.google.com[2607:f8b0:400e:c06::1a]:25,
>> delay=5.3, delays=3.1/0/0.93/1.2, dsn=5.7.1, status=bounced (host
>> aspmx.l.google.com[2607:f8b0:400e:c06::1a] said: 550-5.7.1 Your email
>> has been rejected because it violates X X 550-5.7.1 security policy.
>> Potential sensitive data was found in the email 550-5.7.1 and/or attachment
>> and your email server does not support TLS 550-5.7.1 encryption. Please use
>> and alternate method of delivery such as fax 550 5.7.1 or a different email
>> provider that supports TLS. - gcdp X.124 - gsmtp (in reply to end of DATA
>> command))
>>
>>
>> What am I missing other than the suggested fax?
>>
>> ~Seth
Re: [mailop] Google rejects a TLS connection saying it needs TLS...
That's a custom rejection message set by that GSuite customer, no clue what policy they set.

Brandon

On Mar 15, 2017 9:35 PM, "Seth Mattinen" wrote:

> Here's one I'm hoping someone can tell me I'm missing something obvious:
> Google is rejecting a TLS connection with an error saying to use TLS, but
> the connection is indeed using TLS.
>
>
> 2017-03-15T21:03:15.960985-07:00 smtpauth postfix/smtp[14716]: Trusted
> TLS connection established to aspmx.l.google.com[2607:f8b0:400e:c06::1a]:25:
> TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>
> 2017-03-15T21:03:17.241821-07:00 smtpauth postfix/smtp[14716]:
> E6AB62800049: to= ,
> relay=aspmx.l.google.com[2607:f8b0:400e:c06::1a]:25,
> delay=5.3, delays=3.1/0/0.93/1.2, dsn=5.7.1, status=bounced (host
> aspmx.l.google.com[2607:f8b0:400e:c06::1a] said: 550-5.7.1 Your email has
> been rejected because it violates X X 550-5.7.1 security policy. Potential
> sensitive data was found in the email 550-5.7.1 and/or attachment and your
> email server does not support TLS 550-5.7.1 encryption. Please use and
> alternate method of delivery such as fax 550 5.7.1 or a different email
> provider that supports TLS. - gcdp X.124 - gsmtp (in reply to end of DATA
> command))
>
>
> What am I missing other than the suggested fax?
>
> ~Seth
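
An added example, not part of the thread or any poster's code: a Python check that correlates the Postfix smtp client's TLS handshake line with a later bounce whose remote reply claims TLS was missing, which is the mismatch in the log quoted above. The sample log lines, hostnames, recipients and queue IDs are constructed placeholders, and the phrase list in `NO_TLS_CLAIM` is an assumption.

```python
import re

# Constructed sample modelled on the log in the thread; every host, address and
# queue ID is a placeholder. Postfix writes each record on a single line.
SAMPLE_LOG = """\
2017-03-15T21:03:15.960985-07:00 mx1 postfix/smtp[14716]: Trusted TLS connection established to mx.example.net[2001:db8::1a]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
2017-03-15T21:03:17.241821-07:00 mx1 postfix/smtp[14716]: AAAA00000001: to=<user@example.net>, relay=mx.example.net[2001:db8::1a]:25, delay=5.3, dsn=5.7.1, status=bounced (host mx.example.net[2001:db8::1a] said: 550-5.7.1 Potential sensitive data was found in the email 550-5.7.1 and your email server does not support TLS 550 5.7.1 encryption. (in reply to end of DATA command))
2017-03-15T21:04:02.000000-07:00 mx1 postfix/smtp[14720]: BBBB00000002: to=<user@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=1.1, dsn=5.7.1, status=bounced (host mx.example.org[192.0.2.25] said: 550 5.7.1 Your email server does not support TLS encryption (in reply to end of DATA command))
"""

TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<trust>\w+) TLS connection established "
    r"to (?P<relay>[^\s\[]+\[[^\]]+\]:\d+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
BOUNCE_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^\s\[]+\[[^\]]+\]:\d+),.*?dsn=(?P<dsn>[\d.]+), "
    r"status=bounced \((?P<reply>.*)\)$")
# Assumed wording for "you did not use TLS" in a remote reply; extend as needed.
NO_TLS_CLAIM = re.compile(r"does not support TLS|requires? TLS|must use TLS", re.I)

def classify_tls_bounces(log_text):
    """Return one finding per bounce whose remote reply claims TLS was missing."""
    # (pid, relay) -> (protocol, cipher) of the last handshake that process logged.
    # Assumption: a later plaintext session from the same pid to the same relay
    # does not occur in the window being analysed.
    sessions = {}
    findings = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            sessions[(m["pid"], m["relay"])] = (m["proto"], m["cipher"])
            continue
        m = BOUNCE_RE.search(line)
        if not m or not NO_TLS_CLAIM.search(m["reply"]):
            continue
        tls = sessions.get((m["pid"], m["relay"]))
        findings.append({
            "queue_id": m["qid"], "rcpt": m["rcpt"], "dsn": m["dsn"], "tls": tls,
            # An encrypted session plus a "no TLS" reply points at the recipient's
            # own policy text, not at a transport fault on the sending side.
            "verdict": "policy-reject-despite-tls" if tls else "sent-in-plaintext",
        })
    return findings

if __name__ == "__main__":
    for finding in classify_tls_bounces(SAMPLE_LOG):
        print(finding)
```
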