Re: [exim] for europeans only: EU GDPR and mitigation of C…

Author: Sebastian Nielsen
To: 'Cyborg', 'Cyborg via Exim-users'
Subject: Re: [exim] for europeans only: EU GDPR and mitigation of CVE-2019-15846
No, that's not entirely true that you need to disable cleartext transmission.
You must however, according to GDPR, support encrypted transmission if you operate a business where personal details more sensitive than a name + email address MAY arrive, but you do not need to reject cleartext transmission unless there's a risk of receiving information that is prohibited over email altogether.

You should however support TLS (you do not need to limit it to TLS 1.2+, however; TLS 1.0/TLS 1.1 is perfectly fine if you need to support legacy servers), AND also negotiate the strongest ciphers available.

It's the same as you don't need to disable the HTTP port on web servers, but you should provide the most secure means available during negotiation by redirecting the user.
I would also recommend running SMTP-STS if that's available, but it's not a strict requirement.

It depends entirely on which business you operate. GDPR says that you must use the method of securing personal data in transit that is "reasonable". "Reasonable" is judged both on what securing methods are available, and on the type of personal details you intend to transmit, and the cost of implementing the securing methods.

Many "GDPR experts" think you now as a sole proprietor need to outsource your email server and are "no longer allowed to run an email server from the wardrobe" because of GDPR requiring physical security, but that's not true; it depends on the amount of personal details you process, and the sensitivity of those.

Note that Let's Encrypt isn't open for everyone - there's a fair amount of blacklisted domains and TLDs that cannot be used for Let's Encrypt (either due to the registry not abiding by CAB policies, or due to a blacklisted word being too similar to a so-called "high risk organization"). That does not mean that you as a sole proprietor need to cough up for a real certificate - which you would have to do to be able to run SSL/TLS if you are blacklisted at Let's Encrypt.

In other words:
If you operate a small business which mainly does B2B, then you don't need any protection at all on contact forms and email servers. Names and email addresses are considered low-risk details, same with IP addresses.
If you operate a webshop for example, then you should have SSL on both website and email - you may receive emails containing order IDs and/or delivery addresses, which are medium-risk details.
If you operate a healthcare facility for example, then you must disable cleartext transmission as there is a very high risk that medical information is sent that way even if not intended. You can however gate this by RCPT TO, so only emails that are targeted at healthcare professionals and such need to be encrypted, but not an email to the accountant or the cleaning personnel or other non-medical personnel.

Running SMTP-STS is a good way to mitigate any risk of MITM tampering with communications to degrade it to unencrypted, but GDPR doesn't focus on MITM; it focuses more on passive listening.

Since gaining root access to an email server means all emails are immediately compromised, it's OK to mitigate or disable SSL/TLS until a fix is released. You do NOT need to inform customers or people of this, because the action is temporary, and is aimed at disabling an exploit. Unless you run a healthcare facility - then it's safer to disable the email server altogether.
Note that a sniffed email is ONE compromised email. A whole email server is lots of compromised emails.
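
Added example (not part of the post above, and not the author's or the Exim project's own configuration): an Exim 4 configuration fragment showing the two knobs the post talks about, the temporary mitigation of not advertising STARTTLS at all while the TLS code is unpatched, and the per-recipient gating in the RCPT ACL so that only recipients who may receive medical data refuse cleartext while the accountant and cleaning staff are still reachable. The domain, the lookup file path and the idea of listing local parts in a file are assumptions made for the example; `tls_advertise_hosts`, the `encrypted` ACL condition and the `local_parts` lookup are standard Exim options.

```exim
# ---- main section -------------------------------------------------------
domainlist local_domains = clinic.example      # assumed domain

# Temporary mitigation while a TLS bug is unpatched: an empty
# tls_advertise_hosts means STARTTLS is never offered, so the TLS code
# path is never entered. Uncomment only for the duration of the fix.
# Note that with it in place the TLS-only recipients below receive no
# mail at all, which matches the "disable the server" advice for
# healthcare in the post.
#tls_advertise_hosts =

# Normal operation: keep the default (advertise TLS to everyone) and
# decide per recipient in the RCPT ACL whether cleartext is acceptable.
acl_smtp_rcpt = acl_check_rcpt

# ---- ACLs ---------------------------------------------------------------
begin acl

acl_check_rcpt:
  # Recipients listed in this file (assumed path, one local part per
  # line, e.g. the clinical staff) are only accepted over an encrypted
  # session. "encrypted = *" is true when the connection has STARTTLS
  # negotiated; the negated form catches cleartext sessions.
  # Cheap list checks come first so the lookup only runs for local mail.
  deny
    message     = Encryption (STARTTLS) is required for this recipient
    log_message = cleartext RCPT to TLS-only recipient rejected
    domains     = +local_domains
    local_parts = lsearch;/etc/exim/tls_required_recipients
    !encrypted  = *

  # Everyone else at our domains (accounting, cleaning, reception) is
  # accepted regardless of whether the session is encrypted, which is
  # the "gate by RCPT TO" behaviour described in the post.
  accept
    domains     = +local_domains

  # Not one of our domains and no relay rules: reject.
  deny
    message     = relay not permitted
```

Usage note: a sending MTA that falls back to cleartext after a failed STARTTLS will now see a 5xx at RCPT for the listed local parts and keep the message queued on its side rather than delivering it in the clear; mail for unlisted local parts on the same server is unaffected. When the temporary `tls_advertise_hosts =` line is active the deny rule fires for every message to the listed recipients, so remove the line as soon as the patched Exim is installed.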