Mail Encryption: One-Way / Clientless ( SPX )
A system whereby customers can encrypt messages with the recipient having no in-place method to decrypt them, such as is currently possible with Smime/pgp setups.. Allows encryption to satisfy needs of many companies that do not havfe setup relationships with key exchanges and such, like Health Care, Government, Education etc... it should be very easy to use.
We tentatively plan to include this in our UTM 9.2 release later in 2013.
Are there any news about this feature? This is one of the most missing features, we've got. Are there any release plans for 9.2?
Maybe it can be done like this:
1. Astaro checks if the public key already exists in the local database
3. If not, Astaro send only an unencrypted notification email out, which includes a link to the user portal. (Password by SMS for example)
4. In the user portal, two option
Option 1: Use a Web Frontend (similar to Hotmail, Gmail, etc.) to view and reply
Option 2: The Astaro creats a S/MIME or PGP Key and the User can download it and install it on his local computer. After the Astaro send the encrypted email out.
Jürgen Roth commented
We have to establish a secure mail transport to a large company.
Because every company has its own implementation, it's currently not possible to establish this! What we need is at minimum one of the following:
* A domain wide PGP Key for the internal domain.
* A domain wide PGP Key for the external Domain and a policy to use this key for all recipients in this domain (we got a public key for “email@example.com”).
* A policy to make STARTTLS mandatory for a domain.
* A check if the hostname of the mail exchanger is the same as the CN of the certificate.
* A way to modify the recipients address: e.g. change “USERNAME” firstname.lastname@example.org to email@example.com <firstname.lastname@example.org> (use the users email address as real name and change the email address to a gateways email address)
It would be gratefully if there will be more flexibility in the email encryption with flexibility of regex in policies and also to modify email addresses.
An automated email to the admin for certificates that are at the end of life would also be gratefully!
Sascha Paris commented
This could for example be done via HTTPS portal where customer has to register to view/download encrypted document or to send encrypted PDFs. However, it should work with "standard" equipment on a daily use PC without the need to install additional Software. This would be really helpful to acceptance of mail encryption.
Djigzo i.e. can send PDF with encryption (password) and send password via SMS. You could do the same with ZIP i.e.
Hagen von Eitzen commented
Isn't at last server-to-server encryption (TLS) already available?
Although I agree that a domain-wide key would be desireable, the consequences would be (if example.com uses astaro with this feature):
- email@example.com can sign (with domain-wide signature) outgoing mail; the local admin has to make sure that nobody can forge a coworkers sender address (this shouldn't be a problem)
- anybody@anywhere can encrypt mail to firstname.lastname@example.org with domain-wide encryption; they have to be aware, though, that e.g. secretaries with access to the recipients mailbox can read the mail (sometimes this is a bug, sometimes a feature)
However, any mail in the opposite direction still requires a key exchange as usual, though this is no problem for replys to incoming (signed) mails.
Something we are interested in yes. This is the same request as http://feature.astaro.com/pages/17359-astaro-gateway-feature-requests/suggestions/178379-mail-encryption-one-way-clientless. In the future, we'll merge ideas together once this system launches that ability.
Yes and on the encryption session you will need to do man-in-the-middle in able to accomplish other products do this astaro ofcourse
Bob Alfson commented
Sorry, I don't understand. What good is encryption if the recipient doesn't need special tools?
Syed Fiyaz commented
Yes, most of the competitive products does this. . . why not astaro?
I hope I got the point right: Would this be support for PGP/Inline (or PGP/Classic)?