Mail Encryption: One-Way / Clientless ( SPX )
A system whereby customers can encrypt messages with the recipient having no in-place method to decrypt them, such as is currently possible with S/MIME/PGP setups. Allows encryption to satisfy the needs of many companies that do not have set-up relationships with key exchanges and such, like Health Care, Government, Education etc. It should be very easy to use.
We tentatively plan to include this in our UTM 9.2 release later in 2013.
Jürgen Roth commented
We have to establish a secure mail transport to a large company.
Because every company has its own implementation, it's currently not possible to establish this! What we need is at minimum one of the following:
* A domain wide PGP Key for the internal domain.
* A domain wide PGP Key for the external domain and a policy to use this key for all recipients in this domain (we got a public key for “firstname.lastname@example.org”).
* A policy to make STARTTLS mandatory for a domain.
* A check if the hostname of the mail exchanger is the same as the CN of the certificate.
* A way to modify the recipient's address: e.g. change “USERNAME” email@example.com to firstname.lastname@example.org <email@example.com> (use the user's email address as the real name and change the email address to a gateway's email address).
It would be great if there were more flexibility in the email encryption, with regex support in policies and the ability to modify email addresses.
An automated email to the admin for certificates that are at the end of their life would also be greatly appreciated!
Sascha Paris commented
This could for example be done via an HTTPS portal where the customer has to register to view/download the encrypted document or to send encrypted PDFs. However, it should work with "standard" equipment on a daily-use PC without the need to install additional software. This would really help the acceptance of mail encryption.
Djigzo, e.g., can send PDFs with (password) encryption and send the password via SMS. You could do the same with ZIP, e.g.
Hagen von Eitzen commented
Isn't at least server-to-server encryption (TLS) already available?
Although I agree that a domain-wide key would be desirable, the consequences would be (if example.com uses Astaro with this feature):
- firstname.lastname@example.org can sign (with the domain-wide signature) outgoing mail; the local admin has to make sure that nobody can forge a coworker's sender address (this shouldn't be a problem)
- anybody@anywhere can encrypt mail to email@example.com with domain-wide encryption; they have to be aware, though, that e.g. secretaries with access to the recipient's mailbox can read the mail (sometimes this is a bug, sometimes a feature)
However, any mail in the opposite direction still requires a key exchange as usual, though this is no problem for replies to incoming (signed) mails.
Something we are interested in, yes. This is the same request as http://feature.astaro.com/pages/17359-astaro-gateway-feature-requests/suggestions/178379-mail-encryption-one-way-clientless. In the future, we'll merge ideas together once this system launches that ability.
Yes, and on the encryption session you will need to do a man-in-the-middle to be able to accomplish this; other products do this, Astaro of course.
Bob Alfson commented
Sorry, I don't understand. What good is encryption if the recipient doesn't need special tools?
Syed Fiyaz commented
Yes, most of the competing products do this... why not Astaro?
I hope I got the point right: Would this be support for PGP/Inline (or PGP/Classic)?