Secure email

Deleted member 77746 · 7 Nov 2020 at 14:10

@jpod

https://docs.microsoft.com/en-us/mi...ge-signing-and-encryption?view=o365-worldwide

Vince said:
It's worth finding out Will make it much easier to point you in the right direction 0365 may not be the easy choice depending on what they ask for.

I certainly would be asking for them to clarify what their recommendations is first.

jpod · 7 Nov 2020 at 14:11

Vince said:
It's worth finding out Will make it much easier to point you in the right direction 0365 may not be the easy choice depending on what they ask for.

I said I was a noob! When I check my email I do it in Chrome. The address is https://outlook.live.com/mail/0/inbox

My email address is me at my domain name which is hosted on Dreamhost.

Does that answer your question? Haha

I am guessing that is webmail? Could be wrong.

Vince · 7 Nov 2020 at 14:12

can you pm me your email address and ill go have a look where your mx records point.

Vince · 7 Nov 2020 at 14:13

jpod said:
I said I was a noob! When I check my email I do it in Chrome. The address is https://outlook.live.com/mail/0/inbox

My email address is me at my domain name which is hosted on Dreamhost.

Does that answer your question? Haha

I am guessing that is webmail? Could be wrong.

That doesnt mean much tbh as you can send emails from your own domain in some sketchy ways via google / microsoft. The MX records will tell us where things go

Deleted member 77746 · 7 Nov 2020 at 14:13

jpod said:
I said I was a noob! When I check my email I do it in Chrome. The address is https://outlook.live.com/mail/0/inbox

My email address is me at my domain name which is hosted on Dreamhost.

Does that answer your question? Haha

I am guessing that is webmail? Could be wrong.

oh in that case it might already be 0365 if Dreamhost do it.

Looks like they are doing hosted.

jpod · 7 Nov 2020 at 14:17

Good point!

I had a look at NHS emails
https://www.england.nhs.uk/primary-care/dentistry/nhsmail-for-the-dental-team/

https://support.nhs.net/

They are using MS 365 too!

Deleted member 77746 · 7 Nov 2020 at 14:19

Drop your email to vince and let him do a check. Soon as he does a MX check you can tell where it goes.

Vince · 7 Nov 2020 at 14:21

your email resolves to Microsofts Hosted Exchange platform aka O365. Now all you need to work out is if you run a hybid i.e. do you have an AD server local?

Your host, like all other hosts, simply rebrand "whitelabel" Microsofts Hosted Exchange Platform. In terms of integration it shouldn't be too hard to link things up. I'll have a little read of the NHS documentation also.

So if you go here:

https://support.nhs.net/knowledge-base/technical-pre-requisite-tasks/

You can see the following chart of pre req's:

To me it looks like they are just enforcing TLS so on O365 you should be good to go, other checks for non o365 seem to be around checking for open relay, split tunnel vpn? not sure why as all that is doing is forcing remote clients out over local for internet based services. Likely this is to protect NHS bandwidth. But pretty much they are enforcing TLS.

It appears to me that once you sign up and you meet requirements from a server and client version in terms of tls that they will then, for 10 mailboxes pre authenticate emails. This TLS is forced on a receive connector option in exchange. After that the pre authenticated mailbox after registration will likely add your email into delivery restrictions in the mailbox itself in exchange that looks like this:

I dont think they will force partners onto their platform just force clients to pre auth via a form and then meet tls requirements.

Deleted member 77746 · 7 Nov 2020 at 14:28

Vince said:
Your host, like all other hosts, simply rebrand "whitelabel" Microsofts Hosted Exchange Platform. In terms of integration it shouldn't be too hard to link things up. I'll have a little read of the NHS documentation also.

Looks like it's NHSMail that they are rolling out. I bet they want you to move over to their platform. Which is fine.

jpod · 7 Nov 2020 at 14:47

Vince said:
your email resolves to Microsofts Hosted Exchange platform aka O365. Now all you need to work out is if you run a hybid i.e. do you have an AD server local?

.......

Your host, like all other hosts, simply rebrand "whitelabel" Microsofts Hosted Exchange Platform. In terms of integration it shouldn't be too hard to link things up. I'll have a little read of the NHS documentation also.

So if you go here:

https://support.nhs.net/knowledge-base/technical-pre-requisite-tasks/

You can see the following chart of pre req's:

To me it looks like they are just enforcing TLS so on O365 you should be good to go, other checks for non o365 seem to be around checking for open relay, split tunnel vpn? not sure why as all that is doing is forcing remote clients out over local for internet based services. Likely this is to protect NHS bandwidth. But pretty much they are enforcing TLS.

Just so I understand this correctly. When you say good to go....does that mean I am already running TLS and my current set up is the equivalent in security?

Or does that mean there is some work to take place - AD server local (I know the tune but not the words here.......) and with that work it will be the equivalent in security and local colleagues should not fear emailing patient info back and forth?

I am sorry to have an utter noob understanding - I am a much better dentist! I may be AFK for a while shortly. Many thanks to all btw.

Vince · 7 Nov 2020 at 14:51

jpod said:
Just so I understand this correctly. When you say good to go....does that mean I am already running TLS and my current set up is the equivalent in security?

Or does that mean there is some work to take place - AD server local (I know the tune but not the words here.......) and with that work it will be the equivalent in security and local colleagues should not fear emailing patient info back and forth?

I am sorry to have an utter noob understanding - I am a much better dentist! I may be AFK for a while shortly. Many thanks to all btw.

I added a bit to my previous post. Really it boils down to (and I cant get to this bit for obvious reasons) sign up to the service, you can then enter 10 email addresses to pre auth against a single address at the nhs side. (there side is already set up and enforces tls via a receive connector, basically that bit you don't need to worry about.) I am pretty sure you will register your addresses and then they will pre authenticate those email addresses against the address provided by them to you. At which point providing your server supports TLS you can simply send an email, if the tls handshake is successful your email will arrive to them.

If you are unsure and wanted to have a chat with somebody to get things clear without all the techie that talking on a forum brings out then i'm happy to post my number for you in dm where you sent me your email and I can explain how all this works in simple terms and what steps you might need to take or to answer questions once you have provided them your emails. Im fairly sure though from reading the documentation that they aren't forcing your platform, but are forcing the level of security needed to communicate with them.

jpod · 7 Nov 2020 at 14:57

Vince said:
I added a bit to my previous post. Really it boils down to (and I cant get to this bit for obvious reasons) sign up to the service, you can then enter 10 email addresses to pre auth against a single address at the nhs side. (there side is already set up and enforces tls via a receive connector, basically that bit you don't need to worry about.) I am pretty sure you will register your addresses and then they will pre authenticate those email addresses against the address provided by them to you. At which point providing your server supports TLS you can simply send an email, if the tls handshake is successful your email will arrive to them.

Final noob question before I give you a break and I get some UV...I assume other non dental folk will be able to email to my regular email address - is that correct?

Vince · 7 Nov 2020 at 14:59

jpod said:
Final noob question before I give you a break and I get some UV...I assume other non dental folk will be able to email to my regular email address - is that correct?

Correct - TLS is deterministic for that very reason

Also - Sorry I keep updating posts, more again above!

edit: It's also worth pointing out that they do say that in terms of routing that changes may need to be made, reading between the lines that will be checking against smtp open relay, there are online checks and I can check your email/server to see if allows open smtp relay, generally this is a no-no when setting up any email system. But unless you correctly route traffic in and out of your firewall it's perfectly possible to be running hybrid 365 while being an open relay (most unlikely in this instance as you would also need an exchange server your end).

jpod · 7 Nov 2020 at 15:07

Vince said:
Correct - TLS is deterministic for that very reason Also - Sorry I keep updating posts, more again above!

Vince thank very much indeed. I will have a read and thank you for your kind offer.

I am grateful to be able to ask advice from you all and it increases my IT-IQ, thank you.

Vince · 7 Nov 2020 at 15:16

jpod said:
Vince thank very much indeed. I will have a read and thank you for your kind offer.

I am grateful to be able to ask advice from you all and it increases my IT-IQ, thank you.

NP and good luck I am glad for you that it's just TLS And not S/MIME as S/MIME requires quite a lot of fairly complex setup. Where as the receiving server forcing TLS is trivial in all honestly so long as you meet platform requirements.