NHS email encryption
Dave Howe
ukcrypto at chiark.greenend.org.uk
Sat, 25 Aug 2007 17:43:26 +0100
Adrian Midgley wrote:
> Is it possible to document that (I mean further than just saying it - I
> believe you of course)?
I will check when I am back at work next week - we "resolved" the
problem by forcing use of HELO on the systems affected, but could turn
that off temporarily (or just use PuTTY for the exchange :)
> And can I confirm that this would mean that the system being presented
> to doctors and all other NHS workers as providing encrypted ("end to
> end" no less) transmission to collect mail by (webmail and) POP3 and
> IMAP4 over SSL so as to safely carry patient-identifiable information
> between places in the NHS network and places outside it, does not
> provide that encryption when operated as described?
When connected to from outside of the NHS? Presumably that is outside of
their secure zone, so isn't affected either way by any assertions they
have made regarding NHS-only mail.
I would just route the traffic over N3, but the conditions of usage for
our N3 link are that it is airgapped from our main network -
inconvenient, to say the least.
> Or is it possible that there is some secret sauce in Microsoft
> Outlook/Express which causes the server to communicate with it as
> securely as any Microsoft application and other standard-compliant
> systems for email to be served a degraded performance? (Why does this
> sound so horribly familiar and plausible?)
I think it is more that they don't want to do TLS to anyone outside of
their "trusted domain". My understanding is that TLS works fine for
"internal" users, but they don't know how to turn off the STARTTLS ad
for EHLO for external users without also disabling it for internal...
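
Added example, not part of the original message and not the poster's code: a Python check that compares what a server advertises in its EHLO reply with how it answers the STARTTLS command, run over captured reply lines. The message does not say how the failure appears on the wire, so the sample replies, the hostname and the 454 refusal are constructed assumptions, and the function names are hypothetical.

```python
import re

# One SMTP reply line: 3-digit code, "-" (more lines follow) or " " (last line), text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(lines):
    """Parse one (possibly multi-line) SMTP reply into (code, [text, ...])."""
    code, texts = None, []
    for raw in lines:
        m = REPLY_LINE.match(raw.rstrip("\r\n"))
        if not m:
            raise ValueError(f"malformed reply line: {raw!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        code = m.group(1)
        texts.append(m.group(3))
        if m.group(2) == " ":
            return int(code), texts
    raise ValueError("reply not terminated")

def ehlo_extensions(greeting_lines):
    """Extension keywords from a 250 reply; a HELO reply yields an empty set."""
    code, texts = parse_reply(greeting_lines)
    if code != 250:
        return set()
    return {t.split()[0].upper() for t in texts[1:] if t.strip()}

def classify(greeting_lines, starttls_lines=None):
    """Compare what the server advertises with how it answers STARTTLS."""
    if "STARTTLS" not in ehlo_extensions(greeting_lines):
        return "not-advertised"          # no TLS upgrade will be attempted
    if starttls_lines is None:
        return "advertised-untested"
    code, _ = parse_reply(starttls_lines)
    # 220 only means the server agreed to begin the handshake.
    return "tls-ready" if code == 220 else "advertised-but-refused"

# Constructed sample replies (hostnames and texts are made up).
EHLO_REPLY = ["250-mail.example.invalid Hello\r\n", "250-SIZE 10240000\r\n",
              "250-STARTTLS\r\n", "250 8BITMIME\r\n"]
HELO_REPLY = ["250 mail.example.invalid Hello\r\n"]
STARTTLS_REFUSED = ["454 TLS not available due to temporary reason\r\n"]
STARTTLS_READY = ["220 Ready to start TLS\r\n"]

if __name__ == "__main__":
    print(classify(EHLO_REPLY, STARTTLS_REFUSED))
    print(classify(HELO_REPLY))
    print(classify(EHLO_REPLY, STARTTLS_READY))
```

A session forced to HELO classifies as "not-advertised", which is why that workaround avoids the failing upgrade and also leaves the session unencrypted.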