I also got this letter and installed StartTLS now. On my mailserver (hMailServer) there is also no PFS option - but I think it's not necessary. They write in the letter that PFS is only necessary if you use SSL/TLS instead of StartTLS.
Would it be possible to post one of these letters here with personal stuff blacked out (or contact me via PM). Would like to see what they write exactly.
Thanks twaldorf for the info. Are you (or others reading this) able to forward me the letter form the Bayerisches Landesamt für Datenschutzaufsicht as pm? Of course anonymized if necessary!
I scanned the letter, but there is no option for attachments in PM.
The link above includes the sentence I talked about "Findet im Rahmen der Nachrichtenübermittlung das Verschlüsselungsprotokoll SSL/TLS Einsatz, so ist zudem das Verschlüsselungsverfahren Perfect Forward Secrecy zum erhöhten Schutz der übermittelten Daten notwendig."
In my opinion this means that PFS ist not necessary as long as you don't use SSL/TLS. But I wrote an email to my contact at Bayerisches Landesamt für Datenschutzaufsicht to have an official affirmation.
8. Welche Konsequenzen drohen, wenn die erforderlichen technischen Maßnahmen nicht umgesetzt werden?
Zur Gewährleistung der Einhaltung des BDSG kann das BayLDA als Aufsichtsbehörde nach § 38 Abs. 5 Satz 1 die Maßnahmen zur Beseitigung festgestellter Verstöße anordnen.
Well, twaldorf, I'm sure your German is better than mine [;)], but I read that document as assuming that StartTLS is included in all of the comments about SSL/TLS.
jlan, does your mail server support PFS? If not, then I don't think turning on your DNAT will satisfy the authorities.
Cheers - Bob PS I'd be interested in learning the politics of this. I suspect that several politicians got large (legal, I'm sure) payments from somewhere. This kind of government overreach occurs all too often.
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
I received a note from the developers' area saying that they are now evaluating whether this feature, planned for 9.3, can be included in a coming release of 9.2.
If you have received a letter from the Bayerisches Landesamt für Datenschutzaufsicht, I suggest that you have your reseller submit a ticket to Sophos Support saying that you need PFS very quickly.
Cheers - Bob PS I posted this first in the German Forum, bit since I know some of you Deutsche seldom go there, I also posted it here. [;)]
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
We have been working hard to push for a sooner release and here's the good news: We plan to release PFS support in UTM 9.207. This will soon already be available as soft-release (next 1-2 weeks...).
