

Option to bypass encryption if TLS used

encryption TLS DLP HIPAA content filter

This topic has been archived. This means that you cannot reply to this topic.
3 replies to this topic

#1 Johnny Lee Conroy

Johnny Lee Conroy
  • Members
  • 33 posts

Posted 16 August 2017 - 01:11 PM

We would love to see an option to bypass encryption of messages flagged by predefined outbound content filters when TLS connections are used to transmit the message.


Some background:  We turned on the HIPAA Data Leakage Prevention filter for subject and body of messages to ensure secure transmission of messages that might include patient health information (PHI).  (Block/Accept -> Content Filtering, bottom of the page.)  Since we are a hospital, much of our outbound mail contains medical terminology and between that and the street address and phone numbers that are often in senders' signatures, an inordinate number of messages without PHI are getting unnecessarily encrypted.


We run the Email Encryption Details report weekly and are starting to exempt recipient domains that use TLS connections.  (We add the exemptions in the Basic -> Administration page down at the "Email Encryption Service" section.  You can identify the messages sent over TLS connections in the Message Log if you change the view to include the Encryption column.)  It's a lot of maintenance and a lot of domains.  Assuming that the email gateway can detect that a TLS connection is going to be used, it would save a lot of work if there was an option within the gateway configuration to not encrypt messages flagged by the content filter if a TLS connection is used.

#2 Noah Carlisle

Noah Carlisle
  • Members
  • 3 posts

Posted 16 January 2019 - 11:57 AM

We are also utilizing Barracuda Encryption. I have been setting up rules on the Barracuda for quite some time for domain-specific accounts with TLS enabled. I set up the bypass encryption for the domain and I also set up the require TLS option for the domain to make sure any mail will not get delivered unless a TLS connection is made. We get mail from other vendors that have this capability and have been looking into it. I really would like to stay with Barracuda.


Having the ability to set up a rule that will allow bypass of encryption services with any domain that has a verified TLS connection and will include a customizable banner informing the recipient that the email was delivered securely would be a great addition to the firewall.
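
The weekly review described in post #1, paired with the require-TLS setting from post #2, can be partly scripted. The sketch below is an added example, not part of the original posts and not Barracuda code: it assumes a hypothetical CSV export of the Message Log with `recipient` and `encryption` columns (constructed sample data inline) and lists recipient domains whose every logged delivery used TLS.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names and values are assumptions,
# not the gateway's real Message Log format.
SAMPLE_LOG = """recipient,encryption
alice@clinic.example,TLS
bob@clinic.example,TLS
carol@clinic.example,TLS
dan@lab.example,TLS
erin@lab.example,None
frank@state.example,Portal
grace@state.example,TLS
heidi@small.example,TLS
"""


def tls_exemption_candidates(log_text, min_messages=3):
    """Return sorted domains where every logged delivery used TLS.

    Domains with fewer than min_messages deliveries are skipped, because
    one or two TLS sessions say little about the remote server.
    """
    stats = defaultdict(lambda: {"total": 0, "tls": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        address = row["recipient"].strip().lower()
        if "@" not in address:
            continue  # malformed recipient, ignore the row
        domain = address.rsplit("@", 1)[1]
        stats[domain]["total"] += 1
        if row["encryption"].strip().upper() == "TLS":
            stats[domain]["tls"] += 1
    return sorted(
        domain for domain, s in stats.items()
        if s["total"] >= min_messages and s["tls"] == s["total"]
    )


if __name__ == "__main__":
    for domain in tls_exemption_candidates(SAMPLE_LOG):
        # Past TLS use may have been opportunistic, so each exemption
        # should be paired with the require-TLS setting for that domain.
        print(domain)
```

A domain on this list has only been observed using TLS in the past; setting require TLS alongside the encryption exemption, as post #2 does, is what prevents a later fallback to cleartext delivery.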

#3 Steve Braaten

Steve Braaten
  • Members
  • 5 posts

Posted 06 June 2019 - 06:30 PM



Is there a way we can escalate this request? 


As a HIPAA entity we are looking to enable encryption ONLY on an email connection where TLS cannot be a requirement as they do not support TLS and the DLP detects a HIPAA trigger.  In its current form this DLP HIPAA flag is identifying so much that it is unusable for our recipients.  Most have denied communicating with us through the Barracuda encryption portal as their only approved portal for use is their own portal.  Since these organizations are at the State level, we cannot legally dictate they enter our portal.


The HIPAA DLP process needs this option to instead use required TLS.  Proofpoint is a service, similar to Barracuda Email Security, which the state is using to only use DLP triggered encryption when TLS is not being required.


Adding this feature request would be very easy.  A simple checkbox on each domain listed in Outbound Connections -> DLP/Required would allow an easy and simple method to enable this for each domain.  This would also allow a means for an organization using Barracuda to also have the ability to use the DLP Encryption and TLS concurrently if they desired.  Our organization however would like DLP disabled if TLS for a domain is a requirement within the DLP\Required section for outbound connections.  Adding this one feature will enable us to be 100% HIPAA Compliant in all scenarios and compete directly with what Proofpoint is doing for other organizations.


Please escalate this as soon as possible.  When working with HIPAA Entities this is essential.


-Steve Braaten

#4 Cozad

  • Members
  • 1 posts

Posted 22 May 2020 - 03:08 PM

I would like to also ask that not only HIPAA, but all predefined filters are allowed through if TLS 1.1 or 1.2 is used.  I work in the financial services industry and we also need to put in protection. However, we get way too many false positives and in my estimation at least 90% of the servers out there are using TLS 1.1 or 1.2.  Unfortunately, there are still servers not utilizing TLS 1.1 or 1.2 and I don't want anything private to go out unencrypted at the transport level.


I would add my name to the list of people who would like to see this escalated.


Craig Kiddoo