There are many supposedly local email clients that do not store access data and/or emails and calendar data on the end device itself, but in the cloud of the software provider. Access to TU Braunschweig email servers is then established not via a direct connection, but via the provider's server.
The storage of access data on the software provider's servers violates in particular the GITZ password policy (https://www.tu-braunschweig.de/fileadmin/Redaktionsgruppen/Einrichtungen/IT/Ordnungen/password-policy.pdf): "The user ID and password must not be stored on external systems".
In addition, the storage of emails and their content on external servers fundamentally jeopardises the confidentiality of sensitive data and contradicts EU GDPR-compliant use, as all (personal) data in the email inboxes is made accessible to the software provider. In addition, depending on the individual case, other legal and/or contractual regulations may also be violated. Transmitting credentials and emails through third parties will regularly constitute a breach of confidentiality regulations and a breach of data protection law for employees in the public sector.
The use of email clients of this type for TU Braunschweig email inboxes is therefore prohibited. This prohibition also applies to the linking of TU Braunschweig email accounts with the services of (cloud) email providers that require the deposit of TU Braunschweig access data and / or retrieve customer emails on their behalf (mail collection services).
The following is a list of email clients and apps which, according to current knowledge, exhibit this problematic behaviour and may not be used at TU Braunschweig. This list is not exhaustive and may be expanded as further information becomes available. Problematic apps will be added to the blacklist. Apps and applications that show the prohibited behaviour may not be used even if they are not (yet) on this list.
The unauthorised email clients may be technically excluded from access to TU Braunschweig systems without further notice.
Windows 10 and 11
The "new Outlook for Windows" (supplied with Windows 11). Outlook as part of MS Office is not affected; see the permitted e-mail clients below.
Android / iOS
Mobile apps are particularly frequently affected.
Not Authorised Apps | Developer / Publisher |
---|---|
new Outlook/Mail App (included in Windows 11) | Microsoft |
Outlook app for iOS and Android | Microsoft |
Certain versions of Microsoft Outlook for Mac with activated "Microsoft CloudSync" | Microsoft |
Edison Mail | Yipit |
Xiaomi Mail / MiMail | Xiaomi |
Newton Mail | Cloud Magic |
BlueMail | Blix Inc. |
myMail | VK |
Mail.ru | VK |
Canary Mail | Canary Mail |
Spark | Readdle |
Email TypeApp | TypeApp LLC |
E-Mail – Schnelle Mail | Edison Software |
E-Mail für Outlook & andere | Craigpark Limited |
The classic licence-based Outlook programme is not affected by this problem. This is part of the Microsoft Office package and retrieves emails directly from our servers without storing the login data in the Microsoft Cloud. You can use Outlook under Windows and MacOS in the current versions (2016, 2019 and 2021). The use of the web-based version, the Outlook Web App (OWA), is also uncritical, including mobile devices.
Furthermore, Thunderbird (Windows, Linux, MacOS) and Apple Mail (Mac OS) are not considered critical.
For iOS, we recommend using the pre-installed Apple Mail app.
As far as we are aware, the pre-installed standard Android mail apps are not affected by the security flaws, with the exception of Xiaomi Mail (see above). On Xiaomi devices, as on other Android devices, the Gmail app can be used as an alternative. Other alternatives are FairEmail, K-9 Mail or Nine - Email & Calendar (non-free). The Nine app also offers full calendar and task integration.
Authorised apps | Developer / Publisher |
---|---|
Classic licence-based Microsoft Outlook programme (2016, 2019, 2021) under Windows and MacOS | Microsoft |
Outlook Web Access (OWA) (Browser Access) | Microsoft |
Apple Mail (MacOS), Apple Mail App (iOS) | Apple |
Thunderbird | Mozilla |
Pre-installed standard mail apps under Android (except Xiaomi Mail) | various |
K-9 Mail | |
FairEmail | |
Nine E-Mail+Calendar (not free of charge) | 9folders Inc. |
If you want to use another alternative mail app, please find out beforehand about possible shortcomings in the app's data protection.
What should you do?
If you have synchronised your mailbox with one of the problematic email client applications, please update the email configuration immediately. Uninstall the problematic application from your device. Because your credentials have been disclosed to the provider, please also change your TU password (https://www.tu-braunschweig.de/en/it/passwort-aendern).
Then set up e-mail access again with your new access data using one of the authorised e-mail client applications (https://doku.rz.tu-bs.de/doku.php?id=e-mail_exchange).
Further links for those interested