/tool e-mail send start-tls seems insecurable, need advice.

I’d like to be able to email a config backup securely without using a vpn. I was hoping to use TLS but I’m not sure how it’s intended to be used.

It seems like there’s no way to have routeros require the email smtp server to use STARTTLS

/tool e-mail send from=some_sender to=some_receiver start-tls=yes server=some_server port=some_port user=some_user password=some_pass file=some_file

• setting ‘start-tls=no’ will not attempt STARTTLS
• setting ‘start-tls=tls-only’ will connect and immediately start talking tls with a client hello (ie. it won’t really use STARTTLS command, it’ll just start talking TLS straight away).
• setting ‘start-tls=yes’ will only attempt STARTTLS if the server advertises it in an extension, but will be happy to send a message unencrypted.

There’s seems to be no way to have the mikrotik as a client require an upgrade using STARTTLS.

Also, it seems like using any self-signed cert is fine is fine with STARTTLS - how are certificates meant to be checked with e-mail? unlike the /tool fetch there’s apparently no check-certificates option for email.

and if you encrypt the backup itself? and transmit it in the clear …

/system backup save password=

I was really hoping to check the config as text into my git, and maybe use it as a foundation for a restore script, maybe reuse parts across similar devices

also, this would mean I can’t effectively secure the server side ; because the client will send the credentials to anyone/anything it connects to, and they can later re-use the user/pass to impersonate the client

is there a way to encrypt an export file in some simple way; (or hash it and encrypt it effectively just sign it)?

I asked support. They confirmed there’s no way for the router to verify the TLS cert when sending email - maybe in the future.

Can anyone tell me if this fixed?