This is the response I finally received. It took them a lot longer than
the 20 days to come up with it. And I forgot to post it here. Sorry.
Mr von Kaehne,
Following an exchange of emails with Will Moss, our NHSmail programme head,
on a number of technical issues concerning access to NHSmail by
non-Microsoft users, you have expressed dissatisfaction with the answers Mr
Moss provided. In an email of 16 January you asked that what you have
interpreted as a decision by NHS Connecting for Health to withhold
information be reconsidered. On Mr Moss' behalf, I am now replying to that
request, for reasons that I trust will be clear from the details of my
signature block below.
The FOI Act obliges public authorities to respond to requests for
information promptly, and in any case no later than 20 working days after
receiving your request. I very much regret, and aplogise for, the fact
that we have failed to meet that deadline on this occasion. Let me assure
you that the reasons for this are in no way due to lack of urgency in
attening to the matter on Mr Moss' part.
I set out below your original questions, and am now able to provide
1: Are you going to provide IMAP/POP3/SMTP/LDAP access to users outside of
the N3 network? If not, why not?
Yes. IMAP and POP access is available to NHSmail users over the internet
via the Whale / IAG (VPN) client (available for download at
2: If you provide such access, is such access inextricably tied to using
Internet Explorer on Microsoft Windows connecting via Whale Communications'
applet to a SSL based VPN?
No. NHSmail can be accessed via browsers other than Microsoft Internet
Explorer. The Whale / IAG VPN is currently being tested against
non-Windows based platforms
3: Or will there be the possibility to connect from non Microsoft Computers
to this SSL based VPN - even if no explicit support is provided beyond the
bare settings? If not, why not?
The Whale / IAG VPN is currently being tested against non-Windows based
platforms. If this testing shows that non-Windows platforms are able to use
the Whale / IAG VPN securely within the security design of the NHSmail
service users will be informed but any such use will not be supported
4: Are you aware that eGIF mandates standards based provision of services
like email, i.e. IMAP, POP3 and SMTP?
In your response of 16th January 2009 you pointed out that section 4 of
eGIF (version 6.2) states ‘e-mail products that provide advanced mail
access facilities shall conform to IMAP for remote mailbox access. For
completeness the full relevant reference is reproduced below:
(Document available at:
However, a key point to note is that section 2.3 of the interconnection
section of e-Government Interoperability Framework states:
“Within government, the norm will be to use the intrinsic security
provided by the Government Secure Intranet (GSI) to ensure email
confidentiality. Unless security requirements dictate otherwise,
outside the GSI and other secure government networks one of the
following shall be used: S/MIME or secure mail transport and secure
mail access standards protected using at least 128 bit TLS/SSL
(Document available at: http://www.govtalk.gov.uk/documents/eGIF%20v6_1.rtf
As you know the NHS does not use the GSI to connect NHS Organisations but
has its own private intranet by way of N3. As stated in Mr Moss’ previous
response POP, IMAP and SMTP access is fully available over the N3 network
with transport layer security. The intrinsic security provided by N3 with
transport security enables IMAP, POP and SMTP to be provided over N3 and to
meet the security requirements of the service.
Over the Internet the security requirements for POP, IMAP and SMTP access
cannot be satisfied without the use of the additional security products
supplied. The security requirements of the service are met via the
following access methods with no need for any additional security products:
- Browser based access with Internet Explorer, Mozilla Firefox and
- Outlook anywhere with Microsoft Outlook 2003 and 2007
- Entourage for Exchange Web Services (unsupported)
In your 16 January email you have asked :
Please provide me with all information relevant to the decision to
explicitly deny access to non Microsoft users to the email services beyond
the Web mail access, given that the eGIF document states that IMAP should
It should be clear from the above explanations that no such decision has
You further asked : Please provide any and all technical information which
would allow non Microsoft users to gain legitimate access to NHSnet via
IMAP, POP3, SMTP and LDAP from outside of N3, even if you have decided to
not provide explicit technical support to such a solution.
Relevant information is contained at pages 80 ff in the document, NHSmail :
Email Configuration Guide version 1.4, viewable at :
In my view all the questions you have raised to date in your emails to Mr
Moss have now been answered in full.
If you are unhappy with the way we have handled your request, you may ask
for an internal review. If you wish to complain, you should contact
The FOI Unit
80 London Road
Email: [log in to unmask]
If you are not content with the outcome of the internal review, you have
the right to apply directly to the Information Commissioner for a decision.
The Information Commissioner can be contacted at:
Information Commissioner’s Office
If you have any queries about this letter, please contact me.
This message may contain confidential and privileged information.
If you are not the intended recipient you should not disclose, copy
or distribute information in this e-mail or take any action in reliance
on its contents. To do so is strictly prohibited and may be unlawful.
Please inform the sender that this message has gone astray before
deleting it. Thank you.
2008 marks the 60th anniversary of the NHS. It's an opportunity to pay
tribute to the NHS staff and volunteers who help shape the service, and
celebrate their achievements.
If you work for the NHS and would like an NHSmail email account, go