4

I've searched the serverfault and Google, but did not find anything related to my question yet.

So, I have a customer who wants to read all emails sent by his employees. I've configured a VPS with Dovecot and sendmail. He wants to control the quality of service by monitoring all the emails sent from our server.

What might the solution be?

P.S.: VPS is on Ubuntu. ISPmanager installed and Roundcube as the webmail agent.

Max Krizh
  • Artem, welcome to SF. I hope you'll forgive me for pointing out that local etiquette is that, once you're happy with an answer to your question, you accept it by clicking the "tick" outline next to it. This drives the SF reputation system for both you and the author of that answer. I wouldn't presume to suggest that this question has been fully-answered, yet, but you've asked one other question on SF, and that one has some pretty good answers, one of which you might wish to accept. My apologies if you already know all this. – MadHatter Jun 21 '13 at 09:00
  • I've been solving a somewhat similar task — to intercept all outgoing mail from a web service host. Yes indeed I may do this at the application level, but I have both Yii and Django sending mail, so the easiest place to configure it is the OS level. – spacediver Nov 10 '13 at 22:17

2 Answers

8

The short answer is "you can't".

The longer answer, from the sendmail FAQ, is

How can I automatically copy messages based on sender or recipient addresses?

It would require custom programming [...] Note that no such feature has been added to sendmail. When asked about this one of the sendmail developers said it was "because we still believe a bit in privacy."

Basically, the person who's asking you to do this is foolish to believe that it can be done. Sure, you could use a different MTA, maybe something written by people who don't care about privacy. But unless he proxies and screens all outbound HTTP and blocks all other outbound TCP including HTTPS, and all outbound UDP full-stop, he hasn't a hope of preventing a determined employee from emailing something, somehow.

Moreover, although we can't do legal advice here, you may find that computer privacy legislation in your jurisdiction forbids or tightly regulates email interception, and it is possible that you could find yourself liable for what you implement.

30,000-foot view: this is a social problem. Don't look for a technical solution. That never works.

MadHatter
  • Well, I am not a fan of reading other people's emails. This was just a technical requirement from the customer. – Max Krizh Jun 21 '13 at 09:16
  • 1
    I hear you, but part of our job as consultants (actually, quite a big part) is to know when we're being asked to implement something stupid, and to talk the customer out of it. – MadHatter Jun 21 '13 at 09:18
  • 1
    If it's a social problem, it's quite strange to see purposeful technical limitation introduced by sendmail devs. Why don't they sell unsharpened knives as well? – spacediver Nov 10 '13 at 22:15
  • It's not a limitation they've introduced, it's a capability they've chosen not to add. Sendmail also doesn't play tetris; that's also not a deliberate limitation. – MadHatter Nov 10 '13 at 22:19
  • Well, the Sendmail FAQ is kind enough to point out a filter plugin that could be written for that purpose. It will work out, I believe. =) – spacediver Nov 10 '13 at 22:25
  • 1
    In many countries it is a LAW that all financial-related electronic communications be archived and retained securely for set time periods. Now, while a company cannot block all messages, it can limit its exposure to damages by archiving all official channels of communication per regulations. If an employee figures out a way to bypass official channels then he is the target and the company is less open to prosecution and lawsuits. Sometimes it is very necessary to journal messages. Enron and Bernie Madoff showed this. Holier-than-thou programmers are not needed. Ones that implement requirements are. – Bill Rosmus Sep 17 '15 at 18:07
  • @BillR sure, everyone has an agenda - but other people's aren't yours, nor are we all bound by the same law. The programmers of sendmail are perfectly free not to add a feature, if it's not on their agenda. You don't have to use that MTA, if it is on yours. For myself, living in a country where the government seems very keen to journal, archive, and record everything, I'm rather glad there are still people who value privacy. You may not wish to use their software, but you have no place calling them *holier than thou* merely because they don't share your goals. – MadHatter Sep 17 '15 at 21:20
  • @MadHatter I don't have an agenda. Building software to enable consumer protection is a good thing. Laws to protect consumers are good too. But it seems you don't like that. Maybe you prefer that financial institutions openly collude to steal people's money. Holier-than-thou people like you seem to think everything is black and white. No, the world is not all 1s and 0s. Anything that makes it harder for banks and Wall Street to rip people off is good, and that includes archiving emails so no one can tell you they have a 100% guaranteed investment. So you don't like that, eh? Drops mic. – Bill Rosmus Sep 24 '15 at 23:34
  • @BillR I think we may have got slightly off-topic for a sysadmin website. Here's the full extent of my professional advice to you on this issue: if you don't like sendmail, don't use it as your MTA. – MadHatter Sep 25 '15 at 05:43
3

sendmail: How to copy outgoing messages using milter

Consider using an archiving milter:

https://www.milter.org/milters/archiving/alphabetical/1

In standard (non-setuid-root) installations, a milter can process/archive all messages passing through the sendmail server.

P.S. I do consider reading employees' emails by the employer WITHOUT PRIOR WRITTEN WARNING as unacceptable.

AnFi
  • I would do this with MIMEDefang – adamo Jun 24 '13 at 12:37
  • MIMEDefang may be an option worth considering for "all in one" solutions, e.g. archiving and anti-spam/anti-virus with in-SMTP-session rejects. – AnFi Jun 24 '13 at 13:45
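As an added illustration of the archiving-milter approach from this answer and the MIMEDefang suggestion in the comments (example code, not from the page, the sendmail project or MIMEDefang itself): a fragment of an `/etc/mail/mimedefang-filter` that journals outbound mail to a retention mailbox by adding it as an extra envelope recipient. The domain `example.com` and the mailbox `archive@example.com` are placeholders, and it assumes MIMEDefang is already hooked into sendmail via `INPUT_MAIL_FILTER`.

```perl
# Added example, not part of the original page or of MIMEDefang's own
# distribution. Fragment of /etc/mail/mimedefang-filter that journals every
# message whose envelope sender is a local user to an archive mailbox.

# Placeholders: replace with the real local domain and retention mailbox.
my $LocalDomain = 'example.com';
my $ArchiveAddr = 'archive@example.com';

# MIMEDefang keeps envelope addresses wrapped in angle brackets; strip them
# and lower-case for comparison.
sub bare_address {
    my ($addr) = @_;
    $addr =~ s/^<(.*)>$/$1/;
    return lc $addr;
}

sub filter_end {
    my ($entity) = @_;

    my $sender = bare_address($Sender);

    # Only journal mail whose envelope sender is one of our own users;
    # inbound mail from the outside world is left untouched.
    return unless $sender =~ /\@\Q$LocalDomain\E$/;

    # Avoid loops: if the archive mailbox is already a recipient, do nothing.
    return if grep { bare_address($_) eq $ArchiveAddr } @Recipients;

    # Add the archive mailbox as an additional envelope recipient (an
    # MTA-level BCC), so a verbatim copy is delivered there for retention.
    action_add_recipient($ArchiveAddr);
    md_syslog('info', "journaled outbound message from $sender to $ArchiveAddr");
}

# mimedefang-filter must end with a true value.
1;
```

This only sees mail that actually passes through this sendmail instance, which is exactly the limit MadHatter's answer points out; mail sent by any other route never reaches the milter.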