Topic: Archiving / copying outgoing mail

[Kelvin]

Hi All,

Has anyone managed to find a working solution on how to keep a copy of all outgoing mails (for archival/security purposes) ?

Incoming is trivial. There just does not seem to be a way to keep outgoing as well.

Kelvin

[Karl Ponsonby]

Why not create an account for mail storage and set all mail on users properties to send locally and forward to the 'mail storage address. Then you could archive mail on a regular basis.
Just thinking outloud....

Karl

[Kelvin]

Hi Karl,

As I posted earlier, storing incoming mail is trivial (which is what your suggestion does and I've already been using this for doing just that). This does not store outgoing mails.

The qmail FAQ says we have to modify a source file and recompile qmail to get this functionality - I want to avoid this as it means having to replace the standard qmail package and this might mean future automatic updates by blades or otherwise may no longer be possible. Besides, I don't know if this option has already been set and compiled into the standard qmail in SME (and if not why not as I would imagine this would provide a really useful additional function that is sorely lacking in the base SME - I've had a number of clients ask for this functionality already).

Kelvin

[chris meredith]

Qmail 1.03 has been around for a loooong time, so I wouldn't be overly worried about new patches coming out.  It shouldn't happen enough that you will have to recompile many times a year.

You might ask around the Qmail lists.  People seem pretty responsive over there.

It really seems liek you are going to have to patch qmail-queue or some other bin to do it.  You might look at how the Anti-Virus programs do it, since most of them catch the outgoing mail, check it, then send it on.

[Andy Parkinson]

I would use IMAP as all of the folders are stored on the mailserver it means that an archive of all sent mails are stored there. The disadvantage would be that users can delete their own sent mails if they want to. But if a backup was done on a regular basis then it should always be possible to retrieve sent emails unless they were deleted immediately after being sent.

[Kelvin]

Hi Andy,

Unfortunately, IMAP is not suitable as the purpose of archiving / copying the mails is for security and mail monitoring purposes. All the out going mails must be copied to another mailbox to be audited when required (with no user intervention required or allowed to perform the copying). This is currently being accomplished with MDaemon on a Windows Server but we have intention to retire both the server as well as MDaemon (old version) and replace them with a new SME server. The one big hurdle at the moment (as it is a requirement that must be met) is this problem about copying outgoing mails.

Kelvin

[Kelvin]

Can anyone shed light on how Qmail and Obtuse ties together in SME ?

Does Qmail handle outgoing deliveries or Obtuse ?

If Obtuse is incharge of delivering the outbound mail, what mechanism does it use to check for any mails waiting to be delivered ? What folder does outgoing mail sit in before being delivered ? Is there a way to intercept the mail and copy it before it get's sent out ? And so on......

I downloaded the qmail SRPM from the e-smith ftp server, made the change as suggested in the QMail faq and recompiled. Great. Now what ? Reading the UPGRADE file does not help a great deal as I have no idea on the internal workings of SME (such as step 6 if your boot scripts are using qmail-start instead of ..... and so on).

If it is not already painfully obvious, linux is still very new to me. I try to concentrate on using the product, not playing with the insides if I can help it unless I really have to. I still believe that this is an important 'feature' to have in the SME product and really do need a solution.

TIA !

Kelvin

[Tim]

One easy way to accomplish this would be to run mailsnarf as a separate service - I'm new to e-smith, but it's just a single program that needs to be started in the background.

You can get the source (and I think RPMs) by searching for "dsniff" on Google.

Tim

[Ed Form]

Tim wrote:
>
> One easy way to accomplish this would be to run mailsnarf as
> a separate service - I'm new to e-smith, but it's just a
> single program that needs to be started in the background.

The simplest way to do it is to set all the mail clients in the system to automatically CC to your admin user. This has the added advantage that you know that the message in question left the building and came back from your ISP.

Ed Form

[Rich Lafferty]

> The simplest way to do it is to set all the mail clients in
> the system to automatically CC to your admin user.

Boy, how simple is that? I can't imagine how you'd do that -- people will
be sending mail from whatever program they might have installed on their
Windows box or Mac or god-knows-what on the local network.

I don't have a solution handy, but were I to implement one I'd probably
put a wrapper around qmail-queue that does the right thing and then calls
qmail-queue itself -- that way, smtpfwdd and qmail-inject could just do their
usual thing.

Cheers,
  --Rich

[Kelvin]

Hi Everyone,

Thanks for your suggestions. I had though of doing what Rich was suggesting already (pretty obvious, if you think about it) but, as I've already stated earlier, without knowing the internal mechanics behind how it all ties together in SME, implementing it is another matter.

Tim's suggestion sounds good. I'm just wary of installing such a package on SME just in case it somehow could be used as a means of breaching security on the server (unless I could remove everything except mailsnarf).

Kelvin

[Tim]

No reason why you can't just use mailsnarf out of the package.  It only needs libpcap as far as I know, then just run it as "mailsnarf -i > file &".  You'll probably want to create an init.d startup/stop script for it and tell logrotate to kill it off and restart it periodically and rotate the output file.

The big advantage that I see with mailsnarf is that you will know it's logging everything going out or in, because it's actually watching the mail delivery sessions and parsing the packets.

Tim

[Kelvin]

Hi Tim,

I'm willing to try this. Can you e-mail me the mailsnarf executable by itself (one that works with SME 5.1.2 ? I tried compiling from source and failed. I also tried the rpm and it won't install due to problems with dependencies and I'm not keen to install anything more than I need at this stage.

Thanks.

Cheers,

Kelvin

[Kelvin]

OK. I've managed to install the packages I needed to install dsniff and extract only mailsnarf (which requires libpcap, libnet & libnids - unusual versions though as the packages meant for RedHat don't have the required ???.so.??? libraries but rpms for other distros do ) on a test machine.

Anyway, I copied the mailsnarf executable and installed it and the required rpms into the production PC to test. The capture part works fine. Here is what else I need it to do and need help with.

1. I want each captured mail to be mail to a specific user for auditing and archiving.
2. If sending each captured mail is not possible, I need to be able to send them in batches to a specified user for the same reason.

Preferrably, option (1) as it would make the auditing / tracking process a whole lot easier (especially when trying to track down a particular mail and details of it if management ever needs to confront an employee for breaching company policies and codes of conduct).

Help anyone ?

TIA.

Kelvin

[Patrick]

Kelvin,

Have you had any luck getting your email logging/archiving tool to function at a 'usable' level?  If so perhaps you could provide the rest of us with a 'How-To', since this seems to be an area which is weak on SME.

I work in the financial services arena where ALL communications to/from brokers and traders need to be logged/archived and then be able to be searched/audited in an easy fashion.  So far I haven't come up with or heard of a complete solution.  Perhaps you've found a solution - if so and you'd be willing to share your experience in more detail that would be great.

Regards,
Patrick