logging inbound/outbound email

[Jason D. Kelleher]

Ok, here's the problem:

The "Powers That BE" decided that the company could be held liable
if an employee emailed confidential information to the wrong people.
So, an our new email policy states that all email messages are company
records and employees have no expectation of privacy with regard to
email.

Now, I've been given the task of archiving all email entering, or
leaving, our domain. I doubt I'm the first guy to ever work for a
paranoid company, so would anyone who has already done this care to
point me in the right direction?

Right now I have two ideas:

1) Setup rule sets like check_mail and check_rcpt which somehow
blind carbon-copy an address if the sender or recipient is
not from our domain. This would be nice, but I don't think it's
possible.

2) Use two different sendmail daemons on the Internet mail
relay. The first would have a delivery agent which bcc's
all messages to an internal "dummy" account and then queue'd
the mail for a separate sendmail (w/ the "real" .cf) to
deliver.

We're running sendmail 8.8.7, but changing that is no big deal.

Any and all comments would be greatly appreciated.

--
Jason D. Kelleher Systems Administrator
kell...@susq.com Susquehanna Investment Group
kell...@eecis.udel.edu I work for 'em, don't speak for 'em.

[Nick Maclaren]

In article <5vov4o$e1m$1...@ren.eecis.udel.edu>, kell...@eecis.udel.edu (Jason D. Kelleher) writes:
|>
|> The "Powers That BE" decided that the company could be held liable
|> if an employee emailed confidential information to the wrong people.
|> So, an our new email policy states that all email messages are company
|> records and employees have no expectation of privacy with regard to
|> email.
|>

|> Right now I have two ideas:
|>
|> 1) Setup rule sets like check_mail and check_rcpt which somehow
|> blind carbon-copy an address if the sender or recipient is
|> not from our domain. This would be nice, but I don't think
|> it's possible.

Why not? I doubt that you can do it with sendmail, but you almost
certainly can using something like Exim. I run Exim allowing local
mail (unlogged), and returning all mail bound for outside with a rude
message and a copy to the administrator (me).

Similarly, I bounce all external mail hard. For reasons to do with
the RFC etc., the typical diagnostic is "unknown domain". Mailers
that ignore the 'permanent error' flag tend to go into a loop, but
that is their problem.

Now, I am NOT a mailer expert, so I got help from our local experts in
setting this up, but I am 99% sure that you could do what you want
very simply (once you have worked out how to do it, which may take a
bit of time!)

Nick Maclaren,
University of Cambridge Computer Laboratory,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.
Email: nm...@cam.ac.uk
Tel.: +44 1223 334761 Fax: +44 1223 334679

[Tim Cutts]

In article <5vp2l3$fvu$1...@lyra.csx.cam.ac.uk>,
Nick Maclaren <nm...@cus.cam.ac.uk> wrote:

>Why not? I doubt that you can do it with sendmail, but you almost
>certainly can using something like Exim. I run Exim allowing local
>mail (unlogged), and returning all mail bound for outside with a rude
>message and a copy to the administrator (me).

With exim it is pretty trivial. A global filter file of:

# Exim filter
unseen save /some/filename

which will save a copy of every mail message passing in or out to one
huge mailbox, /some/filename

With a teeny bit more effort you could change this to save only mail
originating in your organisation (which I assume is what you are
after)

Tim.

[Jason D. Kelleher]

I hate following up to my own posts, but considering some of the
email I've received I guess I didn't make a few things clear.

First, what I've been asked to do is not illegal under the
Electronic Communications Privacy Act. All employees have given
consent.

Second, I know there are a million (slight exaggeration) other ways
of passing confidential information (HTTP, FTP, NNTP, etc..), but I was
only asked to log all email. For now, that's the only issue.

Again, thanks for all comments.

--
Jason D. Kelleher Systems Administrator
kell...@susq.com Susquehanna Investment Group
kell...@eecis.udel.edu I work for 'em, don't speak for 'em.

In article <5vov4o$e1m$1...@ren.eecis.udel.edu>,

Jason D. Kelleher <kell...@eecis.udel.edu> wrote:
> Ok, here's the problem:
>

> The "Powers That BE" decided that the company could be held liable
>if an employee emailed confidential information to the wrong people.
>So, an our new email policy states that all email messages are company
>records and employees have no expectation of privacy with regard to
>email.
>

> Now, I've been given the task of archiving all email entering, or
>leaving, our domain. I doubt I'm the first guy to ever work for a
>paranoid company, so would anyone who has already done this care to
>point me in the right direction?
>

> Right now I have two ideas:
>
> 1) Setup rule sets like check_mail and check_rcpt which somehow
> blind carbon-copy an address if the sender or recipient is
> not from our domain. This would be nice, but I don't think it's
> possible.
>

[Scott Schwartz]

kell...@eecis.udel.edu (Jason D. Kelleher) writes:

> We're running sendmail 8.8.7, but changing that is no big deal.

Fetch qmail (http://www.qmail.org), read FAQ 8.2, compile, install
enjoy.

[Dave Sill]

kell...@eecis.udel.edu (Jason D. Kelleher) writes:

> Now, I've been given the task of archiving all email entering, or
> leaving, our domain.

If you absolutely, positively have to log all mail going out, you'll
have to set up a firewall and block outgoing SMTP connections from
machines behind the firewall to prevent messages from bypassing your
MTA's. There are still lots of open relays available, and it's a
simple matter to configure most mail agents to use one of them. If you
just want to go through the motions of logging all mail to satisfy the
suits, you can skip this step. :-)

> We're running sendmail 8.8.7, but changing that is no big deal.

Switch to qmail and you'll see greatly improved security and
performance, as well as simpler configuration.

--
Dave Sill <ds...@sws5.ctd.ornl.gov> <URL:http://web.infoave.net/~dsill>
Lockheed Martin Energy Research Oak Ridge National Lab Workstation Support
Take the qmail Challenge. See <URL:http://web.infoave.net/~dsill/qmail.html>

[Nick Maclaren]

In article <wx0afha...@sws5.CTD.ORNL.Gov>, Dave Sill <ds...@sws5.ctd.ornl.gov> writes:
|>
|> If you absolutely, positively have to log all mail going out, you'll
|> have to set up a firewall and block outgoing SMTP connections from
|> machines behind the firewall to prevent messages from bypassing your
|> MTA's. There are still lots of open relays available, and it's a
|> simple matter to configure most mail agents to use one of them. If you
|> just want to go through the motions of logging all mail to satisfy the
|> suits, you can skip this step. :-)

That is true, but it isn't quite that black and white. In English law,
an organisation is responsible for the acts of its employees while they
are following instructions or acting in good faith on behalf of the
organisation. If they have broken the rules too grossly, their actions
can be denied and the organisation cannot be sued for their misconduct.
It isn't as simple as that, but is along those lines.

So it is probably enough to log all mail and issue a fiat that it is a
sacking offence to use a private mailer (or SMTP directly), especially
as few vendors provide a way of restricting SMTP. But anyone found
breaking the rules HAS to be sacked for this approach to work.

[Roger Books]

Nick Maclaren (nm...@cus.cam.ac.uk) wrote:

: That is true, but it isn't quite that black and white. In English law,

: an organisation is responsible for the acts of its employees while they
: are following instructions or acting in good faith on behalf of the
: organisation. If they have broken the rules too grossly, their actions
: can be denied and the organisation cannot be sued for their misconduct.
: It isn't as simple as that, but is along those lines.

But that's English law, where they try to be reasonable about litigation.
The original poster is working under US law, where being 1% at fault
can cost you big bucks, and having someone working for you is almost
1% in and of itself.

It is rather ridiculous, and one of the biggest failings of the
US Government and dealing with business.

"Oh, the foot of my ladder melted a pile of cow manure, slipping with
me on it and making me fall, thus hurting myself. I think I'll sue
the ladder manufacturer."

Roger

The US, where being stupid costs other people big money, and the lawyers
make out.
----------------------------------------------------------------------
The reply-to: address in the headers is a valid address, if you want
to send me e-mail just hit reply and it should work fine. If your
newsreader is broken and can't deal with that then send your e-mail
to: 970805022...@mail.state.fl.us
----------------------------------------------------------------------

[Ian Stirling]

In comp.mail.sendmail Dave Sill <ds...@sws5.ctd.ornl.gov> wrote:

: kell...@eecis.udel.edu (Jason D. Kelleher) writes:

: > Now, I've been given the task of archiving all email entering, or
: > leaving, our domain.

: If you absolutely, positively have to log all mail going out, you'll

: have to set up a firewall and block outgoing SMTP connections from

And http to hotmail, etc.

--
Ian Stirling. Designing a linux PDA, see http://www.mauve.demon.co.uk/
-----******* If replying by email, check notices in header *******-------
What a wonderfull world it is that has girls in it! Robert A Heinlein.

[Jorge Miguel Guilherme - LEI]

Jason D. Kelleher (kell...@eecis.udel.edu) wrote:
: Now, I've been given the task of archiving all email entering, or

: leaving, our domain. I doubt I'm the first guy to ever work for a

: paranoid company, so would anyone who has already done this care to
: point me in the right direction?

Actually that setup can come handy in some networks.
In fact I might have to do that to. The ideia is to have two mail machines,
one used by the Outside and the other used by the Inside. And for redundancy
in case of some failure they bouth have the mailboxes. Of course that there
is some automated way to delete the old messages.
I know that very litle can be gained with that but doesn't hurt much.

--
Jorge Guilherme

[Bruce Gingery]

On 17 Sep 1997 17:05:39 GMT, in <5vp2l3$fvu$1...@lyra.csx.cam.ac.uk>,
Nick Maclaren <nm...@cus.cam.ac.uk> wrote:

> In article <5vov4o$e1m$1...@ren.eecis.udel.edu>,

kell...@eecis.udel.edu (Jason D. Kelleher) writes:

> |> The "Powers That BE" decided that the company could be held liable
> |> if an employee emailed confidential information to the wrong people.
> |> So, an our new email policy states that all email messages are company
> |> records and employees have no expectation of privacy with regard to
> |> email.

> Why not? I doubt that you can do it with sendmail, but you almost

> certainly can using something like Exim.

I'm following up with the "jist" of some E-Mail discussions, because
this is getting to be a FAQ!

Run sendmail in queue-only mode for all SMTP connections and do NOT
allow other local invocations of it. Periodically (e.g. under cron)
process from Queue-to-queue, inserting the required added delivery
address (as if it were a Bcc), as the control files are transferred
to the outbound queue. The related data file than can be just moved.
Perhaps run with -q365d and make sure it is restarted more than once
a year. I've not checked for "sane values" checks on the -q flag.

( DeliveryMode = q or d )

After all (or a given number) of messages are moved to the outbound
queue, launch a second sendmail for delivery ONLY of those messages
which have already been processed (run the 2nd queue). Expire it
when the queue is empty.

An alternative is to force queue-on-reception and use

confMIN_QUEUE_AGE

to allow processing of the message control file while it sits in the
queue. (Can someone confirm that no immediate delivery attempt is
made with a non-zero value here?)

This solution gives "normal care" for archiving a blind copy of all
E-Mail selected in the queue-to-queue transfer. It most expressly
does NOT prevent a deliberate attempt to bypass the provision! To do
that, this queue-to-queue transfer must be the ONLY possible means
of getting mail out - that means NO World Wide Web, NO other services
crossing the firewall! NOTHING that could allow a transmission to
the outside.

Still, it's a technological hack to solve a human-resources problem.

Bruce Gingery

[Nick Maclaren]

In article <5vu06b$i...@horn.wyoming.com>, Bruce Gingery <bginger...@pLeAsEgtcs.com> writes:
|>
|> I'm following up with the "jist" of some E-Mail discussions, because
|> this is getting to be a FAQ!
|>
|> Run sendmail in queue-only mode for all SMTP connections and do NOT

|> allow other local invocations of it. ...

There lies the rub. There are an awful lot of applications which
REQUIRE a fairly 'standard version of sendmail to be available for
local delivery. NQS, some print services, etc. That solution may
work for you, but won't work in general.

[James FitzGibbon]

> 1) Setup rule sets like check_mail and check_rcpt which somehow
> blind carbon-copy an address if the sender or recipient is
> not from our domain. This would be nice, but I don't think it's
> possible.

Probably not in check_mail, but in checkcompat() (not the ruleset, but the
function in conf.c), you could.

The flow would be something like this :

int
checkcompat( to, e )
register ADDRESS *to;
register ENVELOPE *e;
{
char value[MAXLINE];

if( ( wordinclass( to.q_host, 'w' ) == FALSE ) ||
( wordinclass( e->e_from.q_host, 'w' ) == FALSE ) ) {
(void)sprintf( value, "bigbr...@domain.com" );
(void)addheader( "Bcc", value, e->e_header );
}
}

I'm not a C programmer by trade, but I think the logic there is sound. Other
people on this list could probably clean it up a bit. This is all from
chapter of 20 of Sendmail 2nd edition.

--
j.

James FitzGibbon ja...@ican.net
System Integrator, ACC TelEnterprises Voice/Fax (416)207-7171/7123

[Greg Wilkins]

On 18 Sep 1997 14:14:36 GMT, nm...@cus.cam.ac.uk (Nick Maclaren) wrote:

> ...

>
>So it is probably enough to log all mail and issue a fiat that it is a
>sacking offence to use a private mailer (or SMTP directly), especially
>as few vendors provide a way of restricting SMTP. But anyone found
>breaking the rules HAS to be sacked for this approach to work.

What do you mean especially as few vendors provide ways to restrict
SMTP? It is easy, you put in a firewall, remove the SMTP
protocol/port, have your internal e-mail server be the only one
allowed in and out of that port - and you're done!

>
>
>Nick Maclaren,
>University of Cambridge Computer Laboratory,
>New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.
>Email: nm...@cam.ac.uk
>Tel.: +44 1223 334761 Fax: +44 1223 334679

Gregory J. Wilkins
Information Systems Manager
Wye Technologies, Inc.
700 S. Illinois Ave. Suite A-102
Oak Ridge, TN 37830
gr...@wye.com
http://www.wye.com

[Jason D. Kelleher]

In article <5vu521$gsb$2...@lyra.csx.cam.ac.uk>,

Nick Maclaren <nm...@cus.cam.ac.uk> wrote:
>In article <5vu06b$i...@horn.wyoming.com>, Bruce Gingery <bginger...@pLeAsEgtcs.com> writes:
>|>
>|> I'm following up with the "jist" of some E-Mail discussions, because
>|> this is getting to be a FAQ!
>|>
>|> Run sendmail in queue-only mode for all SMTP connections and do NOT
>|> allow other local invocations of it. ...
>
>There lies the rub. There are an awful lot of applications which
>REQUIRE a fairly 'standard version of sendmail to be available for
>local delivery. NQS, some print services, etc. That solution may
>work for you, but won't work in general.

Actually, since this will have to run on a restricted machine. (You
can send email w/ a telnet session...) We can make the assumption that
any local invocations of sendmail will be started for benign
purposes...

[Ian Stirling]

In comp.mail.sendmail Glynn Clements <gl...@sensei.co.uk> wrote:

: kell...@eecis.udel.edu (Jason D. Kelleher) writes:

: > Now, I've been given the task of archiving all email entering, or
: > leaving, our domain. I doubt I'm the first guy to ever work for a
: > paranoid company, so would anyone who has already done this care to
: > point me in the right direction?

: You'll need to block all outgoing digital communication with the
: outside world.

Or archive it.

: Any lesser approach can be circumvented.

Can be, but if you tell employees, that using any form of email access
other than the approved one is prohibited on pain of slow torture,
it could work.

--
Ian Stirling. Designing a linux PDA, see http://www.mauve.demon.co.uk/
-----******* If replying by email, check notices in header *******-------

Money is a powerful aphrodisiac, but flowers work almost as well.
Robert A Heinlein.

[Bennett Todd]

On Wed, 1 Oct 1997 17:58:26 +0100, Ian Stirling <000034328...@mauve.demon.co.uk> wrote:
>: Any lesser approach can be circumvented.
>
>Can be, but if you tell employees, that using any form of email access
>other than the approved one is prohibited on pain of slow torture,
>it could work.

Hereabouts, anyway, the heaviest penalty a company can practically hope to
levy, on a regular basis, is immediate termination for cause. In the most
eggregious violations they can try to take the employee to court, but odds are
against their recovering their costs in doing so.

And at least one well-documented series of incidents suggests that you can
threaten to fire people, and you can fire 'em, and the survivors will continue
to not pay any attention at all. Last time I tried, I found the traffic
describing the email monitoring, and the consequences, by hitting DejaNews,
asking for an power search of the old database, and looking for

~g comp.security.firewalls & ~s Salomon

-Bennett