From owner-freebsd-security Fri Apr 28 23:24: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from jason.argos.org (a1-3b058.neo.rr.com [24.93.181.58]) by hub.freebsd.org (Postfix) with ESMTP id 81DAE37BA7C for ; Fri, 28 Apr 2000 23:23:57 -0700 (PDT) (envelope-from mike@argos.org) Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id CAA13712; Sat, 29 Apr 2000 02:23:16 -0400 Date: Sat, 29 Apr 2000 02:23:15 -0400 (EDT) From: Mike Nowlin To: Dan Tso Cc: Fabio da Silva Cunha , freebsd-security@FreeBSD.ORG Subject: Re: e-mail auditing in sendmail 8.9.3/8.10.1 In-Reply-To: <390A7095.368ACB80@tsolab.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > I need to copy all mail processed (in / out) through my mail server > > (FreeBSD/Sendmail) to one user account (auditor@mydomain.com.br) it's > > possible with sendmail 8.9.3/8.10.1 ? > > This is really a question for the sendmail forums and it comes up all > the time. At least when I researched it, the basic message was that > sendmail doesn't come with a canned solution for this (logging outgoing > mail) on purpose, primarily due to invasion of privacy issues felt by > the core developers/maintainers. However there are possibilities: > 1) obviously, used something other than sendmail. I believe qmail and > postfix provide this feature, > 2) there is a C source level hack to include this feature in sendmail > which has been posted to USENET, > 3) you can alter the sendmail.cf file to do it, either using something > like procmail, or sendmail itself. This method, while not the most > efficient, is the easiest. It also depends on what you're trying to catch. It's trivial for someone to bypass whatever you do to sendmail for outgoing messages - just open a connection directly to the receiving machine on port 25 and "emulate" sendmail - some mail readers can do this anyway, avoiding sendmail. Firewalling can help -- if I remember correctly, there's some sort of rule in ipfw or ipf that provides "only allow packets destined for port 25 of some other machine if they're originating on a program running as root" capability.... If you're just trying to catch someone doing a particular thing, and you have enough drive space available, tcpdump and ports/net/tcpshow can record everything on port 25 as sorta-text... --mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message