[kwlug-disc] Email Archiving with Linux
Mark Steffen
rmarksteffen at gmail.com
Sun Mar 26 18:10:36 EDT 2017
So just to follow up with this thread. I did set up MailPiler using their
OVA, and imported into XenServer, added some extra storage and extended the
LVM volumes. Seems to be working fairly well. Being that I don't know the
code and my day job makes me fairly paranoid, I also disabled SSH from all
but a handful of IP addresses, firewalled everything but 443 25 22, put
allow rules to only allow SMTP connections from the Office 365 IP ranges
(this particular org uses O365, and to archive mail from there with
Mailpiler and other solutions, you enable a journaling address which causes
O365 to send a copy of all in/out mail to said address). I also tightened
up the SSL ciphers, added diffie hellman params and stuff (and checked it
with Qualys), disable nginx version display. And just to be extra paranoid
I forced the requirement for a client to possess a client certificate
signed by my private CA, which should virtually eliminate bruteforcing or
PHP exploits. Client still need to provide credentials in addition to the
cert.
I didn't try Enkive; Mailpiler seems to be more actively developed and
ticks all of the boxes. All in all, it was pretty easy to set up (except
that I changed a lot of the default passwords, broke stuff, and then had to
track down all the other places those passwords had to be changed), total
of about 2-3 hours work I think.
*Mark Steffen*
Office Direct: +1.226.476.1240 | Mobile/WhatsApp: +1.226.600.0464
*"Don't believe everything you read on the Internet." -Abraham Lincoln*
On Mon, Mar 20, 2017 at 9:36 AM, Mark Steffen <rmarksteffen at gmail.com>
wrote:
> Nice. There isn't a real legal/regulatory requirement for this other than
> CYA (contracts gone bad, "well the sales guy said..." so we can dig through
> the email) but also as a backup to O365 (I can't see Microsoft losing their
> emails, but.. you never know). The budget is very low, they don't want to
> use Proofpoint etc. -- if there WAS a budget that is what I'd recommend
> doing rather than hosting it in house where there is always the question of
> fiddling down the road.
>
> *Mark Steffen*
> Office Direct: +1.226.476.1240 <(226)%20476-1240> | Mobile/WhatsApp:
> +1.226.600.0464 <(226)%20600-0464>
> *"Don't believe everything you read on the Internet." -Abraham Lincoln*
>
>
>
> On Mon, Mar 20, 2017 at 2:09 AM, Bob Jonkman <bjonkman at sobac.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I've done this 1 1/2 times for a large organization, but with
>> commercial software (think RFPs, pre-sales engineers, committee
>> meetings).
>>
>> Don't forget about retention periods for different classifications of
>> messages. Something dealing with finance or personnel may have a life
>> of 7 years, and be *required* to be destroyed after that (for privacy
>> reasons); something trivial like "Let's do lunch" might be destroyed
>> after three years (so when legal discovery for corruption takes place
>> the organization can legitimately say their policies don't retain mail
>> that long -- yes, I've experienced that).
>>
>> - --Bob.
>>
>>
>> On 2017-03-19 06:19 PM, Mark Steffen wrote:
>> > I'm going to work on installing MailPiler first, it seems to be
>> > more actively developed. Will let everyone know how it goes.
>> > Mailpiler also can act as a "mail backup" where you can have it
>> > flood your mail server with old messages if for some unknown reason
>> > your mail server dies and you want to fill in the emails since your
>> > last backup, so that's kind of neat.
>> >
>> > *Mark Steffen* Office Direct: +1.226.476.1240 | Mobile/WhatsApp:
>> > +1.226.600.0464 *"Don't believe everything you read on the
>> > Internet." -Abraham Lincoln*
>> >
>> >
>> >
>> > On Sun, Mar 19, 2017 at 6:14 PM, B. S. <bs27975 at gmail.com> wrote:
>> >
>> >> Mark is thinking / talking about a different thing.
>> >>
>> >> I've seen this sort of thing particularly around Sarbanes-Oxley
>> >> ( https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act) -
>> >> it's not about email 'backups', but an archive of all email
>> >> segregated off into a black hole. Hopefully never to be needed,
>> >> but required to be there in case of later litigation. Think
>> >> WorldCom and Enron, and document shredding being illegal. Email
>> >> never dies any more - but may, hopefully, disappear forever when
>> >> you would like it to, for your own immediate purposes and
>> >> perception - but don't be fooled with out of sight and out of
>> >> mind, there's a copy of it somewhere. And someone, in this case
>> >> Mark, has to actually implement it.
>> >>
>> >> In essence, every message coming and going is echoed into this
>> >> black hole.
>> >>
>> >> Bear this in mind the next time you send a nastygram to a
>> >> corporation or lawyer. Especially if you're a director or a
>> >> decision maker or otherwise have a fiduciary duty.
>> >>
>> >> For that matter, everyone should bear this in mind with every
>> >> email they send.
>> >>
>> >> I've only ever seen this with Exchange Servers, myself, but I
>> >> can appreciate the need for a Linux solution. Especially as we
>> >> see companies come and go, particularly in the proprietary world.
>> >> At least with FOSS you have the source code. Not only can you
>> >> security check it, but you'll always be able to get it out - may
>> >> be painful, but at least possible.
>> >>
>> >> Please let us know how you make out Mark - I don't expect it will
>> >> be too long before such will be required of everyone. And even if
>> >> not for oneself, one's provider will be doing so.
>> >>
>> >>
>> >> On 03/19/2017 05:13 PM, Chamunks wrote:
>> >>
>> >>> I've also wanted to archive my email offline. My problem is I
>> >>> don't wish to lose convenience at the same time. Grumble.
>> >>>
>> >>>
>> >>> On Sun, Mar 19, 2017, 5:11 PM Mark Steffen
>> >>> <rmarksteffen at gmail.com <mailto:rmarksteffen at gmail.com>>
>> >>> wrote:
>> >>>
>> >>> Hi Cranky,
>> >>>
>> >>> Yes, I mean for a smallish organization's email; they want all
>> >>> of their org's incoming and outgoing email bcc'd into an
>> >>> archival system that is read-only and they can designate
>> >>> someone to have credentials to go through it if needed. Mainly
>> >>> for potential legal issues down the road (not that they expect
>> >>> any of course, just a CYA thing).
>> >>>
>> >>> *Mark Steffen* Office Direct: +1.226.476.1240 |
>> >>> Mobile/WhatsApp: +1.226.600.0464 /"Don't believe everything you
>> >>> read on the Internet." -Abraham Lincoln/
>> >>>
>> >>>
>> >>>
>> >>> On Sun, Mar 19, 2017 at 5:06 PM, CrankyOldBugger
>> >>> <crankyoldbugger at gmail.com <mailto:crankyoldbugger at gmail.com>>
>> >>> wrote:
>> >>>
>> >>> Maybe I'm not understanding your question correctly, but I
>> >>> "archive" my emails via Thunderbird/download to local HDD.
>> >>> It's just an add-on. Then I have a .eml file for each email.
>> >>>
>> >>> I imagine that you're thinking of something more from the
>> >>> server side of things, though...
>> >>>
>> >>>
>> >>>
>> >>> On Sun, 19 Mar 2017 at 15:28 Mark Steffen
>> >>> <rmarksteffen at gmail.com <mailto:rmarksteffen at gmail.com>>
>> >>> wrote:
>> >>>
>> >>> I have a friend with a need for email archiving and a limited
>> >>> budget. I prefer an open source solution, since "archiving" by
>> >>> it's very nature implies a very long term relationship. There
>> >>> seem to be no shortage of companies that like to jack prices up
>> >>> once they have you "stuck."
>> >>>
>> >>> The two leading solutions I've found with Google seem to be
>> >>> Enkive and Mailpiler. I'm leaning towards Mailpiler I think,
>> >>> but I thought I'd ask here in case anyone else has already
>> >>> solved this problem.
>> >>>
>> >>> *Mark Steffen* Office Direct: +1.226.476.1240
>> >>> <tel:(226)%20476-1240> | Mobile/WhatsApp: +1.226.600.0464
>> >>> <tel:(226)%20600-0464> /"Don't believe everything you read on
>> >>> the Internet." -Abraham Lincoln/
>> >>>
>> >>>
>> >>> _______________________________________________ kwlug-disc
>> >>> mailing list kwlug-disc at kwlug.org
>> >>> <mailto:kwlug-disc at kwlug.org>
>> >>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>> >>>
>> >>>
>> >>> _______________________________________________ kwlug-disc
>> >>> mailing list kwlug-disc at kwlug.org
>> >>> <mailto:kwlug-disc at kwlug.org>
>> >>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>> >>>
>> >>>
>> >>> _______________________________________________ kwlug-disc
>> >>> mailing list kwlug-disc at kwlug.org
>> >>> <mailto:kwlug-disc at kwlug.org>
>> >>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>> >>>
>> >>>
>> >>>
>> >>> _______________________________________________ kwlug-disc
>> >>> mailing list kwlug-disc at kwlug.org
>> >>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>> >>>
>> >>>
>> >> _______________________________________________ kwlug-disc
>> >> mailing list kwlug-disc at kwlug.org
>> >> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>> >>
>> >
>> >
>> >
>> > _______________________________________________ kwlug-disc mailing
>> > list kwlug-disc at kwlug.org
>> > http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>> >
>>
>> - --
>>
>>
>> - --
>> Bob Jonkman <bjonkman at sobac.com> Phone: +1-519-635-9413
>> SOBAC Microcomputer Services http://sobac.com/sobac/
>> Software --- Office & Business Automation --- Consulting
>> GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
>>
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2
>> Comment: Ensure confidentiality, authenticity, non-repudiability
>>
>> iEYEARECAAYFAljPcgUACgkQuRKJsNLM5eoQGQCg/dBUaIYwCuQrbDolEUdpiXGd
>> TuoAnj6KfH557ehy7387whxcwQE3mtch
>> =E5Cb
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> kwlug-disc mailing list
>> kwlug-disc at kwlug.org
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20170326/e972e3b5/attachment.htm>
More information about the kwlug-disc
mailing list