out bound mail.

[Galactic Zero]

I need to look for emails and attachments that were sent via SMTP. Would those be logged in the maillog? If so, what do I need to look for or is the maillog only capturing inbound mail?

Clients use outlook, yes we've already looked in the sent items etc and they are clean. Looking for a trail of misconduct.


Thanks.

[exi1ed0ne]

The maillog would capture outbound and inbound mail, but not in that level of detail. It would only show from and to, if email was rejected, etc. What you are looking for is an email archival solution that would deliver messages to X and also store the contents elsewhere. The defaults in the system definitely don't do that.

[Galactic Zero]

any recommened 3rd party open source solutions?

[exi1ed0ne]

I know you could do so with mailscanner (back from the days when I hosted off of OpenBSD), but I'm not sure if qmail-scanner has the capability. It should be fairly simple to code something up in perl and insert it in the smtp chain for qmail if you didn't want to get fancy. Worst case is you could put something in front of the email server to archive the messages.

[scott]

Yeah, qmail-scanner has an escrow capability. Its in the qmail-scanner.ini as "ARCHIVE". You can use a regex, or just a literal.

[Galactic Zero]

regex looks like it will work for me, after putting that in the qmail-scanner.ini where do I specify the pattern?

[scott]

Step 1) Change this line in /etc/qmail-scanner.ini to your regex:

ARCHIVE="no"

example:

ARCHIVE=".*atomic.*"

would get all traffic for "atomicrocketturtle.com" and "atomicorp.com".

Step 2) then run:

qmail-scanner-reconfigure

[Galactic Zero]

cool, thanks, and if I wanted to add additional filters seperate them by commor or semicolon?

[scott]

Like any other regex, you can use |, (), etc.