Date: Sat, 29 Apr 2000 21:16:02 -0400 (EDT)
From: Adam <bsdx@looksharp.net>
To: Mike Nowlin <mike@argos.org>
Cc: Dan Tso <dan@tsolab.org>, Fabio da Silva Cunha <fsc@mymail.com.br>, freebsd-security@FreeBSD.ORG
Subject: Re: e-mail auditing in sendmail 8.9.3/8.10.1
Message-ID: <Pine.BSF.4.21.0004292115000.22811-100000@turtle.looksharp.net>
In-Reply-To: <Pine.LNX.4.05.10004290213100.13604-100000@jason.argos.org>

I believe mailsnarf from http://www.monkey.org/~dugsong/dsniff/ will log
mails going over the wire; this should help you out. There is also a port
for it in the ports tree.

On Sat, 29 Apr 2000, Mike Nowlin wrote:

>
>
>> > I need to copy all mail processed (in / out) through my mail server
>> > (FreeBSD/Sendmail) to one user account (auditor@mydomain.com.br). Is it
>> > possible with sendmail 8.9.3/8.10.1?
>>
>> This is really a question for the sendmail forums and it comes up all
>> the time. At least when I researched it, the basic message was that
>> sendmail doesn't come with a canned solution for this (logging outgoing
>> mail) on purpose, primarily due to invasion of privacy issues felt by
>> the core developers/maintainers. However there are possibilities:
>> 1) obviously, use something other than sendmail. I believe qmail and
>> postfix provide this feature,
>> 2) there is a C source level hack to include this feature in sendmail
>> which has been posted to USENET,
>> 3) you can alter the sendmail.cf file to do it, either using something
>> like procmail, or sendmail itself. This method, while not the most
>> efficient, is the easiest.
>
>
>It also depends on what you're trying to catch. It's trivial for someone
>to bypass whatever you do to sendmail for outgoing messages - just open a
>connection directly to the receiving machine on port 25 and "emulate"
>sendmail - some mail readers can do this anyway, avoiding sendmail.
>Firewalling can help -- if I remember correctly, there's some
>sort of rule in ipfw or ipf that provides "only allow packets destined for
>port 25 of some other machine if they're originating on a program running
>as root" capability.... If you're just trying to catch someone doing a
>particular thing, and you have enough drive space available, tcpdump and
>ports/net/tcpshow can record everything on port 25 as sorta-text...
>
>--mike
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
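
The thread suggests recording port 25 traffic (mailsnarf, or tcpdump with tcpshow) to audit mail that bypasses sendmail. As an added example that is not part of the original messages and not code from dsniff, the following Python recovers envelope and body from the client side of one captured SMTP connection. It assumes the TCP stream is already reassembled and unencrypted; the function names and the sample session are constructed for illustration.

```python
# Added example (not mailsnarf's code): rebuild messages from the client side
# of one captured SMTP connection, i.e. the reassembled client->server bytes.

def _path(line: bytes) -> str:
    """Pull the address out of 'MAIL FROM:<a@b> SIZE=1' or 'RCPT TO: <a@b>'."""
    arg = line.split(b":", 1)[1].strip()
    if arg.startswith(b"<") and b">" in arg:
        arg = arg[1:arg.index(b">")]
    else:
        arg = arg.split(b" ")[0]
    return arg.decode("ascii", "replace")

def extract_messages(client_stream: bytes):
    """Return one {'mail_from', 'rcpt_to', 'data'} dict per completed message."""
    messages = []
    sender, rcpts, body = None, [], None      # body is a list while inside DATA
    for raw in client_stream.split(b"\r\n"):
        if body is not None:                  # DATA phase: nothing is a command
            if raw == b".":                   # a lone dot ends the message
                messages.append({"mail_from": sender, "rcpt_to": rcpts,
                                 "data": b"\r\n".join(body)})
                sender, rcpts, body = None, [], None
            else:                             # undo dot-stuffing (RFC 5321 4.5.2)
                body.append(raw[1:] if raw.startswith(b".") else raw)
            continue
        verb = raw.upper()
        if verb.startswith(b"MAIL FROM:"):
            sender, rcpts = _path(raw), []
        elif verb.startswith(b"RCPT TO:"):
            rcpts.append(_path(raw))
        elif verb == b"DATA" and sender is not None and rcpts:
            body = []
        elif verb.split(b" ")[0] in (b"RSET", b"HELO", b"EHLO"):
            sender, rcpts = None, []          # transaction reset, nothing sent
    return messages

# Constructed sample: one abandoned transaction, then one delivered message.
SAMPLE = (b"EHLO client.example\r\nMAIL FROM:<alice@example.org> SIZE=120\r\n"
          b"RCPT TO:<bob@example.net>\r\nRSET\r\n"
          b"MAIL FROM:<alice@example.org>\r\n"
          b"RCPT TO:<carol@example.net>\r\nRCPT TO: <dave@example.net>\r\n"
          b"DATA\r\nSubject: test\r\n\r\n..leading dot line\r\n"
          b"MAIL FROM:<not-a-command@example.org>\r\n.\r\nQUIT\r\n")

if __name__ == "__main__":
    for m in extract_messages(SAMPLE):
        print(m["mail_from"], "->", m["rcpt_to"], len(m["data"]), "bytes")
```

Because only the client side is parsed, a recipient the server rejected still appears in `rcpt_to`; correlate with the server's replies or the sendmail log when that distinction matters.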