From owner-freebsd-security Sat Apr 29 18:17:24 2000
Delivered-To: freebsd-security@freebsd.org
Received: from turtle.looksharp.net (cc360882-a.strhg1.mi.home.com [24.2.221.22])
	by hub.freebsd.org (Postfix) with ESMTP id 964F937B559
	for ; Sat, 29 Apr 2000 18:17:20 -0700 (PDT)
	(envelope-from bsdx@looksharp.net)
Received: from localhost (bsdx@localhost)
	by turtle.looksharp.net (8.9.3/8.9.3) with ESMTP id VAA25530;
	Sat, 29 Apr 2000 21:16:02 -0400 (EDT)
	(envelope-from bsdx@looksharp.net)
Date: Sat, 29 Apr 2000 21:16:02 -0400 (EDT)
From: Adam
To: Mike Nowlin
Cc: Dan Tso , Fabio da Silva Cunha , freebsd-security@FreeBSD.ORG
Subject: Re: e-mail auditing in sendmail 8.9.3/8.10.1
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I believe mailsnarf from http://www.monkey.org/~dugsong/dsniff/ will log
mails going over the wire, this should help you out. There is also a port
for it in the ports tree.

On Sat, 29 Apr 2000, Mike Nowlin wrote:

>
>
>> > I need to copy all mail processed (in / out) through my mail server
>> > (FreeBSD/Sendmail) to one user account (auditor@mydomain.com.br) it's
>> > possible with sendmail 8.9.3/8.10.1 ?
>>
>> This is really a question for the sendmail forums and it comes up all
>> the time. At least when I researched it, the basic message was that
>> sendmail doesn't come with a canned solution for this (logging outgoing
>> mail) on purpose, primarily due to invasion of privacy issues felt by
>> the core developers/maintainers. However there are possibilities:
>> 1) obviously, use something other than sendmail. I believe qmail and
>> postfix provide this feature,
>> 2) there is a C source level hack to include this feature in sendmail
>> which has been posted to USENET,
>> 3) you can alter the sendmail.cf file to do it, either using something
>> like procmail, or sendmail itself. This method, while not the most
>> efficient, is the easiest.
>
>
>It also depends on what you're trying to catch. It's trivial for someone
>to bypass whatever you do to sendmail for outgoing messages - just open a
>connection directly to the receiving machine on port 25 and "emulate"
>sendmail - some mail readers can do this anyway, avoiding sendmail.
>Firewalling can help -- if I remember correctly, there's some
>sort of rule in ipfw or ipf that provides "only allow packets destined for
>port 25 of some other machine if they're originating on a program running
>as root" capability.... If you're just trying to catch someone doing a
>particular thing, and you have enough drive space available, tcpdump and
>ports/net/tcpshow can record everything on port 25 as sorta-text...
>
>--mike
>
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
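
The bypass Mike describes, a client connecting straight to port 25 on the receiving machine instead of going through sendmail, can be spotted in a tcpdump capture. The following is an added example, not part of the original thread: it scans text output in the format of a current `tcpdump -n` and counts new port-25 connections that neither come from nor go to the mail server. The server address and the sample capture lines are constructed assumptions.

```python
import re
from collections import Counter

# Assumption: the site's only sanctioned SMTP relay (documentation-range placeholder).
MAIL_SERVER = "192.0.2.25"

# Constructed sample of `tcpdump -n -tt 'tcp port 25'` text output.
SAMPLE = """\
957057362.100000 IP 192.0.2.25.1046 > 198.51.100.7.25: Flags [S], seq 1, win 16384, length 0
957057363.200000 IP 192.0.2.40.1530 > 203.0.113.9.25: Flags [S], seq 7, win 16384, length 0
957057363.250000 IP 203.0.113.9.25 > 192.0.2.40.1530: Flags [S.], seq 9, ack 8, win 16384, length 0
957057364.300000 IP 192.0.2.40.1531 > 203.0.113.9.25: Flags [S], seq 11, win 16384, length 0
957057365.000000 IP 192.0.2.41.2001 > 192.0.2.25.25: Flags [S], seq 5, win 16384, length 0
957057366.000000 IP 192.0.2.25.1047 > 198.51.100.7.25: Flags [P.], seq 2:40, ack 1, win 16384, length 38
"""

# timestamp, "IP", src addr.port, ">", dst addr.port, then the TCP flags field
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def direct_smtp_senders(capture, mail_server=MAIL_SERVER):
    """Count new port-25 connections that did not involve mail_server."""
    hits = Counter()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or m["dport"] != "25":
            continue                  # unparsable line, or a reply from port 25
        if m["flags"] != "S":
            continue                  # count only the opening SYN of each connection
        if mail_server in (m["src"], m["dst"]):
            continue                  # the relay itself, or a client submitting to it
        hits[(m["src"], m["dst"])] += 1
    return hits


if __name__ == "__main__":
    for (src, dst), count in direct_smtp_senders(SAMPLE).items():
        print(f"{src} opened {count} direct SMTP connection(s) to {dst}")
```

Hosts that show up here are the ones whose mail a sendmail-side copy would never see, which is also the traffic the firewall rule Mike recalls would block.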