Protect privacy

ulfthomas
Posts: 14
Joined: 07 Nov 2017 07:59

Protect privacy

Post by ulfthomas »

Hi there.

I have a concern with the quarantine functionality of EFA:

On one side I love it because it enables the addition of "Report this as spam", but on the other it poses a privacy issue wherein I - as the local sysadmin - have the option to read all messages that come through my servers.

Is there any way to achieve stamping of all incoming email with the "Report as"-link whilst keeping the content of the actual messages unavailable to sysadmins?

I do know about the audit function but if requested to provide proof that no emails have been read I feel that this log will not hold up.

A solution - at least in my mind - would be to introduce a choice to store the email for just the second it takes to stamp it, then deliver it and leave no trace of it on EFA. But - I am not fluent in these setups so I might be missing a bigger point.

Any inputs are welcome.

Thomas
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Protect privacy

Post by shawniverson »

If I were attempting this, I would...

1) Create domain admins for your mail domain (not full admins).

2) Modify the code in detail.php starting on line 533 by removing most of the logic and restricting to admin only:

Change:

    if (
        (
            $item['dangerous'] === 'N' ||
            $_SESSION['user_type'] === 'A' ||
            (defined('DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS') && true === DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS && $_SESSION['user_type'] === 'D' && $item['dangerous'] === 'Y')
        ) && preg_match('!message/rfc822!', $item['type'])

To this:

    if (
        $_SESSION['user_type'] === 'A'
        && preg_match('!message/rfc822!', $item['type'])
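
The effect of the change above on which session types pass the check, as an added example that is not part of the original post or of the eFa code. The function names and the `$domainAdminFlag` parameter are hypothetical (the flag stands in for the `DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS` constant), and the user type `'U'` is assumed as a non-admin session type that does not appear in the quoted code.

```php
<?php
// Added example: models the two conditions quoted above as pure functions.
// Function names and $domainAdminFlag are hypothetical; in detail.php the
// flag is the DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS constant.

function canOpenBefore(string $userType, string $dangerous, string $mime, bool $domainAdminFlag): bool
{
    return (
        $dangerous === 'N' ||
        $userType === 'A' ||
        ($domainAdminFlag && $userType === 'D' && $dangerous === 'Y')
    ) && preg_match('!message/rfc822!', $mime) === 1;
}

function canOpenAfter(string $userType, string $mime): bool
{
    return $userType === 'A' && preg_match('!message/rfc822!', $mime) === 1;
}

// Constructed inputs: 'A' and 'D' appear in the quoted code; 'U' is an
// assumed third, non-admin session type.
$mime = 'message/rfc822';
printf("%-5s %-10s %-8s %-7s %s\n", 'type', 'dangerous', 'D-flag', 'before', 'after');
foreach (['A', 'D', 'U'] as $userType) {
    foreach (['N', 'Y'] as $dangerous) {
        foreach ([false, true] as $flag) {
            printf(
                "%-5s %-10s %-8s %-7s %s\n",
                $userType,
                $dangerous,
                $flag ? 'on' : 'off',
                canOpenBefore($userType, $dangerous, $mime, $flag) ? 'yes' : 'no',
                canOpenAfter($userType, $mime) ? 'yes' : 'no'
            );
        }
    }
}
```

In the "after" column only the `'A'` rows read yes: the modified condition removes the branch for every other session type, regardless of the dangerous flag, and leaves it open to full admins.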
                   
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Protect privacy

Post by shawniverson »

ulfthomas
Posts: 14
Joined: 07 Nov 2017 07:59

Re: Protect privacy

Post by ulfthomas »

shawniverson wrote: 16 Nov 2017 23:41 If I were attempting this, I would...

1) Create domain admins for your mail domain (not full admins).

2) Modify the code in detail.php starting on line 533 by removing most of the logic and restrict to admin only:

Good point indeed, thanks.

I would however like a possibility to block all admins - myself included - from reading any emails. There really is no need for us to be able to do this.
ulfthomas
Posts: 14
Joined: 07 Nov 2017 07:59

Re: Protect privacy

Post by ulfthomas »

Further elaborating on this topic: would it be possible to encrypt the content in any way?
budy
Posts: 74
Joined: 10 Sep 2017 07:33

Re: Protect privacy

Post by budy »

What are you trying to gain from that? E-Mail in itself isn't encrypted and sending confidential information via non-encrypted e-mail is a failure right from the start. I think the appropriate way to handle these issues is policies and audits. Don't try to turn eFa into something it isn't meant to be and deal with your security concerns in other appropriate ways. You can do so much wrong when ramping up the complexity of a setup.

In the end any admin can get to any information eventually, given enough determination, as long as these messages are not encrypted client-side by S/MIME or PGP.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Protect privacy

Post by pdwalker »

What budy says.

As long as the message is not end-to-end encrypted, you cannot stop someone in the middle from reading the message.

That said, you can minimize the exposure by:
- restricting access to your efa appliance to only those who need it
- never store messages on the efa box (which does limit spam training/retraining)
- disable message viewing functionality in EFA so admins cannot browse messages.
- restrict root access to the EFA box, while keeping in mind that anyone with root access will always have full access to all the messages - unless you no longer store them (and even then, a root user can still capture the messages)

You'll need to strike a balance between security, convenience and trust.

I'd suggest that if you are having problems with trust and your admins, you have more serious problems to deal with.
ulfthomas
Posts: 14
Joined: 07 Nov 2017 07:59

Re: Protect privacy

Post by ulfthomas »

budy wrote: 19 Nov 2017 14:18 What are you trying to gain from that? E-Mail in itself isn't encrypted and sending confidential information via non-encrypted e-mail is a failure right from the start. I think the appropriate way to handle these issues is policies and audits.

Budy, I fully agree with your statements.

budy wrote: 19 Nov 2017 14:18 Don't try to turn eFa into something it isn't meant to be and deal with your security concerns in other appropriate ways. You can do so much wrong when ramping up the complexity of a setup.

I do however think that discussing what a product can and cannot do is healthy and can lead to enhancing it if done properly.

budy wrote: 19 Nov 2017 14:18 In the end any admin can get to any information eventually, given enough determination, as long as these messages are not encrypted client-side by S/MIME or PGP.

True indeed.

pdwalker wrote: 20 Nov 2017 07:58
You'll need to strike a balance between security, convenience and trust.

I'd suggest that if you are having problems with trust and your admins, you have more serious problems to deal with.

Good point - and one that is often neglected or left out.

Thanks for replying guys and for pointing me down other avenues in terms of mitigating my security concerns. Highly appreciated.

//UlfThomas