Disable to open or copy mails in the mail.box 
Use this IdeaSpace to post ideas about Domino Server.

: -38
: 0
: 38
: Domino Server / Security
: mail, disable, mail.box
: Marius Jaeger2466 17 Dec 2009
: / Email
Any domino administrator can open mails in the mail.box or can copy mails from the mail.box into an other database.
It is not necessary for any administrator to do this.
So disable open documents and copy documents in the mail.box.

1) Craig Wiseman24988 (17 Dec 2009)
From an admin perspective, this is so massively useful in troubleshooting that I can't click the Demote button hard enough.

That's what the ACL on the mail.box(es) is for.

Darn it, guess I need a new mouse. Apparently I CAN click the demote button hard enough.....
2) Peter Presnell28487 (17 Dec 2009)
Craig is right, the ACL should provide the necessary protection without inventing additional functionality.

I would also like to point out that a primary role of Administrators is to keep the mail flowing in an organization. At the end of the day you need to trust someone to do that job. Almost every administrator has rights to edit server documents and hence can give themselves Full Access Administrations rights even if they don't already have it. Most already do, which means they can read any mail file and generate any e-mail message they want even without the need to access the Mail.Box directly. I think its implicit that we must trust that Administrators are doing the right thing by your company. If you have sensitive mail you don't want someone else to be reading Encrypting the e-mail is perhaps the only way to ensure privacy.
3) Gregg Eldred8655 (17 Dec 2009)
I agree with Craig and Peter's argument. I've demoted this.
4) Marius Jaeger2466 (17 Dec 2009)
For troubleshooting you never must read the body and attachments of a mail in the mail.box.

Encrypting sensitive mails isn't the solution when you want that the routing is secure for any mails.
5) Craig Wiseman24988 (17 Dec 2009)
@4 There have been hundreds of times when I cut/copied email from one server's mail box to another's in order to assist in troubleshooting mail delivery issues.

The act of cutting/copying the email to the clipboard makes it possible to paste it anywhere, including a mail file for review. Encrypting the mail does stop this use.

Hire trust-worthy folks, and properly secure your environment from untrustworthy ones. Basic security.....
6) Rob Goudvis8695 (18 Dec 2009)
I agree with those who state that the ACL should handle this.

But I understand the thoughts behind this Idea. I have worked in an organization where there were over 40 people with full admin rights to the whole system. That is of course far more than required.
7) Marius Jaeger2466 (18 Dec 2009)
@5 I see, you need the possibility to copy mails form one mail.box into other an other mail.box

Would it be a solution when we encrypt the notes network trafik, that the mails in the mail.box are automatically encrypted by the router task.

When the router task store the mail into an other database it should decrypt the mail.
8) Craig Wiseman24988 (18 Dec 2009)
@7 - I understand the situation you've outlined, and it's hard to deal with it. It's essentially a "people problem" we're trying to solve with a technology solution.

The encryption idea is a start, but I can think of a number of situations where that might not work as we'd like.

Shining a bright light is a useful way to deal with this is. Perhaps via much more detailed logging of admin access to the mail.boxes. If every time you read/copied an email from the mail.box logged an entry like
"12/15/2009 03:43:32 AM Bob Evilman read/copied a message from mail1.box FROM Bill Boss, subject 'Employee Reviews'"
that might cut down on any inappropriate activity, without restricting valid admin uses.
9) Marius Jaeger2466 (21 Dec 2009)
I work in a cluster of different companys with hundreds of domino servers.
The servers are administrated from the companys itself on different locations.

Only what we want is a secure mail routing without mail encryption.

There are many reasons why we can't use mail encryption.
For example: We can't scanning encrypted attachment for viruses.


Welcome to IdeaJam

You can run IdeaJam™ in your company. It's easy to install, setup and customize. Your employees, partners and customers will immediately see results.

Use IdeaJam to:

  • Collect ideas from employees
  • Solicit feedback and suggestions from employees and customers
  • Run innovation contests and competitions
  • Validate concepts
  • Use the power of "crowd-sourcing" to rank ideas and allow the best ideas to rise to the top

IdeaJam™ works with:

  • IBM Connections
  • IBM Lotus Quickr
  • Blogs and Wikis
  • Websphere Portal
  • Microsoft Sharepoint
  • and other applications.

IdeaJam has an extensive set of widgets and API's that allow you to extend and integrate IdeaJam™ with other applications.

Learn more about IdeaJam >>

Use more customization features in ND9 NotesMail
Option to make integrated Sametime Client Notes Location aware?

IdeaJam developed by

Elguji Software Logo