Thanks Sven, I really appreciate your considerations, especially about the encryption of the SMTP traffic.
--
I will test Mandatory Access Control (MCS), like Se-linux(YES, I know that NSA wrote it) or Apparmor for instance, and customising SUDO: http://pubs.gpaterno.com//2009/protecting-confidential-files-selinux-2009.pdf
Sorry for not being specific from the beginning, but this research is for a government e-mail system, and we really need to ensure that even administrators cannot access the messages, encrypted or not.
On 1 February 2014 07:38, Sven Schwedas <sven.schwedas@xxxxxx> wrote:
Given that a physical root can bypass any and every ACL, encrypting
messages (upon receiving, e.g.) is the only remotely plausible way to
prevent access.
And even then the admin could sniff all SMTP traffic and copy messages
before encryption, so you'd need to monitor him anyway.
Why again does someone you trust so little have root access to anything
more sensitive than a calculator? ;-)
On 2014-01-31 17:47, Fabio S. Schmidt wrote:
> Hi Dan ! Thanks for the answer !
>
> I'm trying to prevent local access from a physical administrator. Even
> if looged as root should be impossible to read the messages on the Cyrus
> partitions. Other emails stores that I have dealt with also stores the
> messages in files.
>
> Blackman and Goetz, Thanks for the reply, but my problem is that not all
> messages will be encrypted at the source. AND EVEN if the message is
> encrypted we want to prevent the access from a physical administrator.
>
>
>
> ----Mit freundlichen Grüßen, / Best Regards,
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
>
--
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas@xxxxxx | +43 (0)680 301 7167
http://software.tao.at
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
My best regards, Fabio Soares Schmidt Linux Professional Institute - LPIC-3 Microsoft Certified Technology Specialist: Active Directory
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
