mailspy mail logger

Andrew McGill, andrew at mcgill.org.za

10 February 2015

mailspy is a sendmail milter program (mail filter). For each mail that is filtered, the sender, recipient, subject line and attachment names are logged. Complete mail headers can be logged.

1. Introduction

mailspy is a sendmail milter program (mail filter). For each mail that is filtered, the sender, recipient, subject line and attachment names are logged.

Mail headers can be logged to a file.

mailspy can also pipe messages to a process. You can use procmail to archive selected message headers or bodies. If you can conceive of something else useful that you can do with a stream of message headers and bodies, you can do that too.

2. Installation

Check that you have MILTER support in your distribution of sendmail; otherwise, obtain a version of sendmail with milter support. You should see something like this:

foo:~ $ sendmail -d < /dev/null | grep -A5 "Compiled"
 Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
                MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
                NETUNIX NEWDB NIS PIPELINING SASL SCANF STARTTLS TCPWRAPPERS
                USERDB USE_LDAP_INIT

The main targets for the make file are:

make all

Compile C source to executable. Requires sendmail libmilter header files and libraries.

make install

Install files in /usr/local/bin. You can set the DESTDIR variable if you want to install files in a different root directory.

make start

Tries to mangle your /etc/mail/linux.mc (m4 source file) into /etc/sendmail.cf and start mailspy: it appends the mailspy filter rules to /etc/mail/linux.mc and runs it through m4 to produce /etc/sendmail.cf. It also installs the startup script and creates links in /etc/init.d and /etc/init.d/rc3.d.

make dist

Make distribution in tar.gz format. You'll need linuxdoc and friends.

If make start doesn't do it for you on your system, you might be using something other than SuSE Linux 7.2 / 7.3. Send me a patch that makes it work for your system, and I'll see what I can do. make install installs the binaries, but does not configure sendmail to use the filter, and does not create the links in /etc/init.d that make sure the program is started.
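The sendmail side of what make start does can be done by hand. The following is an added example, not part of mailspy's Makefile: it prints the INPUT_MAIL_FILTER line that registers the filter (using the default unix socket /var/run/mailspy/milter), appends it to an .mc file only if it is not already there, and rebuilds sendmail.cf. The F=T flag and the T= timeouts are choices made here, not settings taken from mailspy, and the cf.m4 path is an assumption that depends on your distribution and on whether your .mc file already include()s it.

```shell
#!/bin/sh
# Added example, not part of mailspy's Makefile: register mailspy with sendmail by hand,
# which is what "make start" does for the .mc file, but without appending the filter
# a second time on every run.

# Print the m4 lines for sendmail's INPUT_MAIL_FILTER macro.
#   $1: milter socket (default: the unix socket used by the mailspy startup file)
# F=T  : temp-fail (451) mail while mailspy is unreachable instead of delivering it
#        unlogged; drop ", F=T" if unlogged delivery is preferable to queued mail.
# T=E: : time sendmail allows between handing over the end of the message and the
#        filter's answer (sendmail's default is 5m); a -P command such as procmail
#        has to finish within this budget.
mailspy_mc_fragment() {
  sock=${1:-local:/var/run/mailspy/milter}
  printf 'dnl --- mailspy milter, added by mailspy_mc_fragment ---\n'
  printf "INPUT_MAIL_FILTER(\`mailspy', \`S=%s, F=T, T=S:30s;R:30s;E:10m')dnl\n" "$sock"
}

# Append the fragment to an m4 source file unless mailspy is already configured in it.
#   $1: the .mc file (e.g. /etc/mail/linux.mc)    $2: socket (optional, see above)
add_mailspy_to_mc() {
  mc=$1
  if grep -qF "INPUT_MAIL_FILTER(\`mailspy'" "$mc" 2>/dev/null; then
    return 0        # already there; a second copy would declare the filter twice in sendmail.cf
  fi
  mailspy_mc_fragment "$2" >> "$mc"
}

# Rebuild sendmail.cf from the .mc file. Whether cf.m4 must be given on the command line
# depends on whether the .mc file include()s it itself; the default path is an assumption.
#   $1: the .mc file   $2: output (default /etc/sendmail.cf)   $3: cf.m4 path, or "" to omit it
build_sendmail_cf() {
  mc=$1; out=${2:-/etc/sendmail.cf}; cfm4=${3-/usr/share/sendmail/cf/m4/cf.m4}
  m4 ${cfm4:+"$cfm4"} "$mc" > "$out.new" && mv "$out.new" "$out"
}

# usage, as root, after "make install":
#   add_mailspy_to_mc /etc/mail/linux.mc
#   build_sendmail_cf /etc/mail/linux.mc
#   start mailspy first, then restart sendmail (with F=T, sendmail answers 451 until mailspy is up)
```

Because sendmail only reads the filter list from sendmail.cf at startup, mailspy has to be running before sendmail is restarted, or every incoming message is temp-failed until it is.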

If you don't have sendmail libraries and header files installed, you are going to struggle just a little. You will have to install sendmail-devel (d4 series on SuSE 8.0) in order for this to work. If you are using sendmail-8.11 or so, you will need to uncomment -lsfio in the Makefile (sorry).

The program installs in /usr/local/bin by default (and you can't change this either). The default mailspy startup file listens on a unix socket /var/run/mailspy/milter and logs mail details to /var/log/mailspy. If you want to log mail headers, you have to specify a log file yourself.

The program appends to the end of the log files. To rotate the log files there is a program called cronspy.sh which should do the trick, and which should be runnable as a user `mailspy', although this has never really been established.
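Because the running milter keeps its log open and appends to it, a rotation script cannot simply rename the file: mailspy would keep writing to the renamed inode. The following is an added example (it is not mailspy's cronspy.sh) of a copy-and-truncate rotation that works for such a writer; it assumes mailspy opens the log in append mode, as the description above suggests (a writer that keeps its own file offset would instead leave a hole at the start of the truncated file).

```shell
#!/bin/sh
# Added example; this is not mailspy's cronspy.sh. Rotates a log that a running process
# holds open in append mode, which is how mailspy writes /var/log/mailspy: the current
# contents are copied to a dated file and the original is then truncated in place.
# A plain mv would not do: mailspy keeps writing to the renamed inode and never reopens
# the path. Lines logged between the cp and the truncate are lost, so schedule this
# for a quiet hour. Run it as the owner of the log (the user mailspy) or as root.
#   $1: log file     $2: dated copies to keep (default 7)
#   $3: suffix for this rotation (default: today as YYYYMMDD)
rotate_append_log() {
  log=$1; keep=${2:-7}; stamp=${3:-$(date +%Y%m%d)}
  [ -f "$log" ] || return 0                 # no log yet: nothing to do
  [ -s "$log" ] || return 0                 # empty: do not create an empty copy
  cp -p "$log" "$log.$stamp" || return 1    # -p keeps owner and mode for the mailspy user
  : > "$log"                                # truncate; the open descriptor stays valid
  # remove the oldest dated copies beyond $keep (YYYYMMDD names sort chronologically)
  n=$(ls "$log".[0-9]* 2>/dev/null | wc -l | tr -d ' ')
  if [ "$n" -gt "$keep" ]; then
    ls "$log".[0-9]* | sort | head -n "$((n - keep))" | while IFS= read -r old; do
      rm -f "$old"
    done
  fi
}

# usage, from the mailspy user's crontab, once a day:
#   rotate_append_log /var/log/mailspy 14
#   rotate_append_log /var/log/mailspy-headers 14
```

The dated copies contain sender, recipient and subject data for everyone whose mail passed through the server, so they deserve the same owner-only permissions as the live log; cp -p preserves those.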

3. Usage

The usage for mailspy is:

./mailspy -p socket [-f logfile] [-h headerlog] [-P pipe-msg-to-cmd]

The items are:

-p /var/run/mailspy/milter

The socket specifies how mailspy connects to the sendmail process it is spying on; you can specify a unix socket (a named pipe) or an IPv4 or IPv6 socket.

-f /var/log/mailspy

The log file records messages in terms of the envelope sender and recipient, and also the subject and attachment names. The particular log format is only understood by htmlspy.pl.

-h /var/log/mailspy-headers

If you want to log only headers of each message, then this is one way to do it.

-P procmail

All mail can be piped to a process. If mailspy is running as the user `mailspy', then the contents of ~mailspy/.procmailrc will determine what happens with each message. Using procmail rules you can archive messages, forward selected messages to arbitrary recipients, and do any amount of interesting things. Note: If the process fails to handle the message, the error is ignored.

If you use procmail delivery together with a global /etc/procmailrc, you may find that procmail does not deliver the mail quickly enough, and you get sporadic 451 message failures. This happens if you use the anomy sanitizer from procmail. The solution is not to do this.

4. Questions (without answers)

Coming soon to this paragraph (erm), answers to your questions --

5. Legal issues

Does your company, country, state, municipality or local mafia boss permit the logging of e-mail? Do you have to notify people that their e-mail is being logged? Does logging the e-mail imply a responsibility on you to read the log? It turns out I don't know.

No statement is made about the legal implications of using this program (except for this statement, which says there is nothing to say). If you need to know, consult a real live legal practitioner. I am not a lawyer. (And the chances are there is some really great page out there with all of this information for all countries...)

Another thing -- this program is licenced under the GNU General Public License.