Do you know any freeware software that I can install on our computers in order to silently log (to a folder, or forward to another email address) all received / sent email from that computer? The idea is to store all email into a folder and then parse the data to an archive.
I want to monitor POP3 and SMTP (since webmail is prohibited).
Best regards, Mike.
Update:
- I want to install it on the clients (Windows XP Professional)
If the machines are all on one network, you're much better off doing it from a network tap. Why?
Etc.
Using tcpdump to capture port 25/110/etc and then doing some post processing won't be hard at all.
This is a function of your MTA. Almost all MTAs have a BCC function that will either forward copies or send emails of every email that passes through the system in question. Combine this with additional filtering and you have a basic audit system. The only time this doesn't work is when email is sent via direct connection (firewall NAT, proxy, etc.) to someone else's mail server.
Even if there isn't an MTA to be controlled, you can also find email clients that will send a BCC to another address as part of their function. And there are usually local cached copies of email folders that can be retrieved and examined on the employee's computer.
Before you head out to do this, you will want to check the legality of this in your country and jurisdiction, as in some locations this is patently illegal and can result in rather nasty charges against you. Even in the USA, where data networks are pretty much the property of the employer and are controlled fiercely by them, there are still some states that require disclosure to employees that their activities can and will be monitored. Failing to disclose this usually doesn't result in criminal charges but can land you in a whopper of a civil suit for big $$$. Even though the data network belongs to the employer (and is treated as their property to be used as they like) there are cases where you can have invasion of the employee's privacy, and that's a path you don't want to go down without good reason. Consider this action carefully before you proceed.
If you end up in jail or a civil suit, well, you were warned. I'm not responsible for the results.
It sounds like you're trying to either (a) overengineer this, (b) get by on "the cheap", or (c) do something nasty to people who don't realize their traffic is being logged.
I seriously doubt that you're going to find an off-the-shelf solution for what you're looking for. Any commercial offering is going to be targeted at deployment at network choke-points, not at the edges of the network as you're describing. (You're looking, basically, for a distributed "Carnivore" email tap system.)
At a choke point, something like the "smtp-gated" proxy (see http://smtp-proxy.klolik.org/) could be used to log email messages (probably thru shimming its virus scanning interface). There's probably something suitably similar for POP3, but I'm not coming up with anything. If you don't want to do it transparently then that opens up a lot more possibilities.
You could contract with a coder to write some client-side SMTP and POP3 proxy shims to do what you're looking for. To do it transparently would involve some fairly low-level mucking about in the network driver stack. To do it visibly, you'd just point your outgoing SMTP and POP3 at "localhost" and configure the proxy software with the appropriate POP3 and SMTP servers to connect to when connections come in to localhost. The local proxies would implement a POP3 and SMTP state machine that allowed for the capture of messages traversing the proxy.
If this is all being done for a single domain you might consider just signing up for email archiving services from somebody like Google Postini (http://www.google.com/postini/) and routing all your incoming and outgoing mail thru them, where it will be archived.
Requirements
Sounds as if your target machines may be mobile, requiring the host based solution?
Archiving Email
Any mail server should be able to solve your archiving requirements (i.e. at least allow direction of a carbon copy of email to some other internal mailbox.) For a Windows LAN there's plenty of Freeish Mail Servers and something like hMailserver might be able to serve your needs. Bill Weiss has pointed out Postfix.
For a smallish network of 3 ~ 5 users (where you may not have control of your mail server) using a hosted service such as Gmail / Google Apps for business will give you your archiving requirements, with the flexibility that people can be connecting from anywhere. But it does come with a cost. Postini has a minimum of 100 users.
On Workstations
As pointed out by Avery Pain this is normally a 'feature' of your mail client (MTA.) For freeish clients, such as Mozilla Thunderbird this can be done with something like:
But you know that users can change this. You could have a 'service' that checks the above settings and reverts to the appropriate setting if changed?
Encrypted Mail Traffic
If any of your workers use their Windows XP Pro machines outside the office, you should require that their mail be encrypted between the mail client and mail server. If you don't host your own mail server on your premises, you should at minimum require mail traffic be encrypted. Hosted services such as Gmail do this by default (both pop and smtp.)
Encrypted Mail Traffic definitely makes the 'listen in/monitor' concept a lot more challenging. Just watching traffic/dumping it to a file and reading it later (such as tcpdump) will result in beautifully encrypted data in your archives.
Value Proposition
Depending on how much/how difficult it is to install a mail server on the premises (i.e. will it require a new machine, licenses etc.) it may be that the most cost-effective solution is to go for a hosted service, which can be something like USD$10.00/month (Google) or USD$20 ~ $50 a year (pobox.com) per account. That's an annual cost as low as USD$200.00 a year to get all your archiving requirements!!
If you are providing the archiving service as part of a service/regulatory compliance then you may need to review the SLA with the hosting provider on privacy et al.
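The 'service that checks the settings and reverts them' idea from the section above, as an added example (not code from this answer or from Thunderbird): a script that reads a Thunderbird prefs.js, checks every mail identity for the "send a BCC copy to" option, and rewrites any identity where the user has turned it off or pointed it elsewhere. The pref names mail.identity.idN.doBcc and mail.identity.idN.doBccList are the ones Thunderbird stores for that option in the versions I know; verify them against your installed version. The archive address and the sample prefs.js are constructed placeholders.

```python
"""Re-assert the per-identity BCC-to-archive setting in a Thunderbird prefs.js.

Added example. Assumptions: the option is stored as
  user_pref("mail.identity.idN.doBcc", true);
  user_pref("mail.identity.idN.doBccList", "<address>");
and any pref under mail.identity.idN identifies an identity N.
"""
import re

ARCHIVE_ADDR = "archive@example.invalid"   # placeholder: your archive mailbox

# user_pref("mail.identity.id1.useremail", "mike@example.com");
IDENT_PREF_RE = re.compile(
    r'^user_pref\("(mail\.identity\.id\d+)\.(\w+)",\s*(.*)\);\s*$')


def enforce_bcc(prefs_text, archive_addr=ARCHIVE_ADDR):
    """Return (corrected_text, fixes). Untouched lines are copied verbatim;
    fixes lists what was changed or added so a log can show drift."""
    lines = prefs_text.splitlines()
    identities = set()
    seen = {}                       # (identity, key) -> (line index, value)
    for i, line in enumerate(lines):
        m = IDENT_PREF_RE.match(line)
        if not m:
            continue
        ident, key, val = m.groups()
        identities.add(ident)
        if key in ("doBcc", "doBccList"):
            seen[(ident, key)] = (i, val.strip())

    wanted = {"doBcc": "true", "doBccList": '"%s"' % archive_addr}
    fixes = []
    for ident in sorted(identities):
        for key, want in wanted.items():
            good = 'user_pref("%s.%s", %s);' % (ident, key, want)
            if (ident, key) not in seen:
                lines.append(good)              # option never set: add it
                fixes.append("%s.%s missing, added" % (ident, key))
            else:
                idx, val = seen[(ident, key)]
                if val != want:                 # user changed it: revert
                    fixes.append("%s.%s was %s, reverted" % (ident, key, val))
                    lines[idx] = good
    return "\n".join(lines) + "\n", fixes


# Constructed sample: id1 has BCC switched off, id2 points it at a private
# address, id3 has never been configured.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("mail.identity.id1.fullName", "Mike");
user_pref("mail.identity.id1.useremail", "mike@example.com");
user_pref("mail.identity.id1.doBcc", false);
user_pref("mail.identity.id1.doBccList", "archive@example.invalid");
user_pref("mail.identity.id2.useremail", "mike-private@example.com");
user_pref("mail.identity.id2.doBcc", true);
user_pref("mail.identity.id2.doBccList", "mike-home@example.org");
user_pref("mail.identity.id3.useremail", "sales@example.com");
"""


if __name__ == "__main__":
    fixed, fixes = enforce_bcc(SAMPLE_PREFS)
    for f in fixes:
        print("fix:", f)
    print(fixed)
```

Two practical points if you run this from a scheduled task: Thunderbird rewrites prefs.js when it exits, so the check has to run while the client is closed (or be repeated), and a user.js file in the same profile directory is re-applied at every start-up, so writing the same two lines there is the more robust way to keep the setting pinned.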
If you use managed switches in your environment, you could use the port mirroring feature of your switch to capture all the traffic generated by that computer using a sniffer like Wireshark. You could limit the input capture to SMTP or POP3 and it would capture all the data transmitted over those ports.
If you are looking for something to install on the computer, look at products like Sonar which can do what you're looking for.
I would suggest that the simplest way by far is to set up a proxy for both protocols and configure it to save a copy of every message. I don't know of a suitable product but am sure there are a number available.
If you install an application on each workstation you'll simply be creating a lot more work for yourself, with questionable results.
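The "POP3 and SMTP state machine that allows for the capture of messages traversing the proxy" from the localhost-proxy answer, the "post processing" of a tcpdump capture from the network-tap answer, and the proxy suggested in this last answer all need the same core: something that follows the protocol and pulls each message out of the byte stream. This is an added example of that core, not code from any answer or product named on the page. The design is assumed: a relay hands every line it sees to feed_client()/feed_server() and the captured messages are kept in a list (a real archiver would write each one to a file); the same classes can be run over a TCP stream reassembled from a packet capture. Both session transcripts are constructed.

```python
"""Message-capture state machines for SMTP (sent mail) and POP3 (received mail).

Added example; assumed proxy design (see lead-in). Handles the parts that
a naive "grep the capture" approach gets wrong: multiple messages per
session, RSET, dot-stuffing, and POP3 multi-line replies that are not RETR.
"""
import email

CRLF = b"\r\n"


def undot(lines):
    """Reverse dot-stuffing (RFC 5321 4.5.2 / RFC 1939 3): a leading '.' was doubled."""
    return [ln[1:] if ln.startswith(b".") else ln for ln in lines]


def envelope_addr(arg):
    """b'FROM:<mike@example.com>' -> b'mike@example.com' (tolerates missing <>)."""
    if b"<" in arg:
        return arg.split(b"<", 1)[1].split(b">", 1)[0]
    return arg.split(b":", 1)[-1].strip()


class SmtpCapture:
    """Feed client->server lines. Records envelope (MAIL/RCPT) and DATA body.
    Simplification: assumes the server answered 354 to DATA; a proxy that also
    sees server replies should enter DATA mode only after that reply."""

    def __init__(self):
        self.messages = []
        self._reset()

    def _reset(self):
        self.sender, self.rcpts, self.body = None, [], None

    def feed_client(self, line):
        if self.body is not None:                 # inside DATA: all message text
            if line == b".":
                self.messages.append({"from": self.sender, "to": list(self.rcpts),
                                      "raw": CRLF.join(undot(self.body)) + CRLF})
                self._reset()
            else:
                self.body.append(line)
            return
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb == b"MAIL":
            self.sender = envelope_addr(arg)
        elif verb == b"RCPT":
            self.rcpts.append(envelope_addr(arg))
        elif verb == b"DATA":
            self.body = []
        elif verb in (b"RSET", b"QUIT"):          # envelope abandoned
            self._reset()


class Pop3Capture:
    """Feed both directions. A RETR reply is '+OK ...' then the message and a
    lone '.'; multi-line replies to LIST/UIDL/TOP are left alone."""

    def __init__(self):
        self.messages = []
        self._pending = None                      # verb of last client command
        self._body = None

    def feed_client(self, line):
        self._pending = line.split(b" ", 1)[0].upper()

    def feed_server(self, line):
        if self._body is not None:
            if line == b".":
                self.messages.append(CRLF.join(undot(self._body)) + CRLF)
                self._body = None
            else:
                self._body.append(line)
        elif self._pending == b"RETR" and line.startswith(b"+OK"):
            self._body = []


def summarize(raw):
    """Header summary for an archive index."""
    msg = email.message_from_bytes(raw)
    return {"from": msg["From"], "to": msg["To"], "subject": msg["Subject"]}


# Constructed transcripts (not captured from a real network).
SMTP_CLIENT_LINES = [
    b"EHLO workstation", b"MAIL FROM:<mike@example.com>",
    b"RCPT TO:<alice@example.net>", b"RCPT TO:<bob@example.net>", b"DATA",
    b"From: Mike <mike@example.com>", b"To: alice@example.net",
    b"Subject: Q3 figures", b"", b"..leading dot line", b"Figures attached.",
    b".", b"QUIT",
]
POP3_TRANSCRIPT = [                               # C = client->server, S = server->client
    ("S", b"+OK POP3 ready"), ("C", b"USER mike"), ("S", b"+OK"),
    ("C", b"PASS ********"), ("S", b"+OK logged in"),
    ("C", b"LIST"), ("S", b"+OK 1 messages"), ("S", b"1 120"), ("S", b"."),
    ("C", b"RETR 1"), ("S", b"+OK 120 octets"),
    ("S", b"From: alice@example.net"), ("S", b"Subject: Re: Q3 figures"),
    ("S", b""), ("S", b"Thanks."), ("S", b"."),
    ("C", b"QUIT"), ("S", b"+OK bye"),
]


def run_demo():
    """Replay both transcripts; returns (smtp_messages, pop3_messages)."""
    smtp, pop = SmtpCapture(), Pop3Capture()
    for ln in SMTP_CLIENT_LINES:
        smtp.feed_client(ln)
    for side, ln in POP3_TRANSCRIPT:
        (pop.feed_client if side == "C" else pop.feed_server)(ln)
    return smtp.messages, pop.messages


if __name__ == "__main__":
    sent, received = run_demo()
    for m in sent:
        print("SMTP", m["from"], "->", m["to"], summarize(m["raw"])["subject"])
    for raw in received:
        print("POP3", summarize(raw))
```

For the proxy variant, wrap each accepted localhost connection in a bidirectional socket relay and call feed_client() on every CRLF-terminated line going upstream and feed_server() on every line coming back; for the tcpdump variant, export each TCP stream (Wireshark's "Follow TCP Stream" does this) and replay it the same way. As the encrypted-traffic section above notes, neither variant sees anything useful once the client speaks TLS to the server, so the proxy approach only works where the client is deliberately pointed at the plaintext localhost listener.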