Preventing admin from reading certain mailboxes

[koi-bito]

We'd like to know if there's a way to prevent the Zimbra admin from reading certain mail accounts of senior management, as their mailboxes will contain certain confidential material.

Is there a way to do this? Many thanks in advance.

[Klug]

No.

Anyway the messages are written on the server's harddrive in a readable format...

[jholder]

You run into the "who polices the police" problem.

I'm sure you could file a bug enhancement request for this feature, but anyone with root access can see the eml files anyway.

You could set up a cron job to mail, rsync, or sftp the audit.log to someone. . .Allthough the log itself is still open to tampering.

[nxnw]

You could use an email client (thunderbird, outlook (I assume), apple mail) that supports s/mime encryption. I assume that this is not yet supported by the zimbra web interface.

Each person in the secure group would need certificates and public/private keys, which can be obtained from a certificate authority like Thawte.

You will find lots of instructions if you google s/mime thawte. Add apple to the search if you are using a mac.

[schemers]

There is an outstanding bug for fine-grained admin access control, which is slated for an upcoming release.

After it is implemented, you'll be able to say at a fine-grained level what access you want an admin to have. For example, you could grant one admin access to reset passwords on certain accounts, but not change anything else, and another admin access to create domains but not change server info, etc.

You'll also be able to grant "view mail" access to an admin on only certain mailboxes. Of course, if they have physical access to the machine and/or a root/zimbra login they will still be able to access the data.