Message capture

Message capture may be desired for purposes including: archiving, lawful interception, covert or administrative monitoring, or message replay (disaster recovery). The MTA has a number of facilities that can be used to "capture" messages, taking the message "outside" the normal message processing flow; this can be useful for tasks such as: monitoring (without a user's knowledge) the messages sent and received by the user such as for lawful interception purposes, or for making copies of messages passing through the MTA, possibly for archival purposes or to allow for possible future "message replay" as part of a disaster recovery strategy.

Note that the facilities discussed here are fundamentally different in spirit (as well as in details) from techniques such as automatically forwarding messages to an additional address---forwarding techniques that have the potential, as part of normal e-mail processing in cases of delivery problems for the "forwarded" message copy, to result in exposure of the fact of message "forwarding" or "copying" to end users, or which may, as part of normal e-mail processing in cases of group or alias expansion problems, prevent end users from being notified of certain sorts of recipient address problems even for the recipient(s) the end user did knowingly address. (That is, techniques such as adding LDAP attributes  with value    and    to user LDAP entries, or use of a    mapping table, or use of  " " Sieve actions,  or use of the   channel option to generate "clone" copies of messages to an additional destination,  are not discussed here.) Rather, the techniques discussed here are those that have as a fundamental aspect the goal of separate handling of the "captured" message copies, techniques where the fact/process of copying is invisible to the end users. Message capture is distinct from simple message forwarding.

The main techniques that the MTA provides for interception/covert/archival "capture" of messages are:



 * The         mapping table, used to copy message files from the MTA's disk queue area. This facility was originally designed for, and is especially well-suited for, making short-term copies of outbound messages for possible "message replay" (re-sending) in case of loss of messages on the destination host(s).

 * The LDAP "capture" user attribute, used to capture copies of all messages sent or received by the user (by generating encapsulated copies of the messages and directing them to a specified capturer address), discussed in Capture triggered via LDAP attributes. This facility was originally designed for, and is especially well-suited for, monitoring of individual users' message traffic (e.g., for legal purposes or administrative monitoring purposes). Or, by capturing such messages in Microsoft® Exchange "envelope journaling" format, the captured message copies may be convenient for archiving purposes; see the (new in MS 7.0u4)         MTA option, or (new in MS 8.0) use an LDAP tag      on the LDAP attributes named by the    MTA options      and (also new in MS 8.0).

 * (New in MS 8.0) The LDAP "capture" domain attribute (a domain-level analogue of the LDAP "capture" user attribute), used to capture copies of all messages sent or received by users in that domain, discussed in Capture triggered via LDAP attributes.

 * (New in MS 6.2) The CAPTURE named parameter for aliases and mailing lists defined in the MTA alias file operates similarly to the LDAP "capture" user attribute. For the syntax of the CAPTURE named parameter for simple aliases and for groups or mailing lists, see Alias file format and Alias file named parameters. Nowadays MTA alias file definitions are less commonly used than LDAP provisioning of users and lists---but the CAPTURE named parameter is provided as an alternative that may be convenient for sites that do make more use of the MTA alias file. In Unified Configuration, the    alias option is the equivalent of the alias file named parameter CAPTURE.

 * (New in MS 7.2-0.01) The JOURNAL named parameter for aliases and mailing lists defined in the MTA alias file operates similarly to the CAPTURE named parameter, but generates a Microsoft Exchange "envelope journaling" format message; this format may be especially useful for archiving purposes. In Unified Configuration, the     alias option is the equivalent.

 * The MTA's address access mapping tables (see Address access mapping table flags) can be configured to trigger message capture via the   flag; and new in MS 7.0.5, such captured messages can optionally be generated in Microsoft Exchange "envelope journaling" format, configured via the   flag. (Address access mapping table triggered capture is a less commonly used feature: although it allows for greater discrimination than a user LDAP "capture" attribute, since for instance a mapping entry might be configured to capture only messages from one specific sender to another specific recipient, it is less discriminating than use of a Sieve " " action. So unless configuration in an access mapping table is particularly convenient, more commonly some other technique such as Sieve " " would be employed.)

 * The Sieve " " action, used to capture copies of messages meeting any Sieve-specifiable criteria, and directing encapsulated copies of the messages to a specified capturer address, discussed in Capturing messages via Sieve scripts. Because of Sieve flexibility, this is especially well-suited for capturing only specific categories of messages: messages meeting some rather specific (and Sieve specifiable) criteria. (New in MS 6.3, messages captured via a Sieve filter may optionally be sent without MIME encapsulation, but with an override of the original envelope From address. This new option for capture may be of special interest for archiving purposes, when the simpler, unencapsulated message form may be more convenient. Or yet another option, new in MS 7.0 update 2, is that such capture messages may be generated in Microsoft Exchange's "envelope journaling" format: a multipart MIME message where the first part contains semi-structured envelope information and the second part contains the actual original message. "envelope journaling" format may be more convenient for archiving purposes.)

 * (New in MS 6.3) Integration with the AXS:One archive facility, used to generate message copies that will be archived by AXS:One, discussed in AXS:One archive integration. This is primarily suitable for compliance archiving.

Note that with any of the techniques discussed below, issues of use of "captured" message copies, and potentially issues of correlation (and elimination of "duplicate" copies of the "same" message captured at different stages of processing) may arise; it is the responsibility of sites to devise strategies appropriate for their goals.
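The two-part "envelope journaling" layout described in the list above (envelope information first, the original message second) and the duplicate-copy correlation just mentioned, shown together as an added example; this is not Messaging Server code. The `Sender:`/`Recipient:` field names, the `message/rfc822` second part, the function names and all addresses are assumptions constructed for illustration.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

def make_report(sender, recipients, msgid):
    """Constructed sample report; Sender:/Recipient: field names are assumed."""
    inner = EmailMessage()
    inner["From"] = sender
    inner["Message-ID"] = msgid
    inner.set_content("quarterly numbers attached\n")
    report = EmailMessage()
    fields = ["Sender: " + sender] + ["Recipient: " + r for r in recipients]
    report.set_content("\n".join(fields) + "\n")  # part 1: envelope information
    report.add_attachment(inner)                   # part 2: original message
    return report.as_bytes()

def parse_journal(raw):
    """Return (envelope dict, embedded original); ValueError if malformed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = list(msg.iter_parts()) if msg.is_multipart() else []
    if (len(parts) < 2 or parts[0].get_content_maintype() != "text"
            or parts[1].get_content_type() != "message/rfc822"):
        raise ValueError("not a two-part journal report")
    env = {"sender": None, "recipients": []}
    for line in parts[0].get_content().splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "sender":
            env["sender"] = value.strip()
        elif sep and key.strip().lower() == "recipient":
            env["recipients"].append(value.strip())
    return env, parts[1].get_content()

def correlate(raw_reports):
    """Collapse copies of one original (keyed by Message-ID, else content hash)."""
    merged = {}
    for raw in raw_reports:
        env, inner = parse_journal(raw)
        msgid = inner["Message-ID"]
        key = str(msgid).strip() if msgid else hashlib.sha256(inner.as_bytes()).hexdigest()
        entry = merged.setdefault(key, {"sender": env["sender"], "recipients": set(), "copies": 0})
        entry["recipients"].update(env["recipients"])
        entry["copies"] += 1
    return merged

if __name__ == "__main__":  # constructed: one message captured at two stages
    a = make_report("alice@example.com", ["team@example.com"], "<m1@example.com>")
    b = make_report("alice@example.com", ["bob@example.com"], "<m1@example.com>")
    print(correlate([a, b]))
```

Keying on the embedded message rather than on the report keeps one archive record per original while preserving every envelope recipient seen across the copies.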

Note also that any "capture" of users' messages may, indeed is likely to, have legal ramifications. Sites are cautioned to obtain legal advice before beginning any use of message capture techniques.

See also:
 * MESSAGE-SAVE-COPY mapping table
 * Capture triggered via LDAP attributes
 * Alias file named parameters
 * alias_capture Option
 * alias_journal Option
 * Capturing messages via Sieve scripts
 * Format of captured message copies
 * Archiving messages
 * ldap_delivery_option MTA Option
 * ldap_forwarding_address MTA Option
 * FORWARD mapping table
 * Sieve redirect action
 * clonehosts Option
 * The MTA