Mails in plaintext stored

Hi,
a stupid question maybe.
All mails are stored in /var/lib/nethserver/vmail unencrypted and accessible to admins again.
I am not comfortable with this. I don’t want to have access to other people’s mails and be suspected as an admin.

  1. Is this a normal situation with all mail providers, on all mail servers?
  2. Is there a way to encrypt the vmail subdirectory?

Best regards, Marko

AFAIK, this setup is quite common.
However, mail storage can be encrypted (search dovecot mail crypt).

Given that every NethServer installation is targeted to a SME (i.e. it’s not built for an ISP), I think that the sys admin would need to be able to read emails, sometimes. And, in corporate usage, emails are a “property” of the company. The end user can use encryption on the client.

And I fear that the potential to lose all emails is too big; think about losing the encryption key.

5 Likes

However, this potentially gives the admin access to business secrets that are none of his business.
For compliance reasons, this should not be the case even in medium-sized companies. An admin cannot be exempted from the need-to-know principle.

I see it even more critical when such systems are left to external service providers in SME.

In addition, administrators should be protected from the unjustified suspicion that they have access to information that is none of their business. This is easiest to do when they have no opportunity to do so.

There should also never be a regular need for administrators to view other people’s mail if there is a separate mail archive for each user.

The exceptional viewing of other people’s mails in individual cases should only be possible after an orderly approval process and should be well documented, e.g. in the 4-eyes principle.

this setup is quite common.

I am honestly shocked.

1 Like

I believe you would try to resolve this via policy, auditing and access control. If for example you have a business segment or regulatory requirements to comply with wouldn’t you adjust your software selection and modifications appropriately. To me Nethserver may not fit the higher end target audience you are describing in this scenario.

Hello,
respectfully, I totally disagree.
Even if it’s just a privately used server, no admin has the God-given right to read anyone’s mail.
And just because it has always been that way is not a justification that it is so right.

I don’t want to leave any doubt: This is not something I blame on Nethserver and its creators, but apparently the standards in IT are so low that one can only wonder.
I don’t want to start a fight or get indignant here.

Besides: Policies, audits and other organizational precautions are only as good as everyone sticks to them.
Misuse is not really preventable, especially since root’s accesses to the vmail directory are not logged; at least that would be a small step towards compliance.

I find one hint interesting: Access Control.
Can access to directories be designed in such a way that access is only possible if two people have to enter their secure key in parallel in order to access a directory?
And could accesses at least be logged?

Best regards, Marko

1 Like

But it’s trivial to imagine situations where someone needs to view someone else’s mail. Here are just a few scenarios that come to mind:

  • An employee is suspected of misconduct
  • An employee leaves, perhaps unexpectedly
  • An employee is taken ill for an extended time

I’m sure, with a few moments’ thought, you can think of others. Employees should never be under the belief that an employer-provided email system (or really, information system of any kind) is private, absent some explicit guarantee (and even then, they’d be wise to not trust it). After all, it belongs to the employer, not to them.

So on the one hand, employees shouldn’t be under any belief that their company email is their own private system; and on the other hand, there are easily-imaginable situations in which others in the company have a legitimate need to know the contents of their emails. And in the latter cases, it’s by far simplest if it’s the system admin who has that access. That of course makes the system admin a sensitive position in the company–the company needs to account for that.

I’m surprised that you’re shocked, but I’m not sure how important either of our feelings are on this subject. Keep in mind that large-scale encryption is a relatively new thing–it hasn’t been that long ago that it would have been too computationally expensive to encrypt everything. We’re certainly past that today, but inertia is a powerful force.

NB: The same thing is true of Nextcloud by default, and pretty much of any other data stored on the server.

4 Likes

@danb35

Hi Dan

I do, as an old-school admin, fully agree.
Disaster recovery, Bookkeeper in car accident, and more are absolutely valid reasons…

But German law is a bit stiff…

As System Admin, you’re not allowed to even remove mail (that includes spam) from a user’s mailbox! Much less read it!

They overtook reality! :frowning:

True, European and American positions on privacy differ a lot (Like light years away…), but even with Facebook overdoing non-Privacy, Americans don’t quite see the light of privacy issues!

And Secure Systems are only possible Internally, as soon as anything leaves the mail system as SMTP / Internet Mail - anyone can read it. A lot already do, NSA, Russians, Chinese, what have you…

Large institutions often have heavy internal mail communication, a lot of it very confidential. There are systems which can handle this (No, Exchange is NOT one of them!), as long as the communication stays within the system. The system can be available on all continents…

One such System is GroupWise (ex Novell, now NetFocus), and probably the reason it’s still around. GroupWise has encrypted storage, even the eDirectory Admin can’t change anything to read the mail without the user knowing. The only way is to make mail leave the system as SMTP - and place a smarthost with hidden BCC function…
Groupwise has a lot of government clients, in several continents, for that very reason.

My 2 cents
Andy

2 Likes

Hi Dan,
I can understand the point of view, and often the easy and convenient way is to use the admin rights for this.
But for me, all these and other conceivable use cases fall under the heading: access in a regulated procedure, not just in passing by the administrator because he can (I exaggerate).

I can only think of one case where such accesses should be made unnoticed and without the knowledge of the person concerned: Investigations in case of suspicion of a crime.
And no employer does that just like that.

In our country, access by the employer is not permitted without further ado. And even with private mail servers, I would have considerable doubts about granting the administrator such rights as a matter of course. Should the husband be able to see the entire Whatsapp communication of his wife as a matter of course? Of course not. But why don’t we have any concerns when it comes to administrators?

I’m not really surprised that MS handles such issues sloppily, but MS would not be a benchmark for me either.

Wouldn’t it be a desirable USP for Nethserver to offer privacy and compliance on a different level?

Of course, I can easily suggest this, since I have no idea what consequences and what effort this would entail - sorry for that.

Sincerely, Marko

2 Likes

This sounds great in principle, but how would it be implemented–in particular, by open-source software? If you have data that you want someone to not read, there are two ways to go about it:

  • File permissions
  • Encryption

File permissions are irrelevant to root, who can read/write anything on the server. So it would have to be by way of encryption. That, first, means that each user has an encryption key that needs to be managed, stored safely, and kept off the server (else root would be able to decrypt and read the email). And if we agree that there are circumstances where someone else may need to read that email, that means there has to be an additional key (or key pair), that key must be used to encrypt all email, and that key also can’t be stored on the server. So who does have that key? Whoever it is, they’re going to have the same access you’re concerned about.

OK, can we use multiple keys, such that two people have to agree in order to decrypt something? I believe this is technically possible, but now we’re making things exponentially more complicated.

Respectfully, I think you’re looking at this backward. The proper question, IMO, is not whether we should grant the admin certain rights–the admin, for all intents and purposes, owns the machine. It is assumed that the admin has full access to anything on the machine–that’s the norm with any Unix-y OS. To limit that access is sometimes possible, but it always takes additional, deliberate work. The question should rather be the ways in which we should limit the admin, and how we can accomplish that.

I’m certainly not saying your position is without merit, but I expect it would be very involved to implement.
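As an added illustration of the “two people have to agree” option discussed above (example code written for this thread, not NethServer or Dovecot code): the mailbox key is split with Shamir secret sharing so the server holds only ciphertext and no single share holder can decrypt, and the key is only reassembled when enough holders (here 2 of 3: admin, manager, escrow) bring their shares together. The cipher is a standard-library demo construction (HMAC-SHA256 counter keystream with encrypt-then-MAC), not Dovecot’s mail-crypt format.

```python
# Added demo for this thread, not NethServer/Dovecot code: the server stores only
# ciphertext, and the mailbox key exists only when enough share holders cooperate.
import hashlib
import hmac
import secrets

P = 2**521 - 1  # Mersenne prime; field comfortably larger than a 256-bit key

def split_key(key: bytes, threshold: int, holders: int):
    """Shamir split: any `threshold` of the `holders` shares reconstruct the key."""
    coeffs = [int.from_bytes(key, "big")] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, holders + 1)]

def recover_key(shares) -> bytes:
    """Lagrange interpolation at x=0 over GF(P); too few shares yield garbage, not the key."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * xj % P, den * (xj - xi) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(66, "big")[-32:]  # the real key fits in the low 32 bytes

def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as keystream (demo construction, not Dovecot's format)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_mail(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = _xor_stream(enc_key, nonce, plaintext)
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def decrypt_mail(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong (e.g. single-share) key or tampering raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return _xor_stream(enc_key, nonce, body)
```

Note that the shares still have to live somewhere off the server, and the daemon needs the assembled key in memory while it runs, which is exactly the operational cost Dan describes.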

@danb35

Also a VERY important point:

The mailserver must at least have authenticated access to those encryption keys when starting.
Gathering 100 people just to enter their passkey is not always feasible, in these corona times?

Or do we just use solarwinds.123? :slight_smile:

My 2 cents
Andy

1 Like

This is what I feared, without really being able to judge the technical consequences. Therefore, I cannot make any suggestions as to how it could work. But every step in this direction would be useful and would increase the value of Nethserver.

Sincerely, Marko

Hi Capote, I tend to agree with you 100% on a philosophical level and in a perfect world this is how it would be. I tend to think of this in similar terms to medical professionals who are subject to HIPAA requirements.

3 Likes

But I have not yet heard a single argument that the world must remain as imperfect as it is.
And every improvement starts with the realization that the status quo is not the perfect state and is always connected with a change of the mind set.

Conversely, I have not yet heard a single argument that an admin should not have complete control over, and use of, whatever is on his server.

Point for your view: if an administrative account does not have full access to the system, it’s not useful for administering it (separate considerations for reading user data are necessary).
Point against your view: often the server is not the property of the sysadmin, but of the owner of the company or of the company itself. So sometimes being a sysadmin is mostly an… assignment.

As a concept I tend to agree with @capote: it’s not the admin’s concern what users have in their directories and mailboxes. He/she should not nosepick around user data, unless it’s requested (issues) or necessary (too much data). But this IMHO should be a way of conduct.

2 Likes

True–but even then, he’s been delegated the responsibility (and authority) to manage it, so it’s still “his server” in that sense. His authority is naturally limited by policy (e.g., no, just because you’re the admin, you can’t wipe it and install Windows Server), but it’s still his server to run.

I fully agree that the admin ordinarily has no business looking at user data, though that “ordinarily” covers a multitude of exceptions. Where I disagree (even disregarding the technical feasibility) is with the position that the admin shouldn’t have that ability, and should instead have to jump through regulatory hoops to do whatever he believes is necessary or appropriate with his server. I don’t believe that’s an improvement in any way, and rather than arguing in its favor, Marko is simply assuming that it’s desirable.

@danb35

Hi Dan

Don’t forget, that Marko does live in Germany, and is subject to German laws!
And some just are a bit beyond reality!

And the people passing that law are probably Outlook freaks, and the Exchange Server behind them doesn’t comply with their law, but they’re not the ones willing to change!

Just like the lawmakers (In Germany!) passing laws restricting the populace and distancing, and what have you, while they celebrate a wild party at taxpayers’ cost in Berlin (In the Government buildings!)

My 2 cents
Andy

2 Likes

Sounds like the politicians here. But I’m understanding Marko’s comments to be mainly on a philosophical level, rather than advocating for compliance with particular legislation, and my response is in that vein as well (though of course, the respective legal systems we’re used to may color our philosophical positions). Philosophically, my house, my rules. If you’re using someone else’s system, you play by their rules. If you expect privacy on that system absent an explicit guarantee, you’re a fool. Yes, I’m aware that GDPR tries to change that–it’s just one of the many reasons GDPR is an ill-considered piece of legislation.

Conversely, if you want (relatively) complete control over your own data, run your own server. Neth, of course, makes that pretty easy. If you just want mail, Mailcow or Postmaster may be more your speed. But most users give no thought to privacy at all, until it bites them.

1 Like

Hi Marko,

Around 2010, I was asked to implement Centrify Direct Control (if I remember the exact software) at the Justice Department for certification of PCI-DSS for credit card payment - $200 million/year…

This was to verify who accessed the server console, at what time, what he was doing, etc. (it was possible to view absolutely all the commands).

No need to restrict admin rights as it was possible to view all he did at the console. It was really a “Big Brother” for admins, impossible to hide something…

The only restriction was from M$ admins who didn’t want to implement this software, too afraid… You cannot imagine all they did to stop this implementation…

Michel-André

2 Likes

In Germany the company can advise the user to only have commercial conversations. If the company did that, they have the right to read his mail without asking the user if he is not available (for example on holiday or ill).
I fully agree with @danb35: an administrator is not allowed to look at every file or read every mail, but he has to look at a file or read a mail if something is needed for the business and the user is not available.

1 Like