Option for Enabling access to email archives
Idea shared by Gene Salvatore - 10/18/2014 at 2:28 PM
Proposed
An option to enable *access* to email archives for specific domains would be a great new feature.
 
The main problem we experience with email archiving for a domain is that any user specified as a domain admin has access to email for all users of the domain. This can present a security issue that can currently only be defined by a written policy a company may have.
 
i.e., the IT department or office manager that "manages" the SmarterMail account as the domain admin for a company can also read the CEO's email without their knowledge.
 
This poses a dilemma with clients we work with that want, or require, email archiving and typically ends up with our support team having to manage the domain for these clients. This places unnecessary extra support on our team and removes necessary day-to-day features/functionality a client needs to self-manage their service with us.
 
What I propose is either:
 
- making email archives *only* available, if enabled by the server admin, to the user that is defined as the primary domain administrator
 
- adding a new checkbox in user settings to allow a domain administrator to define other users that are allowed access to email archives.
 
The first option, I would assume, would be the easiest to implement. With this option I could foresee our team managing/controlling the primary administrator account. Then we could define add'l domain admins that have access to all the other functionality a domain level admin has.

2 Replies

0
This is a moot point. The Domain Admin can gain access to any account on the domain simply by resetting the password.

I highly suggest you make it simple for yourself and either provide Domain Admin access or charge to manage their account.

Plus, I would think that a company would rather have one of their own access the CEO's email, than have you be able to access their CEO's email.
0
Hi Richard,

Thanks for your comment, and yes, I understand that a domain admin can reset any other user's password. But doing that wouldn't be a transparent way for the domain admin to read another user's email. If domain admins had the ability to read users' passwords like system admins do, then I would say my request is a moot point, as a password could be changed then changed back.

With the functionality of the email archives search, any domain admin can read all the company's email without anyone else knowing.

I'm just relating real-world experience and an issue that we run into with the archive feature. I'd be highly surprised if we were the only ones that have ever run across this issue.

>>Plus, I would think that a company would rather have one of their own access the CEO's email, than have you be able to access their CEO's email.

This is not necessarily a fair/true statement. Whether a domain has archiving enabled or not, our team (as the service provider) always has access to read anyone's email on the server, as you know. As the service provider we hold ourselves to a higher standard and have written policies in place that define access to customers' email. In addition, we have NDAs in place with many of our customers that clearly define access to things like email, databases, etc.

Yes, in addition to being enforced by strategic user rights, this is also written policy on our end, that any of our clients could/should/may have in place as well, but the likelihood of our team inappropriately reading clients' email AND acting on emails they read is much smaller than a mail domain admin inappropriately reading emails about the company they directly work for.

The only workarounds for this right now are:

1. Do not grant access to any users in a domain, mail domain admin rights. This is not a great option as it removes domain level functionality for a user(s). The account owner/manager cannot manage aliases, new account creation/deletion, password changes, domain level trusted senders, view domain reports, etc.

2. Enable archiving of ALL domains on the server. Yes we do this already but we keep these archives for a short period of time - typically a few months, before rotating the oldest ones out. The problem with this is that we can't separate out the archives for domains that want archiving and every few months, the oldest archives are deleted. It's just not our strategy to keep years of email archives for all domains on the server, versus just keeping years of archives for domains that want or require it.
