2
Admin controls on forwarding
Idea shared by Douglas Foster - 7/29/2024 at 1:46 PM
Proposed
Many systems allow any user to create a forwarding rule without any administrative oversight.   Lack of control can create multiple problems:
  • A data entry error may direct messages to a non-existent account.   The user will lose all of his messages until the problem is corrected.   If rejected message status is relayed back to the originator, the user may be permanently unsubscribed from information feeds that he values.
  • A data entry error may direct messages to an incorrect account.   The user loses his messages and the unfortunate recipient is buried in unwanted messages.   His response to the unwanted message stream may lead to the server being blocked.
  • The forwarding destination may create regulatory violations, if the forwarded environment does not provide the privacy controls required by law or regulation applied to the domain owner organization.
  • The forwarding destination may violate company policies intended to protect against release of company-confidential information.
  • The forwarding destination may be a malicious act by an insider threat to release information to unauthorized entities.
To prevent these errors, forwarding should be subject to administrative controls.   Forwarding requests should require an email from the recipient account, confirming that the forward intent is acceptable.  This also allows organizational policy to be reviewed prior to the forward being approved and configured by a system administrator.

SmarterTools provides an all-or-nothing approach to this problem.   An installation can be configured to allow anyone to forward, or to prohibit everyone from forwarding.    It is possible, with difficulty, to configure the equivalent of a forward when forwarding is disabled, but the process is complicated:
To forward from user1@domain1 to user2@domain2:
  • Rename user1@domain1 to user1old@domain1
  • Create an alias user1@domain1 with user2@domain2 as the destination.
  • For email history, either configure the user with access to the user1old account, or migrate data from user1old@domain1 to user2@domain2.
It would be preferable to have additional options so that forwarding setup could be authorized to domain admins and system admins only, or to system admins only. 
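
The approval flow proposed in the post above (the destination account confirms, then an authorized admin approves), sketched as an added example that is not part of the original post and is not SmarterMail code. The class, the policy names and the token scheme are assumptions for illustration; the addresses are the constructed ones from the post.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy names: the two existing all-or-nothing settings plus
# the two admin-only tiers the post asks for.
WHO_MAY_APPROVE = {
    "anyone": {"user", "domain_admin", "system_admin"},
    "domain_and_system_admins": {"domain_admin", "system_admin"},
    "system_admins_only": {"system_admin"},
    "nobody": set(),
}

@dataclass
class ForwardRequest:
    source: str
    destination: str
    confirmed: bool = False            # set only by the destination's token
    approved_by: Optional[str] = None  # set only by an authorized admin

class ForwardingGate:
    def __init__(self, policy: str, key: Optional[bytes] = None):
        self.allowed_roles = WHO_MAY_APPROVE[policy]
        self._key = key or secrets.token_bytes(32)

    def _token(self, req: ForwardRequest) -> str:
        # Bound to both addresses, so it cannot be replayed for another pair.
        msg = f"{req.source.lower()}\n{req.destination.lower()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def open_request(self, source: str, destination: str):
        req = ForwardRequest(source, destination)
        return req, self._token(req)   # token is mailed to the destination only

    def confirm(self, req: ForwardRequest, token: str) -> bool:
        # A mistyped or non-existent destination never returns the token.
        if hmac.compare_digest(token, self._token(req)):
            req.confirmed = True
        return req.confirmed

    def approve(self, req: ForwardRequest, admin: str, role: str) -> bool:
        if role not in self.allowed_roles:
            raise PermissionError(f"role {role!r} may not approve forwards")
        if not req.confirmed:
            raise ValueError("destination has not confirmed the forward")
        req.approved_by = admin        # the forward is configured only now
        return True
```
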

2 Replies

0
+1
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
