In a recent question from a searchDomino member, I addressed the issue of system administration people being able to read users' email messages. I said that, to some extent, you just had to trust system admin people.
Member Douglas Butler responded with some helpful information about how his company handles this situation. Here is what he wrote:
I have worked for two different companies as the Domino Administrator. In both cases, we turned on mail encryption on the server (in NOTES.INI in R4 and in the server configuration document in R5). In addition, we add an entry for "[Notes Administrators]" to the ACL of the mail template (e.g., MAIL50.NTF) as a "Person Group" with "Manager" access, but (to prevent mistakes) no delete privileges.
The square brackets around the template ACL entry ensure that Notes Administrators will, by default, have manager access to all newly created mail files (existing mail files can easily be updated by mailing a button-based script to all users). When new users are created, either the user types in their password directly, or an administrative clerk enters a temporary one of her choosing. The clerk does not get access to the ID file, and the Administrator does not know the password. Finally, we tell all users that there is absolutely no reason to give out their Notes password.
So, now we have the following: Notes Administrators have full manager access to all user mail files, but (because of forced mail encryption) cannot read the mail; any activity we do perform is recorded in the logs under the name of the administrator actually performing the work, not under some ID that they also know the password to; maintenance is much easier, because we are always working under our own IDs.
(Thanks for helping, Doug!)
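The button-based update for existing mail files that Doug mentions could look like the following LotusScript, added here as an illustration (it is not Doug's or his company's script). It assumes the group is named "Notes Administrators", that the button is clicked in a message stored in the user's own mail file, and that the user has Manager access to that file.

```lotusscript
Sub Click(Source As Button)
	' Added example. The group name is an assumption taken from the template
	' entry "[Notes Administrators]"; the brackets are template-only syntax.
	Const ADMIN_GROUP = "Notes Administrators"

	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim acl As NotesACL
	Dim entry As NotesACLEntry

	On Error Goto failed

	' The button sits in a mailed message, so the current database
	' is the mail file of the user who clicked it.
	Set db = session.CurrentDatabase
	Set acl = db.ACL

	' Reuse an existing entry if present, otherwise create it.
	Set entry = acl.GetEntry(ADMIN_GROUP)
	If entry Is Nothing Then
		Set entry = acl.CreateACLEntry(ADMIN_GROUP, ACLLEVEL_MANAGER)
	Else
		entry.Level = ACLLEVEL_MANAGER
	End If

	' Match the template entry: Person Group, Manager, no delete privilege.
	entry.UserType = ACLTYPE_PERSON_GROUP
	entry.CanDeleteDocuments = False

	' ACL changes are not written to the database until Save is called.
	Call acl.Save

	Messagebox ADMIN_GROUP & " now has Manager access (no delete) to " & db.Title, 64, "Mail file ACL"
	Exit Sub

failed:
	' Typically raised when the user lacks Manager access to the mail file.
	Messagebox "ACL update failed: " & Error$ & " (" & Cstr(Err) & ")", 16, "Mail file ACL"
	Exit Sub
End Sub
```

Because the change runs under the user's ID, it succeeds only where the user can already edit the ACL; mail files where users have less than Manager access need the entry added by someone who does.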