Legal Intercept

Purpose

Service Providers are increasingly under the legal obligation to capture any persistent state changes within a separate archive mailbox for legal intercept/discovery. For example, if a message is saved as a draft, and then deleted, this still needs to be recorded somehow in the archive mailbox as this mechanism could be used by multiple users to communicate (one writes a draft, the other reads and deletes) without necessarily having those communications ever make it into the archive mailbox.

• Legal Intercept - The ability to intercept user messages and send them to another mailbox.

• Once intercept is turned on, any time that the user sends a message, receives a message, or saves a draft, an intercept message is sent to the specified mailbox with the original message attached.

• This is different than forwarding, here a new message envelope is constructed to avoid the possibility of bounces returning to the original sender or monitored user.

(This feature is implemented in ZCS 5.0.3+)

Command Usage

To enable:

zmprov ma accountToWatch@domain.com zimbraInterceptAddress sendReportTo@domain.com

To check status:

zmprov ga accountToWatch@domain.com | grep zimbraInterceptAddress

To disable:

zmprov ma accountToWatch@domain.com zimbraInterceptAddress ''

or

zmprov ma accountToWatch@domain.com -zimbraInterceptAddress sendReportTo@domain.com

Intercept Values

zimbraInterceptAddress: intercept messages are sent to this address. When empty, lawful intercept is turned off.

zimbraInterceptSendHeadersOnly: when TRUE, only the headers are sent, not the message body.

For headers only mode (no message body) you would set:

zmprov ma accountToWatch@domain.com zimbraInterceptSendHeadersOnly TRUE

Message Composition Templates

zimbraInterceptFrom: Template used to construct the From: header of the intercept message.

zimbraInterceptSubject: Template used to construct the Subject: header of the intercept message.

zimbraInterceptBody: Template used to construct the body of the intercept message.

The default format of the body of the intercept message is currently:

Intercepted message for [user@domain.com]. 
Operation=[add message], folder=[Inbox], folder ID=[2].

Template Values

The following parameters can be passed to the from/subject/body templates:

ACCOUNT_DOMAIN - Domain of the account being intercepted.

ACCOUNT_ADDRESS - Address being intercepted.

MESSAGE_SUBJECT - Subject of the message being intercepted.

OPERATION - Operation that the user is performing ("add message", "send message", "save draft")

FOLDER_NAME - Name of the folder to which the message was saved.

FOLDER_ID - ID of the folder to which the message was saved.

NEWLINE - Used for formatting multi-line message bodies.

Notes

In 5.0.3 there's some additional manual configuration needed Bug 26471 - intercept throws NPE (solved in 5.0.5+)

(Workaround is to manually set all the 'zimbraIntercept' COS attributes else you will get an error in the Web-UI.)

For example,
zmprov mc default zimbraInterceptSendHeadersOnly FALSE
zmprov mc default zimbraInterceptFrom "Postmaster <postmaster@\${ACCOUNT_DOMAIN}>"
zmprov mc default zimbraInterceptSubject "Intercepted message for \${ACCOUNT_ADDRESS}: \${MESSAGE_SUBJECT}"
zmprov mc default zimbraInterceptBody "Intercepted message for \${ACCOUNT_ADDRESS}.\${NEWLINE}Operation=\${OPERATION}, folder=\${FOLDER_NAME}, folder ID=\${FOLDER_ID}."

Also the under construction: Bug 21761 - Legal intercept support: IM (real-time reporting vs periodic method of save in chats folder etc)

See also Zimbra Archiving & Discovery add-on which does envelope forking & included cross-mailbox search.