SV: Looking for a guide to collect all e-mail from the ISP mail server

Sebastian Nielsen sebastian at sebbe.eu
Tue Oct 27 18:03:54 EET 2020


> EU have very strict laws on the security of email and the requirement to
> keep it archived and to ensure the data cannot get out.

No.
GDPR is very organization-specific, meaning that a small organization or
non-profit with 5 employees doesn't need the same security as a 100-employee
multi-million dollar organization.

They were going to require small companies, and even private persons
processing data outside of the "personal space" limitation, to have the same
sort of physical and digital security as any multi-billion dollar
corporation, and to require those that cannot cash up for such security to
only use hosted cloud services and rented centrally-managed computers
without any IT department of their own.

Of course, they dropped that idea, because it was not fair to small
companies. They changed the ruling so the amount of security you need is
dependent on how many people are at risk if the emails leak, and what type of
content the email has (if it has sensitive data, requirements are higher).

But also, export of data to third-world countries is not permitted at all,
regardless of organization size, due to the data losing legal protection (if
someone outside EU leaks the data, you cannot hold someone responsible),
unless specific requirements are met.

This means a somewhat maintained mail server, physically located at a
company, is much better than using a hosted cloud service, as the cloud
services usually charge extra to keep the data inside the EU.

Same with the rulings on security bulletins - if you have a multi-billion
dollar company then you are expected to apply security fixes and patches,
even on a Saturday night. They are obliged by EU law to have alarms that
wake them up on any major security bulletin regarding any of the server
software.

For a small non-profit or family company it's OK to wait until business
hours with that - if that leads to the server being hacked, it's okay. You
did what you could. Nobody expects you to be available 24/7 to patch 0-days.

So it's totally dependent on what type of organization you run, and its size
- that governs how much security you need.


And no, you don't need a UPS or backed-up ISP connections, unless you run
something mission critical. Most mail servers will queue mail for several
days, so if your mail server disappears for 1-2 days, it doesn't matter.
The "availability" requirements of GDPR only apply to society-critical
services where it can actually cause harm to end-users if a service is down.

If it's just a small non-profit with 5 employees, GDPR is not gonna care
because the email server was down for a day or two.



