How can I disable ZeXtras "View mail" button for everyone admin?

[Oleh]

According to the policy of our organization, a function such as a "View mail" should not be available to anyone, including global administrators.

I was able to turn off the "View mail" removing zimlet "com_zimbra_viewmail" from Zimbra. But after installing ZeXtras, "View mail" has been available again.
I know that this function was added in ZeXtras v.1.6.0, but I have not found a way to turn off the ZeXtras "View mail" button by CL or WEB.

If I don't turn off ZeXtras "View mail" button, unfortunately, we won't be able to use ZeXtras.

Please help solve the problem.


zextras_version 1.8.7
zextras_target 8.0.4
zextras_lib_version 1.0.0

[Cine]

Hello Oleh,
welcome to the forums!

There is no built-in way to disable ZeXtras Suite's "View Mail" button, I suggest you to open an "Enhancement" request on the ZeXtras Bugzilla to let the R&D and devs know that you are interested in this possibility.

Have a nice day,
Cine
the ZeXtras Team

[Oleh]

Hello Cine,
Thanks for the reply!

[Cine]

No problem Oleh!
I had a quick talk with the R&D team and they said they might consider to add a CLI "switch" for the View Mail feature.


Now, allow me a personal consideration, I'm a sysadmin that often likes to play the role of the devil's attorney

While I perfectly understand and agree that features like Zimbra's View Mail must be only available for a VERY restricted amount of people (e.g. ZeXtras Admin allows you to disable this feature for Delegated Admins), and that every single login must be logged and trackable, I can't see how completely disable such feature can be of any help.
I mean, you seriously hinder the ability of your IT department to provide support to the end users while not really improving the security on the server: any Global Administrator can install/enable the com_zimbra_viewmail zimlet, anyone with root access to the machine has - obviously - access to all data in the server, and any console user with enough privileges to run the zmmailbox command can enter any mailbox via the Zimbra CLI through the "-z" option.

Again, this is my persional opinion and it's not about the specific case, I'd just like to hear the opinion of other members of the community since the vast majority of us is either a Zimbra sysadmin or an IT professional.

Have a nice day,
Cine

[Oleh]

Hallo Cine,
unfortunately it was impossible to write back before.

Generally I agree with You that the disability of "View Mail" does not guarantee full protection of mail boxes, however:
- protects against spontaneous interest in Global Administrator;
- for the planned intrusion it will need much more action than right clicking of the mouse on the user account, especially if all the processes, and admins login/logout to Zimbra server, logged by an external monitoring system for suspicious activity (eg, the appearance of com_zimbra_viewmail in /opt/zimbra/zimlets-deployed/) immediately notifies some responsible persons through SMS, Jabber and Mail.

In general, I see no practical need for such a tool as a "View Mail", at least in our organization. If there is a need to gain access to nearly employee, I'll authorize the password reset of his account, in this case, the user will know that his mails is read. In my opinion, "View Mail" is useful for those who need access to mailboxes without the knowledge of their owners.

[starex]

Sorry for posting to an ancient thread but, there may be admins who still want to deny "View Mail" right for an account or domain. Apparently Zextras View Mail can't be disabled but if you deny adminLoginAs per account or per domain using zmprov, admin won't view mail even if the "View Mail" is still available.

To deny adminLoginAs to a domain admin for an account type as zimbra user:

Code:

zmprov grr account dontviewmymail@example.com usr domainadmin@example.com -adminLoginAs

To deny adminLoginAs to a domain admin for entire domian type as zimbra user:

Code:

zmprov grr domain example.com usr domainadmin@example.com -adminLoginAs

To grant the right use + instead of -

Cheers

[Cine]

Hello Starex!

This feature has actually been added to the software in Zextras Suite 1.8.13

Code:

A new ZxAdmin property, ZxAdmin_ViewMailEnabled, has been added in order to allow global administrators to disable ZeXtras Suite's "View Mail" feature for both Global and Delegated Admins alike (original RFE filed by "Oleh" at http://bugzilla.zextras.com/show_bug.cgi?id=82

(using this on NE right now won't hide the button, but it will be ineffective: we're working on a fix which will be likely released in version 2.4.1)

Have a nice day,
Cine
the Zextras Team

[starex]

Wow, i didn't know that, thank you. But this may be of help for folks who are running Zextras Trial.

Hello Starex!

This feature has actually been added to the software in Zextras Suite 1.8.13

Code:

A new ZxAdmin property, ZxAdmin_ViewMailEnabled, has been added in order to allow global administrators to disable ZeXtras Suite's "View Mail" feature for both Global and Delegated Admins alike (original RFE filed by "Oleh" at http://bugzilla.zextras.com/show_bug.cgi?id=82

(using this on NE right now won't hide the button, but it will be ineffective: we're working on a fix which will be likely released in version 2.4.1)

Have a nice day,
Cine
the Zextras Team