How can we save all email traffic and other things from clients (e-evidence law)

Richard G

In the EU we have a new law called E-Evidence Regulation and Directive.
The Regulation lays down the rules under which an authority of a Member State, in criminal proceedings, may issue a European Production Order or a European Preservation Order and thereby (directly) order a service provider offering services in the Union and established in another Member State, or, if not established, represented by a legal representative in another Member State, to produce or to preserve electronic evidence regardless of the location of the data.

This is also applicable to all hosters and registrars too, including ZZP businesses (as we call them in Dutch).

In short, when requested, we are required (mostly within 24 hours, but in certain cases within 8 hours) to keep logs of all activity, including e-mail traffic (incoming and outgoing) and content if I understood correctly, of an account/domain, when legally requested from a country within the EU.
This concerns digital data such as emails, text messages and traffic data, which are used to investigate and prosecute criminal offences.

They start implementing in March 2026 and it will be in effect for everybody on August 1st 2026.

Maybe some Dutch colleagues @Active8 @Driesp or others already had the letter from the Ministry, as I did the day before yesterday, and have a clue on how something like this can more or less easily be built in or activated, or have ideas on how to implement something like that, so these kinds of things can all be started/saved once asked for by legal action.
 
For the webserver logging, "logs_history_as_nobody" and "logs_to_keep_days" can be combined to ensure the logs are kept and to prevent deletion by the user.

And keep the backup for 180 days even after the user has been removed.

============
So the evidence can be removed by the user if the "nobody" permission is missing.
 
For the Apache logs, if possible, it would be better to change the naming convention
from
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz.1
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz.2
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz.3
to
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz-20251118
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz-20251119
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz-20251120

It is much more efficient for incremental backups (to save multiple copies, e.g. 30, 60, 180 days of copies).


 
"logs_to_keep_days": this option will ensure that if you manually tally the logs, it still keeps the logs and does not replace them on the same day.

So you can start the tally, export the user via admin backup, and export the email logs in "/var/log/exim/" and "/var/log/mail*".
 
Well, the Apache logs are not the most interesting, as they are the easiest to save; that is not really a problem. They might also be the least interesting, as these are visitor logs, not really something the user might be doing themselves.

But the exim mainlog and maillog do not contain any mails. If you check these files, you only see traffic and title, no content, so that is not enough.

So what I'm most interested in is things like real (so full) incoming and outgoing mail. I guess that would mean making realtime copies of the mail folders, like the IMAP folder and/or Maildir folder.
Also other things which will be required, like chat logs for example. Because some forums and sites have chat addons, but it's going to be tricky to be able to get content from that.

Because the main difficulty will not be the connection logs; we already have these and they can easily be copied or extended, like already mentioned in this thread. It's possible content like e-mail, but also other things.
Which might for example be options to make realtime copies of all e-mail, incoming and outgoing, and probably database content.
Database content can also be created by making regular backups via cron, for example.

But I'm wondering how other EU colleagues are looking at these new regulations and how they think they will and can provide tools to obey these rules once active. Which is by the way August 18th 2026.

So thank you for these answers, but those are the default easy logs I already know about.
I'm also very interested in what other EU (hopefully also Dutch) colleagues think about this law, how they plan to implement things, and whether they also already got this letter from the Department of Justice.
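The "realtime copy of the Maildir" idea above, as an added example that is not from this thread or from DirectAdmin: a small POSIX shell script that snapshots a mailbox into a root-owned evidence area the account owner cannot reach (unlike copies left under the user's home, which the user can delete) and writes a SHA-256 manifest so later changes to the copy are detectable. It assumes GNU coreutils and a PRESERVE_ROOT directory of your choosing; a true real-time copy would additionally need the MTA to deliver a duplicate, which is not shown here.

```shell
#!/bin/sh
# Added example (not from the thread): periodic, root-owned snapshot of a
# user's Maildir for a preservation request, stored outside the user's
# home so the account owner cannot delete or alter it. Assumptions:
# GNU coreutils (cp -a, sha256sum) and PRESERVE_ROOT as the evidence area.

PRESERVE_ROOT="${PRESERVE_ROOT:-/var/preservation}"

# preserve_maildir <Maildir path> <case label>
# Copies the Maildir into $PRESERVE_ROOT/<label>/<UTC timestamp>/maildir,
# writes a SHA-256 manifest of every message, and write-protects the copy.
# Prints the snapshot directory on success.
preserve_maildir() {
    src="$1"; label="$2"
    [ -d "$src" ] || { echo "not a Maildir: $src" >&2; return 1; }
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest="$PRESERVE_ROOT/$label/$stamp"
    [ ! -e "$dest" ] || { echo "snapshot exists: $dest" >&2; return 1; }
    mkdir -p "$dest"
    # -a keeps mtimes and the Maildir filenames, which encode delivery time
    # and IMAP flags (the ",S=...:2,S" suffix), so the copy stays evidential.
    cp -a "$src/." "$dest/maildir" || return 1
    # Hash every message so any later modification of the copy is detectable.
    ( cd "$dest" && find maildir -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) \
        > "$dest/MANIFEST.sha256"
    # Only the owner of the evidence area (root) may read it, and the copied
    # messages are read-only. (chattr +i on ext4/xfs is a possible further step.)
    chmod 700 "$PRESERVE_ROOT/$label"
    find "$dest" -type f -exec chmod a-w {} +
    echo "$dest"
}

# verify_snapshot <snapshot dir>: 0 if every message still matches the manifest.
verify_snapshot() {
    ( cd "$1" && sha256sum --quiet -c MANIFEST.sha256 )
}

# When run directly with two arguments, take one snapshot; e.g. from cron
# while an order is active (constructed paths, placeholder order label):
# 0 * * * * root /usr/local/sbin/preserve_maildir.sh \
#   /home/xxxxxx/imap/yyyy.com/alice/Maildir ORDER-PLACEHOLDER
if [ $# -eq 2 ]; then
    preserve_maildir "$1" "$2"
fi
```

Each run makes a full copy; for hourly runs on large mailboxes, hard-linked incremental copies would save space, but the manifest-per-snapshot approach stays the same.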
 