How can we save all email traffic and other things from clients (e-evidence law)

Richard G

In the EU we have a new law called E-Evidence Regulation and Directive.
The Regulation lays down the rules under which an authority of a Member State, in criminal proceedings, may issue a European Production Order or a European Preservation Order and thereby (directly) order a service provider offering services in the Union and established in another Member State, or, if not established, represented by a legal representative in another Member State, to produce or to preserve electronic evidence regardless of the location of the data.

This is also applicable to all hosters and registrars too, including ZZP businesses (as we call them in Dutch).

In short, when requested, we are required (mostly within 24 hours but in certain cases within 8 hours) to keep logs of all activity including e-mail traffic (incoming and outgoing) and content if I understood correctly, of an account/domain, when legally requested from a country within the EU.
This concerns digital data such as emails, text messages and traffic data, which are used to investigate and prosecute criminal offences.

They start implementing in March 2026 and it will be in effect for everybody August 1st 2026.

Maybe some Dutch colleagues @Active8 @Driesp or others already had the letter from the Ministry, as I did the day before yesterday, and have a clue on how something like this can more or less easily be built in or activated, or have ideas on how to implement something like that, so these kinds of things can all be started/saved once asked for by legal action.
 
For the webserver logging, "logs_history_as_nobody" and "logs_to_keep_days" can be combined to ensure the logs are kept and to prevent deletion by the user.

And keep the backup even if the user has been removed for 180 days.

============
So the evidence can be removed by the user if the "nobody" permission is missing.
 
For the Apache log, if possible, it'd be better to change the naming convention
from
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz.1
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz.2
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz.3
to
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz-20251118
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz-20251119
/home/xxxxxx/domains/yyyy.com/logs/Nov-2025.tar.gz-20251120

It is much more efficient for incremental backup (to save multiple copies, e.g. 30, 60, 180 days copies).

 
"logs_to_keep_days": this option ensures that if you manually tally the logs, it still keeps the logs and does not replace them on the same day.

So you can start the tally, export the user via admin backup, and export the email logs in "/var/log/exim/" and "/var/log/mail*".
 
Well the apache logs are not the most interesting as they are the easiest to save, that is not really a problem. It might also be the least interesting as this is visiting logs, not really something the user might be doing themselves.

But the exim mainlog and maillog do not contain any mails. If you check these files, you only see traffic and title, no content, so that is not enough.

So what I'm most interested in is things like real (so full) incoming and outgoing mail. I guess that would mean making realtime copies of the mail folders like the IMAP folder and/or Maildir folder.
Also other things which will be required like chat logs for example. Because some forums and sites have chat addons, but it's going to be tricky to be able to get content from that.

Because the main difficulty will not be the connection logs, we already have these and they can easily be copied or extended like already mentioned in this thread, but it's possible content like e-mail but also other things.
Which might for example be options to make realtime copies of all e-mail incoming and outgoing and probably database content.
Database content can also be created by making regular backups via cron for example.

But I'm wondering how other EU colleagues are looking at these new regulations and how they think they will and can provide tools to obey these rules once active. Which is by the way August 18th 2026.

So thank you for these answers, but those are the default easy logs I already know about.
I'm also very interested in how other EU (hopefully also Dutch) colleagues think about this law and how they think to implement things and if they also already got this letter from the Department of Justice.
 
There is so much unclear, like retention time.
I have also received this letter and subscribed to the newsletter, let's see what is going to happen.
 
I think containing and accessing customers' email content is actually breaching ePrivacy. You can have backup of the emails, but you should (or need to) encode the backup to make sure no one can have access to the content. And the backup is only for restoration purpose.

Also, might think about Preservation Order. When needed, the law enforcement needs to send out a Preservation Order. After receiving the order, then you can freeze or copy the customers' content. Before that, if you keep the content somewhere else, just in case needed, not for hosting business purpose, such as backup / restoration, then it might be a violation of GDPR.

If you really need to follow the rules, it would be better to discuss with your lawyer.
 
When needed, the law enforcement needs to send out a Preservation Order.
As far as I understand it now, we only have to start working on this once we get a court order from some country.
This order should provide the conservation time.

Accessing content, including but not limited to customers' email, is a privacy violation for sure. So we can't do anything until we receive an order.
As @Active8 says at this moment there are still several things unclear.

As for a lawyer, that is too expensive for a little company like mine, and there is little we can do as this is a law and we need to comply, same as if at this moment we would get a court order from our own country.

But maybe we can indeed better wait and see how to implement tools until a bit more is clear. I thought maybe some Dutch hosters (and EU hosters) already read the law and had some idea on how to implement and which tools are required when using tools.

More things will be clear in March next year, but from March until half August is a very short time.

Depending on what this law exactly is going to mean for us in matter of costs and work, it might even cause me to stop my business as I'm getting too old for all this EU rules nonsense. What will they think of next..... :(

Anyway, at least the EU hosters here on DA will now know what is coming at them and they can read and make some preparations and maybe subscribe to the e-evidence newsletter to be kept informed.
Because if one does not comply as hoster to have this system running in good order in August 2026, there will be fines it says.
 
Well, imho it's clear enough. You can receive 2 types of orders.

A preservation order, in which they tell you to freeze your logs at that time. Not to log any extra, not to give them stuff, just make sure you don't delete the logs if your backup retention is less than the timespan they 'order'.

A production order, in which they will tell you what they want. A valid answer to some of those questions is 'we do not have that information' if you don't have it. We still have a gdpr/avg and that law still exists. Don't break that by suddenly deciding to copy all emails to an archive, just in case someone asks about it.

When and if they want data, you'll have to make sure you don't give too much. No data of other users. Not 'here are all weblogs, have fun'. You will regret doing that at some point.

This means grepping IPs from logs, customer data (name, address, etc.) from your administration, finding a user id in a database, etc.
If you can't isolate the data, you can just say that.

The law is more to make us hosters react faster, not to make us snitches on our own customers.

Edit: Also remember, at least in The Netherlands, you can simply send them an invoice for the time you spend on an order.
 
The law is more to make us hosters react faster, not to make us snitches on our own customers.
Well I don't fully agree to that. You can see they can ask for content as shown in the quote in the first message.
So I can't agree to the any extra, and as of yet I didn't find any "we don't have that info option" but I did see a "you are expected to provide that information by law once requested" and that you have to create things you don't have starting within 24 hours of asking or in some cases within 8 hours of asking.

Of course no data of other users, that seems logical to me.
 
I was born with that option. I can not give what I don't have.

The core of this law is (at least for regular webhosters)

(19) This Regulation should regulate the gathering of data stored by a service provider at the time of receipt (=save what you have at that moment and don't delete it for 60-90 days) of a European Production Order or a European Preservation Order only. It should not lay down a general data retention obligation (=no need to change your log retention) for service providers and it should not have the effect of resulting in any general and indiscriminate retention of data (=zero extra logging). This Regulation also should not authorise the interception of data or the obtention of data that are stored after the receipt of a European Production Order or a European Preservation Order.

So, actually... saving all e-mail is not even allowed.
 
I was born with that option. I can not give what I don't have.
Yes but well.... problem is that emails are stored on the server so you can't say you don't have that.

(=zero extra logging)
That is a wrong translation. It says "general data retention" and I know how governments work. So this means they can ask for specific data retention for example emails, just not general so just not "everything" of the user.

As I don't trust governments and neither the EU in such cases, I'll have to see the definite regulations when they start issuing them in March next year.

Let's hope we don't need to do extra logging or not be allowed to do this, but as for what I've read in the letter from the Ministry of Justice, I think at a certain point this will be added. Not general but specific data.
 
Many hosters get a few of those a year already. It's nothing else than when the law contacts you because they want to know who is selling fake shit on an online marketplace. Do whatever you think is best for your company. I'm not telling you what to do, mate, nor do I want to fight over a thing we already have to do for Dutch laws already.

But never ignore the privacy of your customers. Think very good about this because copying everybody's mail 'just in case' is nothing less than wiping your behind with the gdpr/avg.

The governments I have worked for are the same as any other big corps. Everybody wants more than they are allowed to. If you do need investing in anything to comply with this law, I would suggest to focus on the rules how to validate a request for its scope and if it's not simply a 'lets try yelling law 1234, we want all your bases' kinda request, because you will get these, from lawyers with big mouths wanting everything, and then some.
Document how this translates to your current logging/backup schemes and how to deal with a request, based on what you have now. How are you going to freeze what you have? How are you going to extract what they want (if you have it) without violating other laws?

But in my case, I am not the law. I'm just a law abiding citizen. So, I'm not going to do their work. That simple. We have a gdpr/avg that states I have to keep as little as possible as short as possible about my customers and I do just that at any time. This is an agreement I have with all my customers. They even made me force them to sign that gdpr thing, years ago.

So I will freeze what I have at preservation time and within time report back what we can provide and some general information about what they can expect from our work if they agree. So if I need to supersafely store (and supersave backup it) a 100gb account, this will require funding.
If I have to find an ip in 500gb logfiles with vi, maybe from 10 different servers, maybe even extract all wordpress posts of a user from a backup, this will take time. And funding.

Don't go to the dark side, Luke ;)

Have a great weekend!
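One way to do the "freeze what you have" and "extract only what they want" steps raised in this post and in the earlier reply about preservation and production orders, as an added example that is not code from any poster. The directory layout, order id and log lines are constructed, and GNU `sha256sum` is assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Paths, order id and log lines are constructed.
set -eu

# freeze_logs SRC_DIR HOLD_ROOT ORDER_ID
# Copy what exists right now for ONE domain, record SHA-256 sums, drop write
# permission. No new logging is switched on; only existing files are held.
freeze_logs() {
    hold="$2/$3"
    mkdir -p "$hold"
    cp -p "$1"/* "$hold"/
    ( cd "$hold" && sha256sum -- * ) > "$hold.sha256"
    chmod a-w "$hold"/* "$hold.sha256"
}

# verify_hold HOLD_ROOT ORDER_ID: non-zero exit if a held file changed.
verify_hold() {
    ( cd "$1/$2" && sha256sum -c "../$2.sha256" >/dev/null 2>&1 )
}

# extract_scoped LOGFILE IP DAY: print only lines whose client field equals IP
# exactly and whose timestamp falls on DAY (dd/Mon/yyyy). A plain
# "grep 203.0.113.4" would also return 203.0.113.40 and any request that
# merely mentions the address, i.e. data about other visitors.
extract_scoped() {
    awk -v ip="$2" -v day="$3" \
        '$1 == ip && index($4, "[" day ":") == 1' "$1"
}

# Constructed sample: one domain's access log in Apache combined-style format.
make_sample() {
    mkdir -p "$1"
    cat > "$1/access.log" <<'EOF'
203.0.113.4 - - [18/Nov/2025:10:01:22 +0100] "GET /login HTTP/1.1" 200 512
203.0.113.40 - - [18/Nov/2025:10:02:10 +0100] "GET / HTTP/1.1" 200 1024
198.51.100.7 - - [18/Nov/2025:10:03:00 +0100] "GET /?ref=203.0.113.4 HTTP/1.1" 200 80
203.0.113.4 - - [19/Nov/2025:08:00:00 +0100] "POST /contact HTTP/1.1" 302 0
EOF
}

work=$(mktemp -d)
make_sample "$work/domains/yyyy.com/logs"
freeze_logs "$work/domains/yyyy.com/logs" "$work/hold" ORDER-0001
verify_hold "$work/hold" ORDER-0001 && echo "hold intact"
extract_scoped "$work/hold/ORDER-0001/access.log" 203.0.113.4 18/Nov/2025
```

Of the four sample lines, a substring grep for the address matches all four, while the scoped extraction returns only the one request made by that client on the requested day.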
 
But never ignore the privacy of your customers. Think very good about this because copying everybody's mail 'just in case' is nothing less than wiping your behind with the gdpr/avg.
No problem there. Because I will never do anything "just in case" and I value the privacy of my customers very high. So even in Dutch cases they have got to have a good decent court order otherwise I won't do anything. And I won't do anything out of myself anyway either.
I'm just a bit worried because it's now every EU country and some laws can be different there than here.

But it's good to know the options and also that you can send them an invoice for the work you do, I didn't know that one yet.

Thank you for your insights!

And have a great weekend too!
 