FUIT: Working around your company's email restrictions



The Situation

The Powers at TegRatchet Imports Incorporated (TRI, Inc) have decided to limit mailbox sizes to 300MB and attachment sizes to 5MB in an effort to...well...I don't really know. In 1999 that made a lot of sense, but now it's just an archaic policy when disk space is so cheap. Users are, thankfully, allowed to have offline archives in the form of PST files, but they must be stored locally, which means they aren't being backed up. On top of this, no emails in the system are allowed to be older than 90 days, which is a fairly common practice these days for liability and legal reasons.

Anecdote time: Brian and I once spent a 4-day weekend sifting through 6 years of Exchange backups for an investment bank that was getting sued. That covered Exchange 4, 5, 5.5, and 2000, and each restore required a domain to be set up exactly as it was when the backup was taken. We'd stand up a new domain and Exchange server, restore a backup, search it for a few terms that the court wanted, restore the next tape, and so on. When it came time to change versions of Exchange, the whole thing had to be rebuilt from scratch. It was a long, Mountain Dew and pizza-fueled weekend, and it is the exact reason why companies make it policy to only retain emails for a certain, impossibly small period of time.


The user, let's call him Stan, living in 2011 and not 1999, has several issues with this setup, including the fact that he doesn't care one bit about why the policies The Powers put in place are there. Stan wants:

  1. More than 300MB of storage space for emails. His Gmail account is ~8GB. Somewhere in between would probably be ok.
  2. More than 90 days of backup, or at least a way to back up his PST files.
  3. More than a 5MB message size. Word & Excel docs can easily get larger than that now, not to mention PDFs, PowerPoint presentations, and photos.

In order to comply with IT, Stan would have to ignore numbers 1 & 2, since there's nothing he can do to increase the size of his mailbox. Instead, he'd have to regularly dump his email out to a PST file. The same goes for the 90-day email retention. But the PST file can't be stored reliably on a network share, so to back it up, Stan has to look elsewhere. In 1999, he would be stuck, but nowadays users have options, and the one Stan chose to take advantage of was to use Gmail and Outlook rules to set up his own archive.

Gmail gives you almost 8GB of storage space, and the attachment limit is 25MB. Creating a Gmail account is no big deal, and there are dozens of other free email providers out there if The Powers have blocked Gmail. Stan set up a new account, then went into Outlook and configured a rule to redirect all inbound and sent emails to this new, offsite email address (if you do this, don't forget to check the option that keeps calendar invitations from being forwarded, otherwise the outside email address will appear in all invitations).

And if The Powers have disabled server-side blanket email redirection rules, then Stan can still just add Gmail as a second account into Outlook via IMAP and right-click and move the TRI emails to the personal Gmail account. And if The Powers block IMAP at the office, then Stan will just move the email from home.

Regardless of what The Powers do, when the user goes to his Gmail account, he has access to all of the email he's ever sent or received. If he has to send an attachment that's larger than 5MB, he can use the Gmail account instead, and when his email is deleted after 90 days from the Exchange server, he doesn't care because it's still in his Gmail archive. He can access his archive on his phone, via Outlook, or any other web browser. Stan's a happier, more efficient worker, despite the fact that The Powers would frown on the fact that significant amounts of email data are being shipped out of the organization each day, unbeknownst to them.

The Powers Should...

Three things:

  1. The Powers should re-evaluate their solution, period. This is an easy one to solve before it gets out of control. Hard drive space cost over $20 per gigabyte in 1999. Today, the cost per gigabyte of storage is less than 10¢. Data center storage is more expensive, sure, and maybe there are other costs associated, too, but what costs more: building a bit bigger email environment or ultimately dealing with the liability and implications of having all that corporate email and data living outside the organization?
  2. Build out the email system to be what your users need. If they can only retain 90 days of email, explain why. Explain it's their liability at stake as much as The Powers'.
  3. The Powers should not, for one second, think this isn't happening in some way in their organization. For the most part, people aren't doing these things maliciously; it's just that when presented with a roadblock, they choose to drive around it.
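
As an added example (not part of the original post), an administrator can measure how much of this is already happening by listing inbox rules that forward or redirect to addresses outside the organization. It assumes the Exchange Management Shell on Exchange 2010 or later, that rule recipients render in the usual `"Name" [SMTP:user@domain]` form, and that every accepted domain counts as internal; `Get-ExternalTarget` is a hypothetical helper name.

```powershell
# Added example: find inbox rules that send mail to outside addresses.
# Assumption: run in the Exchange Management Shell (Exchange 2010 or later).

# Domains the organization accepts mail for are treated as internal.
$internal = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

function Get-ExternalTarget {
    # Rule recipients render like: "Stan" [SMTP:stan@example.net]
    # Directory recipients render as [EX:/o=...] and are skipped as internal.
    param([object[]]$Recipient, [string[]]$InternalDomain)
    foreach ($r in $Recipient) {
        if ("$r" -match 'SMTP:([^\]\s]+)@([^\]\s]+)') {
            $domain = $Matches[2].ToLower()
            if ($InternalDomain -notcontains $domain) { "$($Matches[1])@$domain" }
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        # The three rule actions that copy or hand off a message to someone else.
        $all = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        $ext = @(Get-ExternalTarget -Recipient $all -InternalDomain $internal)
        if ($ext.Count -gt 0) {
            New-Object PSObject -Property @{
                Mailbox = "$($mbx.PrimarySmtpAddress)"
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Targets = $ext -join '; '
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table Mailbox, Rule, Enabled, Targets -AutoSize

# Whether automatic forwards to outside domains are allowed at all.
Get-RemoteDomain | Format-Table DomainName, AutoForwardEnabled -AutoSize
```

This covers server-side rules only; mail moved by hand over IMAP, as described above, leaves no rule to find.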



Join the conversation



Man, I still can't believe that any companies today actually run their own email systems anymore.. I don't want to hear any stories about, "Oh, we have to, because we can't trust Google for mail." .. Or "We can't trust the cloud!"

I call BS. If a company has mailbox limits of ANY size, then they already have email in Gmail.. It's just that the users are putting it there themselves. :)

(And actually this is worse, because the company can't enforce password complexity or two factor authentication or anything on personal Gmail accounts... something they could do if they just gave up and used Gmail.)


Basically, 'the powers that be' need to engage users and find these problems before they circumvent them and consider the actions the users will take when restrictions are implemented.

A common example is strict account creation processes: if users have to jump through hoops to get a consultant online for half an hour, they will just share their login info with them.


Brian, would you feel that way about cloud security if all your data was in another country not under US law?

(I think a lot of that conversation depends on industry and risk tolerance).


Google had a puny 25MB limit on message size last time I looked.  I was looking because a user was sending a large email to a customer who had "gone Google", and she wanted me to raise the recipient's limit.  I said no, confirming her view that corporate IT is an obstructive bunch.

For many users, complex passwords and two-factor authentication are just another reason to forward all your email, even from Google.  That, and the way they take away your access when you leave, just when you really need all your customers' contact details.


I remember the first time I put my credit card into a website to buy computer memory - (yes, for my work machine)

- (and I remember my parents opening a "special credit card with a $500 limit - so the evil people on the internet didn't pilfer their life savings and commit identity theft and retire on their 401k")

I'd say it took about a year for all of us to get over that fear.

My guess - Brian and Gabe are onto something here - and in about a year IT will get it - this will be the new gospel.



This is how students get around filters at schools too - they love Gmail!!


I can clearly see how this can and does happen. But to comment directly to Brian. Many businesses still run their own systems as a matter of CONTROL. It will never really be an argument over trust, but over control.

There are plenty of valid reasons to keep the stuff in house with just as many advocating the opposite. End of the day, to simply generalize the "capabilities" of the hosted (hate the misnomer "cloud") solutions as the be all, end all to corporate IT infrastructure is silly.