Thanks Sven, I really appreciate your considerations, especially about the
encryption of the SMTP traffic.
I will test Mandatory Access Control (MCS), like Se-linux(YES, I know that
NSA wrote it) or Apparmor for instance, and customising SUDO:
http://pubs.gpaterno.com//2009/protecting-confidential
Given that a physical root can bypass any and every ACL, encrypting
messages (upon receiving, e.g.) is the only remotely plausible way to
prevent access.
And even then the admin could sniff all SMTP traffic and copy messages
before encryption, so you'd need to monitor him anyway.
Why again does