Data Loss Prevention


No additional budget for a quarantine solution to use with DLP SMTP Prevent? Use Postfix in the interim.

Nov 02, 2015 03:51 PM

Time and again we find leadership teams, auditors, customers, clients and other stakeholders pressing to mature the Data Loss Prevention (DLP) solution to the point where it blocks, rather than merely monitors, more than 75% of what it flags on the core communication vector of an organization: outgoing SMTP traffic. To us this means management is willing to restrict data even at the cost of blocking legitimate mail in some instances. The risk sign-off that accepts jeopardizing valid email, however, comes with certain compensating controls: keeping false positives to a minimum, 24 x 7 policy life-cycle management and maintenance, grouping of senders and recipients, and, most importantly, the ability to hold a message, then review it, then decide whether to release it or simply drop it and initiate retrospective action.

I'm sure we all agree on the importance of an inline solution with the capability to quarantine emails that trigger certain policies in DLP Email Prevent. However, we don't always get a free hand to choose the most user-friendly tool for this operation. I faced such an issue myself in the recent past, so I decided to explore options within the gracious Linux community. Of course, I'm sure most of you know I'm talking about "postfix".

Yes - I'm talking about the "hold" queue feature.

The administrator can define "smtpd" access policies, or cleanup header/body checks that cause messages to be automatically diverted from normal processing and placed indefinitely in the "hold" queue. Messages placed in the "hold" queue stay there until the administrator intervenes. No periodic delivery attempts are made for messages in the "hold" queue. The postsuper command can be used to manually release messages into the "deferred" queue.

Messages can potentially stay in the "hold" queue longer than $maximal_queue_lifetime. If such "old" messages need to be released from the "hold" queue, they should typically be moved into the "maildrop" queue using "postsuper -r", so that the message gets a new timestamp and is given more than one opportunity to be delivered. Messages that are "young" can be moved directly into the "deferred" queue using "postsuper -H".

The "hold" queue plays little role in Postfix performance, and monitoring of the "hold" queue is typically more closely motivated by tracking spam and malware, than by performance issues.

Ref: http://www.postfix.org/QSHAPE_README.html#hold_queue

This lets your reviewer team release each held email after analysis where applicable, and otherwise drop it:

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:release_quarantined_mail

 
