My question is, is this mail sent internally by the machine, or is it handled over-the-internet like traditional email? And if it is internally, what program/script/command/etc is being used? Where do I find these messages?
1. Yes mail is sent internally by the machine.
2. It uses postfix to send email, by default email is sent to root user (if no other user is set to receive that email) to report unauthorized attempt to use sudo
1. If postfix is not installed then it will not send email because there is no email system.
2. If you have not got mailutils install on Ubuntu you will not be able to read email. I mean that is the easiest way I am aware of reading email. Also you can try looking under /var/mail/root to see the email.
How to configure it:
1. Install postfix on Ubuntu machine using: sudo apt-get install postfix. At the time of configuration it will ask you to select whether the email system will be configure for external use or local only. Select local only.
2. Install mailutils on Ubuntu machine using: sudo apt-get install mailutils.
1. Login with a user account who is not in sudoers file.
2. Try to use sudo: sudo mkdir /test . It will show a message saying that this incident will be reported
3. su root from the same terminal and type: mail
4. It will show you an email and then you can hit enter to read that email.
I hope this helps.