2. Configuring Journaling
Journaling lets you record all communications in an organization, including
email communications, for use in an email retention strategy. It enables
organizations to maintain records of communications that occur when employees
perform daily business tasks.
All Exchange Server 2010 email messages pass through at least one Hub
Transport server. A journaling agent is a transport agent that processes
messages on Hub Transport servers. It fires on the OnSubmittedMessage and
OnRoutedMessage routing agent events.
Exchange 2010 provides the following journaling options:
Standard journaling
Standard journaling, configured on a mailbox database, enables the
journaling agent to journal all messages sent to and from mailboxes
located on the specified database. To journal all messages to and
from all recipients and senders, you need to configure journaling on
all mailbox databases on all Mailbox servers in the
organization.
Premium journaling
Premium journaling uses
journal rules. You can, for example, use a journal rule to record
all messages sent to a specific address and store these messages in
a special journaling mailbox for compliance purposes. You can
configure journal rules to match your organization’s needs by
journaling individual recipients or members of distribution groups.
You must have an Exchange Enterprise CAL to use premium
journaling.
When you enable standard journaling on a mailbox database, this information is
saved in Active Directory and is read by the journaling agent. Journal rules
configured using premium journaling are also saved in Active Directory and
applied by the journaling agent.
2.1. Defining Journal Rule Scope and Recipients, and the Journaling Mailbox
Journal Rule Scope defines which messages are journaled by the journaling
agent. You can target the journal rule to Internal, External, or Global
recipients. These scopes are defined as follows:
Internal
Target messages are sent to recipients and received from senders
inside an Exchange organization.
External
Target messages are sent to recipients and received from
senders outside an Exchange organization.
Global
Target messages include all messages that pass through an
organization’s Hub Transport servers. These can include
messages that may have already been processed by journal rules
using the Internal and External scopes.
Journal Recipients specifies the SMTP address of the recipient you want to
journal. The recipient can be an Exchange mailbox, a distribution group, or
a contact. Typically, recipients may be subject to regulatory requirements
or may be involved in legal proceedings. By specifying specific recipients
or groups of recipients, you can configure a journaling environment that
matches your organization’s regulatory and legal requirements and
hence minimize storage and other costs associated with retention of large
amounts of data.
All messages sent to or from the journal recipients that you specify in a
journaling rule are journaled (including all members of a distribution group
if you specify this group as a recipient). If you do not specify a
journaling recipient, all messages sent to or from recipients that match the
journal rule scope are journaled.
Many organizations that implement journaling also use Unified
Messaging (UM) to consolidate their email, voice mail, and fax
infrastructure. You may not, however, want the journaling process to
generate journal reports for messages generated by UM. You can decide
whether to journal voice mail messages and missed call notification
messages handled by an Exchange 2010 UM server or whether to skip such
messages. However, messages that contain faxes generated by
a UM server are always journaled, even if you configure a journal rule
that specifies not to journal UM voice mail and missed call notification
messages.
When you enable or disable the journaling of voice mail messages and
missed call notification messages, your settings apply to all Hub
Transport servers in your organization. You can use commands based on
the Set-TransportConfig EMS cmdlet to enable or
disable the journaling of voice mail messages and missed call
notification messages. For example, the following command disables voice
mail journaling on all Hub Transport servers:
Set-TransportConfig -VoicemailJournalingEnabled $false
Journaling mailbox specifies one or more mailboxes used for collecting
journal reports. You can specify one journaling mailbox to collect messages
for all the journal rules configured in the organization, or you can use
different journaling mailboxes for different journal rules or sets of
journal rules. How you configure the journaling mailbox depends on your
organization’s policies and regulatory and legal requirements.
Journaling mailboxes typically contain sensitive information, and you need
to secure them. Messages that are part of legal proceedings must remain
tamper-free before they are submitted to an investigatory authority. Because
of this requirement, you should create policies that govern who can access
the journaling mailboxes in your organization and limit access only to those
individuals who have a direct access requirement.
2.2. Creating and Configuring Journal Rules
You can use commands based on the New-JournalRule EMS
cmdlet to configure new journal rules. For example, the following command
stores all messages sent to [email protected] in the journaling mailbox
“Don Hall Journal Mailbox”:
New-JournalRule -Name "Don-Hall-Compliance" -JournalEmailAddress "Don Hall Journal Mailbox" -Scope Global -Recipient [email protected] -Enabled $True
The following command stores all messages sent to the distribution group
[email protected] to the journaling mailbox “Authors
Journal”:
New-JournalRule -Name "Book-Authors-Journal" -JournalEmailAddress "Authors Journal" -Scope Global -Recipient [email protected] -Enabled $True
Note that in both cases, the Enabled parameter is optional. Journal rules
are enabled by default unless the Enabled parameter is set to $false.
Note:
You can use the New-Mailbox EMS cmdlet to create
a mailbox to use as a journaling mailbox. You then create a journal
rule using the New-JournalRule cmdlet to configure
the mailbox as a journaling mailbox.
2.3. Replicating Journal Rules
Journal rules are stored in Active Directory and applied by all Hub
Transport servers in an Exchange Server 2010 organization. If you create,
modify, or remove a journal rule on a Hub Transport server, this change is
replicated to all Active Directory servers in your organization. The Hub
Transport servers then retrieve the updated journal rule configuration from
the Active Directory servers. In this way, Exchange Server 2010 provides a
consistent set of journal rules across the organization. All messages that
pass in or through an Exchange Server 2010 organization are subject to the
same journal rules. Journal rule replication depends on Active Directory
replication.
2.4. Understanding Journal Reports
A journal report is the message that the journaling agent generates on a
Hub Transport server when an email message matches a journal rule and is
submitted to a journaling mailbox. Journal reports contain important message
content and metadata. The original email message that matches the journal
rule is included, unaltered, as an attachment to the journal report. The body
of a journal report contains information from the original message, such as
the sender email address, message subject, message-ID, and recipient email
addresses. This is the only journaling method supported by Exchange Server
2010 (and Exchange Server 2007) and is known as envelope
journaling.
The information in a journal report is organized so that every value in
each header field has its own line, which simplifies parsing. Exchange
Server 2010 may generate more than one journal report for a single message.
This depends on factors such as message bifurcation or distribution group
expansion.
When the journaling agent journals a message, it tries to capture as much
detail as possible. This information helps you determine the intent of the
message, its recipients, and its senders. A journal report can tell you, for
example, whether the recipients identified in the
message are directly addressed in the To field or the Cc field or are
included as part of a distribution list.
Journal report fields can be basic or extended. Basic journal report
fields are listed and described in Table 1.
Table 1. Basic Journal Report Fields
Field | Description
---|---
Sender | Displays the SMTP address of the sender specified in the From header. If the message is sent on behalf of another sender, the field displays the address specified in the Sender header.
Subject | Displays the subject header value.
Message-ID | Displays the SMTP Message-ID.
Recipient | Displays the SMTP address of a recipient included in an email message when Exchange cannot determine the recipient addressing of that message. This occurs when messages are received from the Internet or from unauthenticated senders and when messages are received from legacy Exchange servers. Recipients added by transport rules or other transport agents are also listed in the Recipient field.
Extended journal report fields are listed and described in Table 2.
Table 2. Extended Journal Report Fields
Field | Description
---|---
On-Behalf-Of | Displays the SMTP address of the mailbox from which the message appears if the Send On Behalf Of feature is specified by the sender.
To | Displays the SMTP address of a recipient included in the message envelope and in the To header field of the message.
Cc | Displays the SMTP address of a recipient included in the message envelope and in the Cc header field of the message.
Bcc | Displays the SMTP address of a recipient included in the message envelope and in the Bcc header field of the message.
Note:
RECIPIENT ADDRESSES IN TO, CC, AND BCC FIELDS
The recipient address in a To, Cc, or Bcc field can be included
directly by the sender or indirectly through distribution list expansion
or if the message was forwarded to the recipient by another mailbox. To
indicate whether the message went through distribution list expansion or
was forwarded, the field may also contain one Expanded field or one
Forwarded field, separated with commas. Expanded and Forwarded fields
are described later in this lesson.
Whether extended journal report fields
are populated depends on whether recipient addressing can be determined. If
recipient addressing can be determined for a particular recipient, the
recipient email address is inserted into the appropriate extended fields. In
this case, the recipient email address is not inserted into the basic
Recipient field.
If a message is submitted to a Hub Transport server by using any other
method, such as anonymous submission from an Edge Transport server or
submission from a server running Exchange Server 2003, Exchange cannot
verify that the recipient addressing has not been tampered with. If
recipient addressing cannot be verified, the recipient email address is
inserted in the basic Recipient field and not into an extended To, Cc, or
Bcc field.
For each recipient addressed on a message, one recipient journal report
field is added. No recipient field contains more than one recipient email
address, except for recipient fields that contain recipients expanded from a
distribution group or that have received a message forwarded from another
mailbox. For expanded or forwarded messages, the email address of the
recipient that received final delivery of the message and the email address
of the distribution group or mailbox that was originally addressed are
included.
The Expanded field is provided as an addition to the To, Cc, and Bcc
fields, preceded by a comma. The field displays the SMTP address of the
distribution group that contains either the recipient specified in the To,
Cc, or Bcc field or the nested distribution lists that contain the specified
recipient. The address displayed in this field is always the first
distribution list to be expanded, regardless of how many nested distribution
lists may be between the original parent distribution list and the expanded
final recipient specified in the To, Cc, or Bcc field.
The Forwarded field is also an addition to the To, Cc, and Bcc fields and
is preceded by a comma. Typically, this field displays the email address of
a mailbox configured to forward email messages to the account specified in
the To, Cc, or Bcc field. If a chain of forwarding mailboxes is configured,
where each mailbox forwards messages to the next one, the first forwarding
mailbox is displayed in the Forwarded field, and the SMTP address of the
final, nonforwarding mailbox in the chain is displayed in the To, Cc, or Bcc
field.
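The one-value-per-line layout and the Expanded and Forwarded additions described above can be read with a short line-oriented parser. The following PowerShell function is an added example, not code from the book or from Exchange; the sample body and its contoso.example and fabrikam.example addresses are constructed, and the exact layout (`Field: value` lines, with `, Expanded:` or `, Forwarded:` appended to a To, Cc, or Bcc value) is an assumption based on the field descriptions in this section.

```powershell
# Added example: parse the body of an envelope journal report.
# Assumed layout: one "Field: value" pair per line.
function ConvertFrom-JournalReportBody {
    param([Parameter(Mandatory = $true)][string]$Body)

    $header = @{}       # single-valued fields such as Sender, Subject, Message-ID
    $recipients = @()   # one entry per To, Cc, Bcc or Recipient line
    $recipientPattern = '^(?<addr>[^,\s]+)(?:\s*,\s*(?<via>Expanded|Forwarded):\s*(?<origin>\S+))?$'

    foreach ($line in ($Body -split '\r?\n')) {
        if (-not ($line -match '^\s*(?<field>[A-Za-z-]+):\s*(?<value>.*?)\s*$')) { continue }
        $field = $Matches['field']
        $value = $Matches['value']

        if (@('To', 'Cc', 'Bcc', 'Recipient') -notcontains $field) {
            $header[$field] = $value
        }
        elseif ($value -match $recipientPattern) {
            $recipients += New-Object PSObject -Property @{
                Field           = $field
                Address         = $Matches['addr']     # recipient that received final delivery
                Via             = $Matches['via']      # 'Expanded', 'Forwarded' or $null
                OriginalAddress = $Matches['origin']   # group or mailbox originally addressed
                AddressingKnown = ($field -ne 'Recipient')  # basic Recipient field = not determined
            }
        }
        else {
            Write-Warning "Recipient line not in the assumed layout: $line"
        }
    }

    New-Object PSObject -Property @{
        Sender     = $header['Sender']
        OnBehalfOf = $header['On-Behalf-Of']
        Subject    = $header['Subject']
        MessageId  = $header['Message-ID']
        Recipients = $recipients
    }
}

# Constructed sample report body (not taken from a real system)
$sample = @'
Sender: don@contoso.example
Subject: Q3 figures: draft
Message-ID: <constructed-0001@contoso.example>
To: kim@contoso.example
Cc: lee@contoso.example, Expanded: finance@contoso.example
Bcc: pat@contoso.example, Forwarded: archive@contoso.example
Recipient: outside@fabrikam.example
'@

$report = ConvertFrom-JournalReportBody -Body $sample
$report.Recipients | Format-Table Field, Address, Via, OriginalAddress, AddressingKnown -AutoSize
# List Bcc recipients and recipients whose addressing Exchange could not determine
$report.Recipients | Where-Object { -not $_.AddressingKnown -or $_.Field -eq 'Bcc' }
```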
2.5. Specifying a Journaling Mailbox Storage Quota
The size of a journaling mailbox can affect the delivery and availability
of journal reports. When you configure a journaling mailbox to accept
journal reports, you can decide to configure the maximum size of the
journaling mailbox. You should consider the amount of data the mailbox needs
to store, the hardware resources available, and the disaster recovery
requirements for the server where the journaling mailbox is located. You
must also consider what would occur if a journaling mailbox exceeded its
configured mailbox quota.
You can configure the Prohibit Send And Receive At (MB) option for a
storage quota on a journaling mailbox as you can with any other mailbox. The
mailbox then accepts journal reports until it reaches the configured storage
quota. When the prohibit send and receive storage quota is exceeded, the
journaling mailbox stops accepting journal reports.
If a quota is exceeded, Exchange Server 2010 does not return journal
reports to the original sender as it does with regular messages. It instead
holds undelivered journal reports in a mail queue and tries to redeliver
them until delivery is successful. Although this means that all journal
reports generated are eventually delivered, it can generate excessively
large mail queues on Hub Transport servers, especially in organizations with
high messaging traffic.
Typically, you would configure the prohibit send and receive storage quota
on journaling mailboxes to the maximum size that hardware resources and
disaster recovery capabilities allow. However, if you decide to configure
journaling mailboxes without storage quotas, take care to monitor your
Mailbox servers to ensure that the size of a journaling mailbox does not
exceed the available hardware resources or disaster recovery
capabilities.
You specify a storage quota for a journaling mailbox in the same way as
you do for any other mailbox. Figure 1 shows the Storage Quotas
configuration box available from the Mailbox Settings tab of the Properties
dialog box for the journaling mailbox Book-Authors-Journal with a Prohibit
Send And Receive At (MB) setting of 1,024 (1 GB). Note that if you do not
want to set any storage quotas for a journaling mailbox, which may often be
the case, you need only clear the Use Mailbox Database Defaults check box on
this configuration page.
Alternatively, you can use the Set-Mailbox EMS
cmdlet. The following command configures the Prohibit Send And Receive At
setting for the journaling mailbox Don-Hall-Journal-Mailbox to 500
MB:
Set-Mailbox -Identity "Don-Hall-Journal-Mailbox" -ProhibitSendReceiveQuota 524288000
2.6. Configuring an Alternate Journaling Mailbox
If you do not
want to allow rejected journal reports to collect in an email queue on a Hub
Transport server when the journaling mailbox is unavailable, you can
configure an alternate journaling mailbox to store those journal reports.
The alternate journaling mailbox receives the NDRs generated when the
journaling mailbox or the server on which it is located refuses delivery of
the journal report or becomes unavailable. When the journaling mailbox
becomes available again, you can use the Send Again feature of Microsoft
Office Outlook to submit journal reports for delivery to the journaling
mailbox.
Mailbox databases and journal rules may be configured to deliver journal
reports to different journaling mailboxes. However, if you create an
alternate journaling mailbox, all the journal reports that are rejected or
cannot be delivered in your entire Exchange Server 2010 organization are
delivered to the alternate journaling mailbox. Therefore, you must ensure
that the alternate journaling mailbox and the Mailbox server on which it is
located can support a large volume of journal reports.
It is important to monitor the alternate journaling mailbox to make sure
that it does not become unavailable. You must also ensure that the use of an
alternate journaling mailbox does not violate any laws or regulations that
apply to your organization. If laws or regulations prohibit journal reports
sent to different journaling mailboxes from being stored in the same
alternate journaling mailbox, you may be unable to configure an alternate
journaling mailbox. You need to discuss this with your legal
representatives.
Note:
JOURNAL REPORTS ARE REDIRECTED ONLY AFTER THE ALTERNATE MAILBOX IS CONFIGURED
Journal reports that have already failed delivery before the alternate
journaling mailbox is configured are not redirected.
You can use the Set-TransportConfig EMS cmdlet to
configure an existing mailbox as an alternate journaling mailbox. You will
configure an alternate journaling mailbox in the practice session later in
this lesson.
Note:
You can use the New-Mailbox cmdlet to create a
mailbox for use as an alternate journaling mailbox and then use the
Set-TransportConfig cmdlet to configure it as
an alternate journaling mailbox. You should not attempt to configure a
mailbox you have already configured as a journaling mailbox (using the
New-JournalRule cmdlet) as an alternate
journaling mailbox.
2.7. Protecting Journal Reports
If journaling is configured, the journaling agent generates journal
reports that contain message metadata, and the entire original message is
attached to the journal report. It is important to protect the integrity of
journal reports and the journaling mailbox and protect them from
unauthorized access.
Exchange 2010 protects journal reports sent within an Exchange Server 2010
organization by using secure links between Hub Transport servers and
Mailbox servers. It sends the journal
report as the Exchange recipient object, authenticates the session between
the Hub Transport server and the Mailbox server, and accepts only secure,
authenticated connections. This helps reduce the possibility of tampering
with journal reports delivered to the journaling mailbox.
Also, you must implement access controls that ensure that the journaling
mailbox is protected from unauthorized access. These controls should include
recording and monitoring password changes to journaling mailbox user
accounts, monitoring domain logons by such user accounts, and monitoring
changes to mailbox permissions for journaling mailboxes.
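One way to review the mailbox-permission part of these controls, as an added example rather than code from the book: the script gathers every journaling mailbox referenced by journal rules, by standard journaling on mailbox databases, and by the alternate journaling mailbox setting, then lists explicit permissions held by accounts outside an approved list. The `$approved` entries are placeholders to replace with your own accounts.

```powershell
# Added example; run in the Exchange Management Shell.
# Placeholder allowlist: replace with the accounts your policy approves.
$approved = @('NT AUTHORITY\SELF', 'CONTOSO\Journal-Reviewers')

$findings = @(
    # Premium journaling: mailboxes named in journal rules
    Get-JournalRule | ForEach-Object { "$($_.JournalEmailAddress)" }
    # Standard journaling: journal recipient set on each mailbox database
    Get-MailboxDatabase | ForEach-Object { "$($_.JournalRecipient)" }
    # Alternate journaling mailbox ('<>' means none is configured)
    "$((Get-TransportConfig).JournalingReportNdrTo)"
) | Where-Object { $_ -and $_ -ne '<>' } | Sort-Object -Unique | ForEach-Object {
    $target = $_
    $mbx = Get-Mailbox -Identity $target -ErrorAction SilentlyContinue
    if (-not $mbx) {
        # Contacts and external addresses have no local mailbox permissions to read
        Write-Warning "$target is not a mailbox here (contact or external system)."
        return
    }
    # Explicit allow entries only; inherited entries are not listed
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       ($approved -notcontains "$($_.User)") } |
        Select-Object @{ Name = 'JournalingMailbox'; Expression = { $target } },
                      User, AccessRights
}

$findings | Format-Table -AutoSize
```

An empty result means no account outside the allowlist holds an explicit permission; inherited entries and Active Directory permissions are not covered by this listing.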
If there is a requirement to send journal reports to a recipient that does
not reside in the same Exchange Server 2010 organization as the Hub
Transport server, including recipients residing on another email system
within your organization or to an external email system, the connections
between the two email systems may not be automatically encrypted. However,
you can use the following Exchange Server 2010 solutions to help protect
journal reports sent to the third-party solution providers:
Configure a mail-enabled contact that sends email messages to the
SMTP address of the third-party solution and configure Exchange
Server 2010 to send journal reports to that contact. Configure the
contact to accept journal reports only from an Exchange
recipient.
Accept only email messages from the SMTP address of the Exchange
contact.
Require authentication on the receiving system.
Configure Transport Layer Security (TLS) between the two
systems.