Penetration Testing mailing list archives
Re: [PEN-TEST] archiving exchange workgroup mail
From: Glenn Pearl <glennp () BROOKE-STAFFING COM>
Date: Sat, 9 Dec 2000 19:24:46 -0600
Unfortunately not.

Additionally, you'll need to have some way to keep your journal mailbox archived. Otherwise, it will quickly eat up all of your disk space. We autoarchive through Outlook to a .pst, then .zip it to CDR.

There's an Exchange Mailbox Manager that came with SP3 (I think) that works on the server end, but I don't think it's any more configurable than journalling. Haven't looked at it in detail as yet.

Glenn Pearl

-----Original Message-----
From: Riley, Steven (Security) [SMTP:steven.riley () WCOM CO UK]
Sent: Thursday, December 07, 2000 3:04 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] archiving exchange workgroup mail

Is it possible to journal a single user's Mailbox?

Steve

-----Original Message-----
From: martin [mailto:m () RL206 ORG]
Sent: 07 December 2000 00:11
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] archiving exchange workgroup mail

Shamefully, I learned how to do this while teaching exchange courses.

There is a not commonly known feature called message journaling, which enables _all_ mail on an exchange box to be logged to a specified mailbox. This works by modifying the message flow to force all messages to pass through the exchange MTA component, and capturing all of these messages (under normal circumstances, mail delivered between users on the same server does not pass through the MTA, only the information store).

The only way to do this (on 5.5, anyway) is by adding registry entries, and setting a mailbox to receive.

The following is sourced "roughly" from an exchange text:

1. Launch the admin program in raw mode (admin /r), and observe the raw properties of the target mailbox for archived mail. In the "Object Attributes" box, select Obj-Dist-Name, and record the X500 DN (distinguished name) of the object.

2. In regedit, open hkey_local_machine\system\currentcontrolset\services\msexchangemta\parameters. Add a string value named "Journal Recipient Name". Set the value of the string to the DN of the object observed in the admin program (target mbox). Create a dword value (in the same key) called "Per-Site Journal Required". For org level journalling, set the value to 0, for site level, set it to 1.

3. (This is where message flow is modified.) Open hkey_local_machine\system\currentcontrolset\services\msexchangeis\parameterssystem. Add a dword value named "No Local Delivery". Set this value to 1.
   Open hkey_local_machine\system\currentcontrolset\services\msexchangeimc\parameters. Add a dword value named "ReRouteViaStore". Set this value to 1.

This will intercept all messages on the target, including internet in/out (provided clients are using the exchange smtp) and local (between exchange connectors, MTA's, and local between mailboxes on the same information store).

Hope this helps.

-m.

--
This communication contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any distribution, copying or use of this communication or the information in it is strictly prohibited. If you have received this communication in error, please notify the sender immediately and then destroy any copies of it.
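
Added example, not part of the thread and not code posted by any participant: a Python check that reads a regedit text export from an Exchange server and reports whether the journaling values listed in martin's message are set and which mailbox DN receives the copies. The key paths and value names are the ones in the message; the REGEDIT4 sample export, its placeholder DN and the function names are constructed for illustration.

```python
import re

# Key paths and value names as written in the message above; matched case-insensitively.
SVC = r"hkey_local_machine\system\currentcontrolset\services"
MTA = SVC + r"\msexchangemta\parameters"
IS = SVC + r"\msexchangeis\parameterssystem"
IMC = SVC + r"\msexchangeimc\parameters"

# Constructed sample export (REGEDIT4 text); the DN is a placeholder.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeMTA\Parameters]
"Journal Recipient Name"="/o=ExampleOrg/ou=ExampleSite/cn=Recipients/cn=JournalBox"
"Per-Site Journal Required"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
"No Local Delivery"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters]
"RerouteViaStore"=dword:00000000
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Return {key_path: {value_name: str or int}} with lower-cased names."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, raw = m.group(1).lower(), m.group(2).strip()
            if raw.lower().startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return keys

def journaling_state(text):
    """Summarise the journaling settings found in an export."""
    keys = parse_reg(text)
    mta = keys.get(MTA, {})
    recipient = mta.get("journal recipient name")
    local = keys.get(IS, {}).get("no local delivery") == 1
    imc = keys.get(IMC, {}).get("rerouteviastore") == 1
    return {
        "recipient": recipient,  # DN of the mailbox receiving copies, if any
        "scope": {0: "organization", 1: "site"}.get(mta.get("per-site journal required")),
        "local_mail_forced_through_mta": local,
        "imc_rerouted_via_store": imc,
        "all_mail_journaled": bool(recipient) and local and imc,
    }
```

Calling journaling_state() on an export taken during a review shows at a glance whether a journal recipient is configured and whether local and Internet mail are both being routed into it.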