Penetration Testing mailing list archives

Re: [PEN-TEST] archiving exchange workgroup mail


From: martin <m () RL206 ORG>
Date: Wed, 6 Dec 2000 18:10:52 -0600

Shamefully, I learned how to do this while
teaching Exchange courses.

There is a not commonly known feature called
message journaling, which enables
_all_ mail on an Exchange box to be logged to
a specified mailbox. This works by modifying
the message flow to force all messages to pass
through the Exchange MTA component, and capturing
all of these messages (under normal circumstances,
mail delivered between users on the same server
does not pass through the MTA, only the information
store).

The only way to do this (on 5.5, anyway) is by adding
registry entries and setting a mailbox to receive.
The following is sourced "roughly" from an Exchange
text:

1. Launch the admin program in raw mode (admin /r),
and observe the raw properties of the target mailbox
for archived mail. In the "Object Attributes" box, select
Obj-Dist-Name, and record the X500 DN (distinguished name)
of the object.

2. In regedit, open
hkey_local_machine\system\currentcontrolset\services\msexchangemta\parameters.
Add a string value named "Journal Recipient Name".
Set the value of the string to the DN of the object
observed in the admin program (target mbox).
Create a dword value (in the same key) called
"Per-Site Journal Required". For org-level journalling,
set the value to 0; for site-level, set it to 1.

3. (This is where message flow is modified.)
Open
hkey_local_machine\system\currentcontrolset\services\msexchangeis\parameterssystem.
Add a dword value named "No Local Delivery". Set this
value to 1.

Open
hkey_local_machine\system\currentcontrolset\services\msexchangeimc\parameters.
Add a dword value named "ReRouteViaStore". Set this
value to 1.

This will intercept all messages on the target, including
Internet in/out (provided clients are using the Exchange SMTP)
and local (between Exchange connectors, MTAs, and locally between
mailboxes on the same information store).

Hope this helps.

-m.
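The three steps above leave a recognisable footprint in the registry, so an administrator can check for them on a server where journaling was not deliberately set up. The following is an added example, not code from the post: a Python audit that parses a REGEDIT4 export (a constructed sample is embedded; its recipient DN is a placeholder) and reports which of the journaling values named in the post are present and whether the complete configuration (recipient DN plus both message-flow changes) is in place.

```python
import re
# Constructed sample of a REGEDIT4 export; the DN is a placeholder, not a real object.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeMTA\Parameters]
"Journal Recipient Name"="/o=ExampleOrg/ou=ExampleSite/cn=Recipients/cn=journal"
"Per-Site Journal Required"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
"No Local Delivery"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters]
"ReRouteViaStore"=dword:00000001
"""
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# (subkey, value name) pairs exactly as named in the post.
WATCH = [
    (r"MSExchangeMTA\Parameters", "Journal Recipient Name"),
    (r"MSExchangeMTA\Parameters", "Per-Site Journal Required"),
    (r"MSExchangeIS\ParametersSystem", "No Local Delivery"),
    (r"MSExchangeIMC\Parameters", "ReRouteViaStore"),
]
_KEY = re.compile(r"^\[(.+)\]$")
_SZ = re.compile(r'^"([^"]+)"="(.*)"$')
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Map key path -> {value name: value} for REG_SZ/REG_DWORD lines (names lowercased,
    since the registry compares them case-insensitively)."""
    out, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY.match(line):
            key = m.group(1).lower()
            out.setdefault(key, {})
        elif key and (m := _DWORD.match(line)):
            out[key][m.group(1).lower()] = int(m.group(2), 16)
        elif key and (m := _SZ.match(line)):
            out[key][m.group(1).lower()] = m.group(2)
    return out

def audit_journaling(text):
    """Return (journaling values present, True when the post's full setup is in place:
    a recipient DN set and both message-flow changes switched on)."""
    reg, present = parse_reg(text), {}
    for subkey, name in WATCH:
        val = reg.get((SVC + "\\" + subkey).lower(), {}).get(name.lower())
        if val is not None:
            present[name] = val
    full = (bool(present.get("Journal Recipient Name"))
            and present.get("No Local Delivery") == 1
            and present.get("ReRouteViaStore") == 1)
    return present, full
```

Run it against a real export (regedit's Export, REGEDIT4 or REG_SZ/DWORD lines of a newer export) by passing the file contents to audit_journaling; a "Journal Recipient Name" nobody remembers creating is the finding worth chasing.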

