Penetration Testing mailing list archives
Re: [PEN-TEST] archiving exchange workgroup mail
From: martin <m () RL206 ORG>
Date: Wed, 6 Dec 2000 18:10:52 -0600
Shamefully, I learned how to do this while teaching exchange courses. There is a not commonly known feature called message journaling, which enables _all_ mail on an exchange box to be logged to a specified mailbox. This works by modifying the message flow to force all messages to pass through the exchange MTA component, and capturing all of these messages (under normal circumstances, mail delivered between users on the same server does not pass through the MTA, only the information store). The only way to do this (on 5.5, anyway) is by adding registry entries, and setting a mailbox to receive. The following is sourced "roughly" from an exchange text:

1. Launch the admin program in raw mode (admin /r), and observe the raw properties of the target mailbox for archived mail. In the "Object Attributes" box, select Obj-Dist-Name, and record the X500 DN (distinguished name) of the object.

2. In regedit, open hkey_local_machine\system\currentcontrolset\services\msexchangemta\parameters. Add a string value named "Journal Recipient Name". Set the value of the string to the DN of the object observed in the admin program (target mbox). Create a dword value (in the same key) called "Per-Site Journal Required". For org level journalling, set the value to 0; for site level, set it to 1.

3. (This is where message flow is modified.) Open hkey_local_machine\system\currentcontrolset\services\msexchangeis\parameterssystem. Add a dword value named "No Local Delivery". Set this value to 1. Open hkey_local_machine\system\currentcontrolset\services\msexchangeimc\parameters. Add a dword value named "ReRouteViaStore". Set this value to 1.

This will intercept all messages on the target, including internet in/out (provided clients are using the exchange smtp) and local (between exchange connectors, MTAs, and local between mailboxes on the same information store).

Hope this helps.

-m.
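Added example, not part of martin's message: a Python check for auditors that reads a REGEDIT4-format export of a server's registry and reports whether the journaling values named in the message are set, and to which mailbox DN. The sample export, including the organization, site and mailbox names, is constructed for illustration.

```python
import re
# Value names from the message, grouped by key (compared case-insensitively).
BASE = r"hkey_local_machine\system\currentcontrolset\services"
WATCHED = {
    BASE + r"\msexchangemta\parameters": {"journal recipient name", "per-site journal required"},
    BASE + r"\msexchangeis\parameterssystem": {"no local delivery"},
    BASE + r"\msexchangeimc\parameters": {"rerouteviastore"},
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_value(raw):
    """Decode a REGEDIT4 value: dword:XXXXXXXX or a quoted, backslash-escaped string."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw  # other types (hex:...) are kept as text

def find_journaling(reg_text):
    """Return {value name: data} for the watched values present in an export."""
    found, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif (m := VAL_RE.match(line)) and m.group(1).lower() in WATCHED.get(key, ()):
            found[m.group(1).lower()] = parse_value(m.group(2))
    return found

def assess(found):
    """Summarise the findings using the meanings given in the message."""
    rerouted = found.get("no local delivery") == 1 and found.get("rerouteviastore") == 1
    return {
        "recipient": found.get("journal recipient name"),
        "scope": {0: "organization", 1: "site"}.get(found.get("per-site journal required")),
        "all_mail_rerouted": rerouted,
        "journaling_configured": bool(found.get("journal recipient name")) and rerouted,
    }

# Constructed sample export; the organization, site and mailbox names are made up.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeMTA\Parameters]
"Journal Recipient Name"="/o=ExampleOrg/ou=ExampleSite/cn=Recipients/cn=JournalArchive"
"Per-Site Journal Required"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
"No Local Delivery"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters]
"ReRouteViaStore"=dword:00000001
'''
```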