Configuring Office 365 Journaling

Document created by user.oxriBaJeN4 Employee on Sep 14, 2015. Last modified by user.Yo2IBgvWqr on Oct 6, 2017.
Version 30

For more information on Office 365 plans that support Journaling, read this Microsoft TechNet article: Exchange Online Service Description | Office 365 Service Descriptions. It describes the Exchange Online Protection (EOP) security feature set most commonly provided with Office 365, which has replaced legacy FOPE services. At this time, Microsoft does not support self email journaling (journaling from yourself to yourself).

Typically, Journaling is configured after Recipient Validation options are considered. See the Mimecast Connect article for further details.

 

If your Mimecast subscription includes the Journaling feature, and your service was provisioned after the 26th March 2015, you will find a Journal Connector has already been created for you, including an internal journal domain and journal address.

  • The Journal Domain is automatically created as journal.domain.com, where domain.com is the domain your organization provided as your primary mail domain.
  • The Journal Contact is automatically created as journaling@journal.domain.com. Use this address as the mail attribute for the external contact you create in Exchange to send journal messages to.

If your Mimecast service was provisioned before 26th March 2015, or you want to add an additional journal connector, you will need to manually add a journal domain, journal address, and journal connector as detailed below. This is likely if you are configuring journaling in a hybrid Office 365 and On-Premises environment. In such instances, you may require two journal connectors or journal sub-domains.

Create a Journal Definition In Mimecast

 

The first step in configuring Journaling is to create a Journal Definition in the Administration Console.

  1. Log on to the Administration Console.
  2. Select the Administration | Services | Journaling menu item.
  3. Click on the New Journal Service Definition button.
  4. Complete the Journal Service Properties section as follows:

    Field / Option | Description
    Description | Enter a name for the definition.
    Transport Type | Select the SMTP option in the drop down.
    Disabled | Leave this option unchecked. If it is checked, the definition is not active.
  5. Complete the Connection Properties section as follows:

    Field / Option | Description

    Service Email Address

    Enter a Service Email Address using the format journaling@journal.domain.com (where domain.com is the primary SMTP domain).

    This is used throughout the rest of the journal configuration process.

    Additional Source IP Ranges

    Enter the IP addresses from which Mimecast will receive journaled messages. These are typically the external IPs of the Transport Service in the environment. IP addresses are expected with a CIDR mask, so ranges can be added in a single line. The proper syntax for a single address is /32.

    For journaling from Office 365 accounts, you will need to contact Mimecast Support to add the Office 365 IP ranges to your account.

    Authorized Outbound IP addresses are automatically allowed, therefore this field can be left blank. This also applies to hosted environments sharing IP addresses or ranges.

    Disabled

    Allows journal services to be taken offline without removing the Journal Service Definition. Using the disabled option will result in the journal service being suspended, and any error conditions related to the connection will be reset. This is useful if a journal mailbox is going to be offline for an extended period of time. When the journal mailbox is once again available, be sure to enable activity before removing the check.

    Any changes made to this checkbox are recorded in the event log.

    Use SMTP Authentication

    Can be enabled for enhanced security features. Once checked, this produces an additional field where a password should be entered. This password, along with the journal email address will be used as the SMTP-AUTH credentials.

    In order to make use of the authentication option, an SMTP Send Connector is required on the Exchange server for SMTP Journaling.

    Initial Process Delay | Advanced configuration option that should be left at its default value (default = 0), unless working on a Journaling issue with Mimecast Support. Determines the time to wait before attempting to match a message to the archive.
    Delivery Wait Attempts | Advanced configuration option that should be left at its default value (default = 3), unless working on a Journaling issue with Mimecast Support. Determines the number of tries the system attempts to match a message before it is archived.
    Period of Inactivity Allowed | Defines how long the SMTP connector is allowed to be inactive without receiving any messages, before it is reported as being "down" (default = 180 minutes). Consider the setting carefully according to your Exchange Server environment. For example, if you operate in an environment with low email volumes, the connector is likely to handle a small Exchange database. Therefore, you can set this value much higher than the default to cater for quiet periods (e.g. overnight) and/or smaller email databases.
    Journal Type

    Specify the Journal type as either Exchange Envelope Journaling (EEJ) or Standard EML.

    Mimecast supports Journaling of emails (EML) in standard MIME format (without the EEJ wrapper), and emails journaled in EEJ format. Standard email (EML) files can only be assigned to mailboxes based on the message headers (which may not be reliable, and do not include BCC recipients). Exchange Envelope Journal emails are the preferred option in terms of accuracy when determining the recipients for an email.

     

    An additional feature of the Exchange Envelope Journaling service is that it “steps down” to handle incorrectly enveloped messages in an EEJ mailbox. On occasions, journal mailboxes may receive non-envelope journaled emails. These messages would normally cause the journal service to fail. Mimecast auto-detects these malformed messages and absorbs them as normal emails, even though the journal mailbox is set to EEJ.

    Encrypted | This option is selected by default, but is not required. If checked, Mimecast will only accept Journal messages over TLS. Journal messages not sent over TLS will be rejected.
    Prefer Clear Text Version | Enable this option for Active Directory Rights Management Services protected journal items.
    Journal Non Internal Addresses | When enabled, items processed by the Journal Connector that do not hold any internal addresses will be archived.
    Journal Unknown Internal Addresses | When enabled, items processed by the Journal Connector that are sent from or sent to unknown internal addresses will be archived.
  6. Click the Save and Exit button. The journal definition is created.
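The Journal Type option above explains why envelope journaling is more accurate than plain EML and how malformed items are "stepped down". As an added illustration (not Mimecast's or Microsoft's code), this Python sketch resolves recipients both ways. The envelope body layout (Sender/To/Bcc lines followed by the original message as a message/rfc822 attachment) and all addresses are assumptions constructed for the example.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Envelope body fields that name recipients (assumed layout, see lead-in).
ENVELOPE_FIELDS = ("to", "cc", "bcc", "recipient")

def header_recipients(msg):
    """Recipients visible in To/Cc headers: all that a plain EML can offer."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}

def journal_recipients(raw):
    """Return (mode, recipients); fall back to headers when no envelope exists."""
    msg = message_from_string(raw, policy=policy.default)
    inner = next((p for p in msg.walk()
                  if p.get_content_type() == "message/rfc822"), None)
    body = msg.get_body(preferencelist=("plain",))
    if inner is None or body is None:
        return "eml", header_recipients(msg)      # step-down path
    found = set()
    for line in body.get_content().splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() in ENVELOPE_FIELDS:
            addr = value.split(",")[0].strip().lower()  # drop trailing notes
            if addr:
                found.add(addr)
    return "eej", found

def build_samples():
    """Constructed sample: one original mail and the journal report wrapping it."""
    original = EmailMessage()
    original["From"] = "alice@domain.com"
    original["To"] = "bob@domain.com"          # the Bcc never appears in headers
    original["Subject"] = "Q3 numbers"
    original.set_content("Figures attached.")
    report = EmailMessage()
    report["From"] = "journal-ndr@domain.com"
    report["To"] = "journaling@journal.domain.com"
    report["Subject"] = "Q3 numbers"
    report.set_content("Sender: alice@domain.com\nSubject: Q3 numbers\n"
                       "Message-Id: <1@domain.com>\nTo: bob@domain.com\n"
                       "Bcc: carol@domain.com\n")
    report.add_attachment(original)
    return report.as_string(), original.as_string()

if __name__ == "__main__":
    report, original = build_samples()
    print(journal_recipients(report))
    print(journal_recipients(original))
```

The BCC recipient is recovered only from the envelope report; the same mail handled as plain EML yields the To header alone.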


 

Configure Journaling Sub Domain in Mimecast

This step is not required when setting up Office 365 in a hybrid environment, if you've previously set up a journal sub-domain and journal connector. Only one journal connector is required on the Mimecast side, and both the On-Premises server and O365 can be configured to send journal messages to the same email address (e.g. journaling@journal.domain.com where domain.com is the primary SMTP domain).

With the journal.domain.com email address set in Mimecast, you'll need to add the journal sub domain as well. To accomplish this:

  1. Click on the Administration | Directories | Internal Directories menu item.
  2. Click the Register New Domain button from the top of the page. This displays a 3 stage wizard process.
  3. Review the information displayed, then type the name of the new Domain in the appropriate field.
  4. Click the Get Verification Code button to. This concludes the steps involved in creating the Journal Sub Domain in Mimecast.
    You'll notice that step 2 is skipped because your parent domain already exists.

If you need to edit the sub domain, see the Email Domains page for further details.

 

Configure an External Contact in Office 365

 

  1. In the Exchange Admin Center, navigate to the Recipients | Contacts menu.

  2. Click the + icon to create a new contact.
  3. Complete the values on the form.
  4. Select Save.
    Ensure that the External Email Address for your contact matches the address used in the Mimecast Journal connection.

Configure the Office 365 Send Connector

Mimecast has observed that this process can only be successfully completed using Internet Explorer due to an issue with the controls used in the final validation step.

  1. In the Exchange Admin Center, select the Mail Flow | Connectors menu item and create a new connector.
  2. Complete the dialog as follows:

    Field / Option | Description
    From | Select the "Office 365" option from the drop down list.
    To | Select the "Partner Organization" option from the drop down list.
  3. Click the Next button to display the New Connector dialog.
  4. Complete the New Connector dialog as follows:

    Field / Option | Description
    Name | Provide a name for the Connector (e.g. Office 365 to Mimecast).
    Description | Optionally, provide a description for the Connector. Whilst this is not compulsory, it is good practice to do so.
    Turn It On | If this option is checked, the connector is enabled and active.
  5. Click the Next button.
  6. Ensure the Only when email messages are sent to these domains option is selected.
  7. Click the Plus Icon to add the recipient domains that should use this connector.
  8. In the Add Domain dialog, enter the domain of the external contact you created for this journal connection.
  9. Click the OK button to return to the New Connector dialog.
  10. Ensure the Route email through these smart hosts option is selected.
  11. Click the Plus Icon to add the smart hosts that should use this connector.
  12. Add the smart hosts from the table below for the region where your Mimecast service is hosted.

    Region | Hostname
    North America | us-smtp-journal-1.mimecast.com
    North America | us-smtp-journal-2.mimecast.com
    Europe and Australia | eu-smtp-journal-1.mimecast.com
    Europe and Australia | eu-smtp-journal-2.mimecast.com
    South Africa | za-smtp-journal-1.mimecast.co.za
    South Africa | za-smtp-journal-2.mimecast.co.za
    Australia | au-smtp-journal-1.mimecast.com
    Australia | au-smtp-journal-2.mimecast.com
    Off Shore | je-smtp-journal-1.mimecast-offshore.com
    Off Shore | je-smtp-journal-2.mimecast-offshore.com

  13. Click the Save button to return to the New Connector dialog.
  14. Click the Next button.
  15. Ensure the following options are checked:
    • Always use Transport Layer Security (TLS) to secure the connection
    • Issued by a trusted certificate authority (CA)
  16. Click the Next button. The connector's details are displayed.
  17. Click the Plus Icon to add an email address of a recipient from a domain external to your organization.
  18. Click the Validate button.
  19. Disregard any errors in the validation and click the Save button.

 

Create the Office 365 Journal Rule

 

Before you can create a Journal rule in Exchange Online, you must specify the alternate journaling recipient for undeliverable journal reports. If a journal report can’t be delivered to the journaling mailbox specified in a journal rule, it is queued in Exchange Online for some time. If the condition persists for a longer period and queued journal reports can’t be delivered to the Journaling mailbox, they’re delivered to the alternate journaling recipient.

Journal Rule

 

To specify an alternate Journaling recipient for undeliverable journal reports:

  1. Click the Compliance Management left hand menu item in the Exchange Admin Center.
  2. Click the Journal Rules link in the toolbar.
  3. Click the Select Address link. The Non-Delivery Reports popup dialog is displayed.
  4. Click the Browse button to display your list of users in another popup dialog.
  5. Select the required User.
    Microsoft recommends you specify a dedicated email address, because the specified email address will not have its own mail journaled. The specified email address is also used as the From address when O365 journals the messages to Mimecast. Therefore it needs to be an email address in the customer's domain. Failure to do this results in a rejection.
  6. Click the OK button to return to the Non-Delivery Reports popup dialog.
  7. Click the Save button.

 

Following on from above, to create a journal rule:

  1. Click the  icon to display the New Journal Rule dialog.
  2. Complete the dialog as follows:

    Field / Option | Description
    *Send Journal Reports | Enter the email address of your journal contact. This address will receive the journal reports.
    Name | Enter a name for the journal rule.
    *If the Message is Sent to or Received From | Select the "Apply to all Messages" option from the drop down.
    *Journal the Following Messages | Select the "All Messages" option from the drop down.
  3. Click the Save button.

 

Verify Office 365 Premium Journaling

 

Once your journaling configuration is complete, you can verify that the connections are working. To accomplish this, do the following:

  1. Log on to the Administration Console.
  2. Select the Administration | Services | Journaling menu item.
  3. Note the Service Status of the Journaling connector:

    Icon | Service Status | Description
    Pending.gif | Service Awaiting Initial Run | On initial configuration, the status icons for SMTP journal connectors will be orange, with a service status of Service Awaiting Initial Run.
    Successful.gif | Service OK | Once the first message is received by the connector, the icon will change, and the status updated to Service Enabled.
    Failed.gif | Service Error | If Mimecast cannot connect to the Journal connector and retrieve emails, the status will change to Service Error.

    If the connector configuration is not successful, see the Troubleshooting Journaling article.
  4. View the current list of Journaling items by clicking the Queue Details button.
For Exchange Envelope Journal Format (EJF), the actual recipient is displayed as the sender and the journal address as the recipient.

Now that journaling has been configured and is working for Office 365, you can move on to step 5 in the connect process: Connect.
