Exchange 2003 POP3 & POP3S Journaling

Document created by user.oxriBaJeN4 Employee on Sep 14, 2015. Last modified by user.oxriBaJeN4 Employee on Mar 27, 2017. Version 4.

This guide details the steps involved in configuring POP3 and POP3S Journaling for Exchange 2003 and the requirements and steps to make it work within the Mimecast ecosystem.

POP3 is NOT supported for Mixed Mode Environments. For more information on Mixed Mode Environments, please see the Journaling in a Mixed Mode Environment article.

In order to enable POP3 and POP3S Journaling in your environment, ensure that the following has been considered:

  1. Journaling needs to be enabled for individual mailbox stores on the Exchange Server.
  2. It's important NOT to enable Journaling for your entire organization at once as this might create too much overhead for your Exchange Server.

 

Create a Journal Definition In Mimecast

 

The first step in configuring POP3 Journaling for Exchange 2003 is to create a Journal Definition within the Administration Console (Adcon) in Mimecast.

 

To accomplish this, do the following:

  1. Sign into the Mimecast Administration Console.
  2. Navigate to Administration | Services | Journaling:
  3. Click on the New Journal Service Definition button:
    journalDef2.png
  4. Under Journal Service Properties in the Description field, enter a relevant name for the definition:
    journalDef3.png
  5. In Transport Type pull-down, select POP3:
    journalDef4A.png
  6. Complete the fields as described below:
    journalDef5A.png
    Field - Description

    • Disabled - Allows journal services to be taken offline without removing the Journal Service Definition. Using the disabled option will result in the journal service being suspended, and any error conditions related to the connection will be reset. This is useful if a journal mailbox is going to be offline for an extended period of time. When the journal mailbox is once again available, be sure to enable activity before removing the check.
      Any changes made to this checkbox are recorded in the event log.
    • Service Email Address - This is the mailbox email address that has been configured for the Journal mailbox.
    • Mailbox Name - The username that Mimecast will use when logging on to the Journal mailbox.
    • Password - This is the Journal mailbox password, which will automatically be hashed out when entered.
    • Hostname/IP Address - The public address of the server where the Journal mailbox is located.
    • Port - Confirm the TCP/IP Port number to be used for the connection to the journal mailbox (either port 110 for POP3 or 995 for POP3S).
    • Journal Type - Specify the Journal type as either Exchange Envelope Journaling (EEJ) or Standard EML.
      Mimecast supports Journaling of emails (EML) in standard MIME format (without the EEJ wrapper), and emails journaled in EEJ format. Standard email (EML) files can only be assigned to mailboxes based on the message headers (which may not be reliable, and do not include BCC recipients). Exchange Envelope Journal emails are the preferred option in terms of accuracy when determining the recipients for an email.
      An additional feature of the Exchange Envelope Journaling service is that it "steps down" to handle incorrectly enveloped messages in an EEJ mailbox. On occasion, journal mailboxes may receive non-envelope journaled emails. These messages would normally cause the journal service to fail. Mimecast auto-detects these malformed messages and absorbs them as normal emails, even though the journal mailbox is set to EEJ.
    • Encrypted - This checkbox is selected by default. Mimecast will only accept Journal messages by Opportunistic TLS. Any other Journal messages will be rejected. Also, the Port Number is set to 995 by default.
    • Encryption Mode - Used with POP3S, and can only be configured by Mimecast Support. By default, Strict mode is selected:
      POP3_Encryption_Mode.png
        • Strict - Trust Enforced: Utilized in conjunction with trusted root certificate authorities
        • Relaxed: Permits encryption with self-signed certificates and other valid certificates which may not have a complete trust chain
    • Detailed Logging - These logs are only available to Mimecast support staff, and are used to troubleshoot failed Journal connections.
    • Journal Non Internal Addresses - When enabled, items processed by the Journal Connector that do not hold any internal addresses will be archived.
    • Journal Unknown Internal Addresses - When enabled, items processed by the Journal Connector that are sent from or sent to unknown internal addresses will be archived.

 

7. Once completed, click Save and Exit:

journalDef7.png

This concludes the steps involved in creating a Journal Definition in Mimecast.
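
The difference between the two Journal Type settings can be seen in code. The following is an added example, not Mimecast's or Microsoft's code: it derives recipients from headers for a plain EML, reads them from the report body for an envelope journal message, and "steps down" to header parsing when the envelope is missing. The `X-MS-Journal-Report` marker check and the simplified `Recipient:` line layout are assumptions, and the sample messages are constructed.

```python
from email.message import EmailMessage
from email.utils import getaddresses

def header_recipients(msg):
    """Standard EML: recipients come from To/Cc headers only, so Bcc is lost."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})

def journal_recipients(msg):
    """Return (mode, recipients). Falls back ("steps down") to header parsing
    when the message is not a well-formed envelope journal report."""
    parts = list(msg.iter_parts())
    report = next((p for p in parts if p.get_content_type() == "text/plain"), None)
    inner = next((p for p in parts if p.get_content_type() == "message/rfc822"), None)
    if "X-MS-Journal-Report" not in msg or report is None or inner is None:
        return "EML", header_recipients(msg)
    rcpts = set()
    for line in report.get_content().splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "recipient" and value.strip():
            rcpts.add(value.strip().lower())
    if not rcpts:  # report body unreadable: use the wrapped message's headers
        return "EML", header_recipients(inner.get_payload(0))
    return "EEJ", sorted(rcpts)

def build_samples():
    """Constructed sample: alice mails bob and Bcc's carol."""
    original = EmailMessage()
    original["From"] = "alice@example.com"
    original["To"] = "bob@example.com"  # carol was Bcc'd, so no header names her
    original["Subject"] = "Q3 numbers"
    original.set_content("Figures attached.")
    report = EmailMessage()
    report["From"] = "postmaster@example.com"
    report["To"] = "mimecastjournal@example.com"
    report["X-MS-Journal-Report"] = ""  # assumed envelope marker header
    report.set_content("Sender: alice@example.com\n"
                       "Recipient: bob@example.com\n"
                       "Recipient: carol@example.com\n")
    report.add_attachment(original)  # original travels as message/rfc822
    return original, report

if __name__ == "__main__":
    original, report = build_samples()
    print(journal_recipients(original))  # plain EML in the journal mailbox
    print(journal_recipients(report))    # envelope journal report
```
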

 

Create New Journaling Mailbox

 

The next step in configuring POP3 Journaling for Exchange 2003 is to create a dedicated Journal mailbox. Emails will be journaled to this mailbox, and the mailbox access details will be configured in Mimecast in order for the emails to be collected and added to the Archive.

You need to create one Journal mailbox for every information store for which you will be enabling Journaling.

To accomplish this, do the following from within your Exchange 2003 environment:

  1. From within your Active Directory server, navigate to Start > Programs > Microsoft Exchange > Active Directory > Users and Computers.
  2. Expand the Domain and right-click the Users node, then select New > User.
  3. Enter the following information into the fields:
    • First Name - mimecast
    • Last Name - journal
    • User Logon Name - mimecastjournal
    • User Logon Name (pre-Windows 2000) - mimecastjournal
  4. Click Next when completed.
  5. Enter the journal password and then:
    • Deselect: "user must change password at next logon"
    • Enable:
      • "user cannot change password"
      • "password never expires"
      • "account will not lockout"
  6. When completed, click Next.
  7. Check Create an Exchange Mailbox.  Then, under Server select a store that resides in a different location than the server the Exchange Mailbox is being created on.
  8. Under Mailbox Store select the user created in step 3 above.
  9. Click Next to continue.
  10. Click Finish to create the new user.

 

This concludes the steps involved in creating a New Journaling Mailbox.

 

Configure the Firewall

 

Configure the firewall to allow and forward traffic bi-directionally. The rule should go from Mimecast to Exchange and from Exchange to Mimecast. You'll need to open either:

  • Port 110 (POP3)
  • Port 995 (POP3S - encrypted communications to the Exchange server containing the Journal mailboxes)

POP3S requires an SSL certificate signed by one of the Mimecast supported root certificate authorities. Please see the Secure Socket Layers (SSL) Certificates article for more information.

Enable the POP3 Service and Virtual Server

 

The next step in this process is to enable the POP3 service.

BEFORE STARTING THIS STEP, PLEASE ENSURE THAT YOU HAVE CREATED THE JOURNAL CONNECTORS IN YOUR MIMECAST ACCOUNT AS DESCRIBED ABOVE.  IF THE JOURNAL CONNECTORS ARE NOT CREATED AND CONNECTIVITY HAS NOT BEEN TESTED, YOU WILL ENCOUNTER ISSUES WITH MAIL BUILD UP IN THE JOURNAL MAILBOXES THAT MIMECAST WILL NOT BE ABLE TO RESOLVE.

To accomplish this, do the following from the Exchange 2003 environment:

  1. Click Start and Run.
  2. Type services.msc and then click OK.
  3. Navigate to Microsoft Exchange POP3 and check the status of the service.
  4. Ensure that it's set to automatic and that the status is Started.

 

Next, enable the POP3 Virtual Server:

  1. Open the Exchange System Manager (ESM) on the relevant Exchange server.
  2. Expand Administrative Groups.
  3. Expand First Administrative Group (or the relevant group if it has been renamed or if multiple groups exist).
  4. Expand Protocols then expand POP3.
  5. Check that the POP3 Virtual Server does not have a red cross over it. If there is a red cross present, this means that the POP3 Virtual Server is disabled.
  6. To enable the POP3 Virtual Server, right-click on the virtual server and select Enable.
  7. Expand First Storage Group (or the relevant group if it has been renamed or if there are multiple groups).
  8. Right-click on the relevant mailbox store and select Properties.
  9. Check the Archive all messages sent or received by mailboxes on this store option.
  10. Click on the Browse option, and select the name of the user account/mailbox that has been created previously as the Journal mailbox.
  11. Click OK

    It is important not to enable Journaling on the Exchange message store before you have tested and confirmed that Mimecast can connect and successfully extract messages.  Otherwise, messages may build up in the Journal mailbox, which can lead to degradation in the performance of your Exchange Server.

This concludes the steps involved in enabling the POP3 service and virtual server.

 

Next, move on to the Enable Envelope Journaling section of this article.

 

Configuring POP3S

 

Mimecast can connect to your Microsoft Exchange Journal mailbox using secure POP3 (POP3S) in order to extract the internal Journaled messages. POP3S first needs to be enabled on the domain controller. Please see the steps in the Obtain and install SSL certificates - Exchange 2003 article for guidance on how to install an SSL certificate on the server.

Once the certificate has been installed on the server, you need to bind it to the POP3 virtual server.

  1. Open the Exchange System Manager.
  2. In the left pane, expand the appropriate Administrative Groups container.
  3. Expand the Servers container then expand the target server.
  4. Expand Protocols then expand POP3.
  5. Right-click Default POP3 Virtual Server and select Properties from the drop-down list.
  6. Select the General tab, and choose an IP address to bind the POP3 service to, or choose (All Unassigned). If you want to change the default port number used by this POP3 virtual server, click the Advanced button and enter those ports. If required, limit concurrent connections and time-out time in minutes.
  7. Click Authentication to set the authentication method for this POP3 virtual server. If desired, require SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption to prevent network sniffing of credentials and message content:

    POP3S_Authentication.png

  8. To enable SSL for POP3 clients (Mimecast), click Certificate and step through the Web Server Certificate Wizard:

    POP3S_Authentication.png
    Once the server has been configured to use an SSL certificate, you can set the requirement for all communication for this virtual server to take place on SSL.

  9. Click on the Communication button in the Secure communication frame:

    POP3S_Communication.png

  10. Put a check mark in both the Require secure channel and Require 128-bit encryption checkboxes. This option forces the POP3 client to negotiate a secure TLS connection before any credentials or data is transferred between the POP3 client and server.
  11. Click the OK button.

 

This concludes the steps involved in configuring POP3S.
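
To confirm the POP3S listener before journaling is switched on for a store, the following added example (not Mimecast's or Microsoft's code) connects to port 995 from an outside host, validates the certificate as a Strict-mode client would, logs in to the journal mailbox and reports how many messages are waiting. Mapping Relaxed mode to an unverified TLS context is an assumption, as is the host name passed on the command line.

```python
import poplib
import ssl

def tls_context(mode="strict"):
    """Strict: trusted CA chain and hostname match. Relaxed (assumed mapping):
    encrypt, but accept self-signed certificates or incomplete chains."""
    ctx = ssl.create_default_context()
    if mode == "relaxed":
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    elif mode != "strict":
        raise ValueError("mode must be 'strict' or 'relaxed'")
    return ctx

def probe_pop3s(host, user, password, port=995, mode="strict", timeout=10):
    """Connect, log in and STAT the journal mailbox; report the failing stage."""
    try:
        conn = poplib.POP3_SSL(host, port, timeout=timeout,
                               context=tls_context(mode))
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate or hostname mismatch
        return {"ok": False, "stage": "certificate", "detail": exc.verify_message}
    except (OSError, poplib.error_proto) as exc:
        # Firewall drop, refused connection, or no POP3 greeting
        return {"ok": False, "stage": "connect", "detail": str(exc)}
    try:
        conn.user(user)
        conn.pass_(password)
        count, size = conn.stat()  # a growing count means mail is building up
        return {"ok": True, "stage": "stat", "messages": count,
                "bytes": size, "tls": conn.sock.version()}
    except poplib.error_proto as exc:
        return {"ok": False, "stage": "login", "detail": str(exc)}
    finally:
        conn.close()  # nothing was deleted, so no QUIT/UPDATE is needed

if __name__ == "__main__":
    import getpass
    import sys
    # Usage: python probe_pop3s.py <public host name of the POP3S server>
    print(probe_pop3s(sys.argv[1], "mimecastjournal", getpass.getpass()))
```

A `certificate` failure in strict mode that disappears in relaxed mode points at the trust chain or the host name on the certificate rather than at the firewall or the account.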

 

Next, move on to the Enable Envelope Journaling section of this article.

 

Enable Envelope Journaling

 

You're almost there. Lastly you'll need to enable Envelope Journaling from the Exchange 2003 environment.

 

To accomplish this, do the following from within Exchange 2003:

  1. Download the E-Mail Journaling Advanced Configuration tool (exejcfg.exe) from the Microsoft website.
    This tool can be executed from any server with access to Active Directory, but it's recommended to run it from a Domain Controller.
  2. Unzip the exejcfg.exe executable to a directory of your choice.
  3. Open a command prompt.
  4. Navigate to the folder in which you placed exejcfg.exe.
  5. To enable envelope journaling, type exejcfg.exe -e and press Enter.
  6. To ensure Journaling has been enabled, in the command prompt, type exejcfg -l
    The output will be something similar to:

    HT_Enable_Journal_2000_Output.png

This concludes the Envelope Journaling configuration process.

 

Verify Exchange 2003 POP3 or POP3S Journaling

 

Now that all the Envelope Journaling configuration is complete, it's time to verify that the connections are working.

 

To accomplish this, do the following from the Mimecast Administration Console:

  1. Log into the Mimecast Administration Console.
  2. Navigate to Administration | Services | Journaling:
  3. Note the Service Status of the Journaling connector:

    journalVerify1.png

    Service Status (Icon) - Description
    • Service Awaiting Initial Run (Pending.gif) - On initial configuration, the status icons for SMTP journal connectors will be orange, with a service status of Service Awaiting Initial Run
    • Service OK (Successful.gif) - Once the first message is received by the connector, the icon will change, and the status updated to Service Enabled
    • Service Error (Failed.gif) - If Mimecast cannot connect to the Journal connector and retrieve emails, the status will change to Service Error

    If the connector configuration is not successful, please see the Troubleshooting Journaling article.
  4. View the current list of Journaling items by clicking the Queue Details button:
    journalVerify2.png
    For Exchange Envelope Journal Format (EJF), the actual recipient is displayed as the sender and the journal address as the recipient.

Now that journaling has been configured and is working for Exchange 2003 POP3, you can move on to step 5 in the connect process: Connect
