Introducing Journaling

Although you may not have any explicit applicable regulatory language that forces you to implement journaling, it can often be one of the easier ways to meet what requirements you do have. As compliance becomes more of an issue, the ability to quickly and easily put your hands on complete and accurate records of messaging communications will become critical.

Legacy Exchange offered rudimentary journaling; Exchange 2003 offered the ability to do envelope journaling, which finally captured sufficient information to be of general use. The base journaling mechanism used by Exchange 2007 is envelope journaling, which captures all recipient information (even Bcc: headers and forwards). However, you have two options for journaling:

• Standard journaling (per-mailbox database journaling) uses the Journaling agent on HT servers to journal all messages sent to and from recipients and senders whose mailboxes are homed on specified mailbox databases. also called per-mailbox database journaling.

• Premium journaling (per-recipient journaling) also uses the Journaling agent on HT servers, but it's more granular. It offers you the ability to design journaling rules for groups or even specific users if need be.

Implementing Journaling

The Journaling agent, present on your Hub Transport servers, is responsible for detecting whether a given message falls under your journaling rules. When you use standard journaling, you enable it for an entire mailbox database. Any messages sent to or by recipients whose mailboxes are located on a journal-enabled database will be detected by the Journaling agent and copies will be sent to a designated journal recipient . This journal recipient can be another recipient in the Exchange organization - if it is an Exchange mailbox it must be dedicated to the purpose - or an SMTP address on another messaging system.

When you use Premium journaling, you create journal rules that define a subset of the recipients in your organization. The Journaling agent on the Hub Transport server detects that the rule matches a given messages and again sends a copy of the message to the journal recipient.

Journaling rules can have three scopes, which helps the Journaling agent decide whether or not it needs to examine a given message:

• The Internal scope matches messages where all senders and recipients are members of the Exchange organization.

• The External scope matches messages where at least one sender or recipient is an external entity.

• The Global scope matches all messages, even those that may have already been matched by the other scopes.

If you are using an internal mailbox as your journaling recipient, you should be aware that it may collect a large amount of traffic. While you can use the same mailbox for all journal reports generated in your organization, you may need to create multiple mailboxes to control mailbox size and ensure that your backup windows can be maintained . These mailboxes should be kept very secure and safe from everyday access because they may one day be material evidence in the event that your business is sued or must prove compliance to auditors .

To guard against the loss of journaling reports in the event of trouble within your Exchange organization, you can designate an alternate journaling mailbox . This mailbox will receive any non-delivery reports that are issued if your journaling recipient cannot be delivered to. Unfortunately, you get to configure a single alternate mailbox for your entire organization. Not only can this cause performance and mailbox size issues, your local regulations may prevent you from mixing multiple types of journal information in one mailbox.

Reading Journal Reports

The journaling process creates a special Exchange message known as the journal report .This message is essentially a wrapper that contains a summary of the original message properties. It also contains a pristine copy of the original message that generated the report, neatly attached to the report. The reports are designed to be human and machine readable, allowing you to automate processing of journal reports via a third-party application as well as perform manual checks on the data.

Table 13.1 shows the fields that Exchange 2007 places in the journal report.

Table 13.1: Exchange 2007 Journal Report Fields
Open table as spreadsheet

Field	What It Contains
To	The SMTP address of a recipient in the To header or the SMTP envelope recipient. If the message was sent through a distribution list, this field contains the Expanded field. If the message was forwarded, this field contains the Forwarded field.
Cc	The SMTP address of a recipient in the Cc header or the SMTP envelope recipient. If the message was sent through a distribution list, this field contains the Expanded field. If the message was forwarded, this field contains the Forwarded field.
Bcc	The SMTP address of a recipient in the Bcc header or the SMTP envelope recipient. If the message was sent through a distribution list, this field contains the Expanded field. If the message was forwarded, this field contains the Forwarded field.
Recipient	The SMTP address of a recipient who is not a member of the Exchange 2007 organization, such as Internet recipients or recipients on legacy Exchange servers.
Sender	The sender's SMTP address, found either in the From or Sender header of the message.
On-Behalf-Of	The relevant SMTP address if the Send on Behalf Of feature was used.
Subject	The Subject header.
Message-ID	The internal Exchange Message-ID.