9.13 SMTP archiving




SMTP archiving is different from message journaling, which takes a copy of every message flowing through a server and stores it in a preset destination, normally a mailbox or public folder. SMTP archiving is a debug tool that you can use to capture the entire content of SMTP messages, including all the header information that details the passage of a message through various servers, as files in an archive directory. You can then examine the content to determine where problems lie. For example, an application might generate malformed SMTP messages, which do not strictly follow the SMTP formatting rules as laid down in the RFCs, and so will not be displayed correctly by a client.

Exchange implements SMTP archiving through an event sink, which traps two transport events fired by messages as they move through the Routing Engine. The first event is "OnMessageSubmission," which fires once for every message as it is submitted. After a message is categorized (all the recipients are known, including the members of any distribution lists), the "OnPostCategorize" event fires and can generate an additional copy of a message to handle the situation where some recipients must receive messages in a predetermined format. Capturing messages after submission is an effective way to capture copies of all traffic on a server, while enabling postcategorization capture ensures that Exchange can capture copies in all formats. By default, the archive sink only captures messages after submission.

Only turn on SMTP archiving when you have good reason. A busy server generates thousands of messages hourly, perhaps far more than you anticipate, because you are not 100 percent aware of all the traffic that the server handles. By default, SMTP archiving does not capture system-generated messages such as replication messages. To enable the archive sink, you go to the directory that contains the Exchange binaries and run the archivesink_setup.vbs script as follows:

C:> cscript archivesink_setup.vbs 1 install c:\exchsrvr\bin

The "1" referenced here means the default SMTP virtual server; if you have multiple virtual SMTP servers on a system, you need to enable archiving for each server. The code for the archive sink is in archivesink.dll, and Microsoft originally provided it in the Exchange resource kit. However, the archiving sink is part of the Exchange kit from Exchange 2000 SP2 on. Exchange 2003 upgrades its functionality slightly by ensuring that the sink can capture messages addressed solely to BCC recipients. This is a useful upgrade, because it is common practice to address messages to large distribution lists added as a BCC recipient to prevent users from causing a mail storm by replying to everyone on the list when they want to ask a question about the content of the message. When activated, the sink attaches itself to the two transport events and begins to capture messages. The archive sink also writes a set of entries to the system registry to control its operations, as shown in Figure 9.47. Again, you need to make the set of registry entries for each SMTP virtual server. You can modify the registry settings to tweak the archive sink, as shown in Table 9.7.

Figure 9.47: SMTP archive registry entries.

Table 9.7: Registry Settings for SMTP Archive Sink

Setting                        Default Value   Meaning
Archive System Messages        0 (off)         Set to 1 to force capture of system messages.
Dump P1                        0 (off)         Set to 1 to force inclusion of P1 (envelope) data in message copies.
Enable MAPI-Gateway Messages   1 (on)          Capture messages submitted by MAPI clients, including OWA and the MTA.
Enable PostCat                 0 (off)         Set to 1 to force capture of messages after the categorization process.
Enable PreCat                  1 (on)          Capture messages after submission.
Enable SMTP messages           1 (on)          Capture messages submitted by SMTP clients (including SMTP-based connectors, other Exchange servers in the same RG, and IMAP4 and POP3 clients).
MAPI-Gateway Messages          Directory       Location to store messages originating from MAPI clients.
SMTP Messages                  Directory       Location to store messages originating from SMTP clients.

Note that the Exchange 2000 version of the archive sink does not capture messages sent to BCC: recipients. However, if you run Exchange 2000 SP3 and install the post-SP3 roll-up patch (see Microsoft for details), you can configure the archive sink to capture BCC: recipients by creating a new DWORD value in the system registry at the following location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeTransport\Parameters\JournalBCC

Set this value to 1 to capture BCC recipients. The default is 0, meaning that the archive sink only captures TO: and CC: recipients. The Exchange 2003 version of the sink captures all recipient types.

Apart from considering whether to capture BCC: recipients, the most obvious change you should make to the default settings is to move the archive directories away from their default location under the directory holding the Exchange binaries. It is best to place these directories on a disk that has a lot of free space, just in case the archived messages fill the disk (perhaps because you do not turn archiving off) and stop some other process. The archive sink does not respond to changes made to registry settings until the next time IIS restarts. Effectively, because of the dependency that exists between Exchange services and IIS, this means that you have to stop and restart Exchange.

The archive sink captures messages in their raw format. Figure 9.48 shows two sample messages and the type of file names that you can expect.

Figure 9.48: Reading SMTP archived messages.

All of the files have an .eml extension. The top message came in through a routing group connector, so it is a standard SMTP/MIME structure. Note that these messages include both plain text (which you can see) and MIME content (below the portion shown in the screen shot). The bottom message is a response to the first message generated using Outlook's "reply" function. In this case, Outlook sends the message in MS-TNEF, the internal format that Exchange uses to transfer messages if there is no need to convert the content to MIME. Exchange transports this content as an attachment called WINMAIL.DAT. People cannot read MS-TNEF or the attachment, so you will not see useful data in these messages unless the originator decides to use a client-specific option to generate plain text format.
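A small triage script for the kind of .eml files described above, and for the "where do the problems lie" question posed in the introduction (an added example, not code from the book; the three messages are constructed stand-ins, not real captures). It pulls the from/by pairs out of the Received headers to show a message's path through the servers, flags replies that arrived as MS-TNEF with a WINMAIL.DAT attachment, and reports the parser defects that mark a message as not following the RFCs.

```python
import email
from email import policy

# Constructed stand-ins for the .eml files the archive sink writes (not real captures).
SMTP_MIME = b"""Received: from hub1.example.local ([10.0.0.5]) by mbx2.example.local with Microsoft SMTPSVC; Mon, 3 Mar 2003 09:15:02 +0000
Received: from client-pc ([10.0.1.77]) by hub1.example.local with Microsoft SMTPSVC; Mon, 3 Mar 2003 09:15:00 +0000
From: alice@example.local
Subject: Quarterly report
Content-Type: text/plain; charset=us-ascii

Please review the figures.
"""
# Outlook reply carried as MS-TNEF: the readable content is locked inside WINMAIL.DAT.
TNEF_REPLY = b"""Received: from mbx2.example.local ([10.0.0.9]) by hub1.example.local with Microsoft SMTPSVC; Mon, 3 Mar 2003 09:20:11 +0000
From: bob@example.local
Subject: RE: Quarterly report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Disposition: attachment; filename="winmail.dat"
Content-Transfer-Encoding: base64

eJ8+IgAAAA==
--b1--
"""
# Malformed application output: claims to be multipart but declares no boundary (RFC 2046).
MALFORMED = b"""From: app@example.local
Subject: Nightly job output
Content-Type: multipart/mixed

Job finished.
"""


def triage(raw: bytes) -> dict:
    """Summarise one archived message: server hop trail, TNEF use and RFC defects."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for rcvd in msg.get_all("Received", []):
        words = str(rcvd).split()  # "from <src> ... by <dst> ..."
        src = words[words.index("from") + 1] if "from" in words else "?"
        dst = words[words.index("by") + 1] if "by" in words else "?"
        hops.append((src, dst))
    hops.reverse()  # Received headers are prepended, so the last one is the first hop
    tnef = any(part.get_content_type() == "application/ms-tnef"
               or (part.get_filename() or "").lower() == "winmail.dat"
               for part in msg.walk())
    return {"subject": str(msg["Subject"]), "hops": hops, "tnef": tnef,
            "defects": [type(d).__name__ for d in msg.defects]}
```

Running triage over every .eml in the archive directory and sorting by the defects column is a quick way to separate the misbehaving application from the ordinary traffic.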

Archiving uses a lot of disk space, so be sure to disable it as soon as you have captured enough messages to analyze any potential fault. Remember that archived messages may contain confidential and sensitive material, so you should also ensure that the archive directories are secure from prying eyes. To disable archiving, you run the archivesink_setup.vbs script again as follows (also shown in Figure 9.49):

C:> cscript archivesink_setup.vbs 1 uninstall c:\exchsrvr\bin

The archivesink_setup.vbs script removes all of the registry entries that control archiving when it deinstalls the archive sink. In Exchange 2003, you can stop the sink without removing it. Because of a bug, this is not possible in the version provided in Exchange 2000.

Figure 9.49: Disabling the SMTP archive sink.






Microsoft Exchange Server 2003
Microsoft Exchange Server 2003 Administrators Pocket Consultant
ISBN: 0735619786
Year: 2003
Pages: 188
