Journaling to an External Entity

Journal reports contain the full content of the messages they cover, and therefore must be transmitted securely. The following sections describe the recommended steps for configuring journaling to an external entity by various means.

Journaling to a Trusted Exchange Mailbox

In deployments where mail is journaled to a trusted Exchange mailbox in an Exchange organization, the journal mailbox should be locked down so that only journal reports generated by Exchange Server itself can be delivered to it. Without this restriction, anyone who can address the mailbox could inject forged "journal reports" into the archive. The following procedure describes the high-level steps that are required to lock down the journal mailbox:

1.     Create a journal mailbox on the Exchange server that you are using for journaling.

2.     To make sure that journaling is not spoofed, follow these steps to set permissions on the journal mailbox so that only Exchange Server can send to it.

·         In the Exchange Management Console tree, expand Recipient Configuration.

·         In the result pane, select the Journal Mailbox created.

·         In the Actions pane, click Properties, and then select the Mail Flow Settings tab.

·         Select Message Delivery Restrictions from the list of settings.

·         Under Accept messages from, select Only senders in the following list and add the Microsoft Exchange recipient (the sender that Exchange uses for journal reports).

·         Select the Require that all senders are authenticated check box.

3.     Hide the journal mailbox from the GAL by using the General tab on the Journal Mailbox Properties page.

4.     Set the journal mailbox as the destination in the journal rule.
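The same lock-down performed from the Exchange Management Shell on Exchange 2007, as an added example that is not part of the original post. The mailbox name, database path, organizational unit, server name and the MyCompany.com domain are assumptions. The Microsoft Exchange recipient is referred to by the display name the EMC picker shows; that this name resolves in the shell is an assumption, so its actual primary SMTP address is also read from Get-OrganizationConfig as the fallback identity.

```powershell
# Added example (not the original post's code). Placeholders are assumptions:
# "EXCH01\First Storage Group\Mailbox Database", "MyCompany.com/Service Accounts",
# the mailbox name JournalArchive and the domain MyCompany.com.

# 1. Create the journal mailbox.
$pw = Read-Host "Password for the journal mailbox account" -AsSecureString
New-Mailbox -Name "JournalArchive" -Alias "journalarchive" `
    -UserPrincipalName "journalarchive@MyCompany.com" `
    -Database "EXCH01\First Storage Group\Mailbox Database" `
    -OrganizationalUnit "MyCompany.com/Service Accounts" `
    -Password $pw

# 2. Journal reports are sent from the "Microsoft Exchange" recipient. Read its
#    primary SMTP address so the restriction can be checked (and, if the display
#    name below does not resolve, so the address can be used as the identity instead).
$msxAddress = (Get-OrganizationConfig).MicrosoftExchangeRecipientPrimarySmtpAddress
Write-Host "Journal reports will arrive from: $msxAddress"

# 3. Message Delivery Restrictions: accept only the Microsoft Exchange recipient and
#    require authenticated senders, so anonymous SMTP submissions that forge that
#    From address are rejected too. Hide the mailbox from address lists.
Set-Mailbox -Identity "journalarchive" `
    -AcceptMessagesOnlyFrom "Microsoft Exchange" `
    -RequireSenderAuthenticationEnabled $true `
    -HiddenFromAddressListsEnabled $true

# 4. Point a journal rule at the mailbox (Global scope covers every message that
#    passes through the Hub Transport role).
New-JournalRule -Name "Journal all mail" -Scope Global `
    -JournalEmailAddress "journalarchive@MyCompany.com" -Enabled $true

# Verify the lock-down. A test message from an ordinary user to the journal mailbox
# should now come back as a delivery restriction NDR rather than being archived.
Get-Mailbox -Identity "journalarchive" | Format-List AcceptMessagesOnlyFrom, `
    RequireSenderAuthenticationEnabled, HiddenFromAddressListsEnabled
```

Run it from the Exchange Management Shell on a server with the Hub Transport or Mailbox role. The verification at the end is the check worth keeping in a change record: AcceptMessagesOnlyFrom must list exactly one entry, and RequireSenderAuthenticationEnabled must be True.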

Journaling to an External Organization

In deployments where journaling is sent to an external entity, such as an off-site archive vendor, organizations should ensure the following conditions:

  • Journal reports are sent to the external archive over a secure, encrypted channel.
  • The off-site entity is locked down so that only journal reports from the partner organization are accepted.
  • The off-site archive is locked down so that employees of the organization cannot spoof journal reports.

The following procedure describes one method to help secure journaling to an external entity by using Exchange 2007.

1.    Configure routing in MyCompany.com to send journaling over a Send connector on which Transport Layer Security (TLS) is enabled. This should be configured only for the ExternalJournal.com address space.

2.    Configure ExternalJournal.com to accept messages from MyCompany.com over a Receive connector on which TLS is enabled.

3.    Create a contact in MyCompany.com that points to the journal mailbox in ExternalJournal.com.

4.    To make sure that journaling is not spoofed, follow these steps to set permissions on the contact so that only Exchange Server can send to it:

·         In the Exchange Management Console tree, expand Recipient Configuration.

·         In the result pane, select the contact created in the previous step.

·         In the Actions pane, click Properties, and then select the Mail Flow Settings tab.

·         Select Message Delivery Restrictions from the list of settings.

·         Under Accept messages from, select Only senders in the following list and add the Microsoft Exchange recipient (the sender that Exchange uses for journal reports).

·         Select the Require that all senders are authenticated check box.

5.     Hide the contact from the GAL by using the General tab on the Properties page.

6.     Configure domain-secured e-mail between MyCompany.com and ExternalJournal.com.

7.     Create a contact in ExternalJournal.com for MyCompany.com.

a.    Set the contact’s address to MicrosoftExchange@MyCompany.com (this must match the primary SMTP address of the Microsoft Exchange recipient in MyCompany.com, which is the sender of its journal reports).

8.     Set permissions on the journal mailbox in ExternalJournal.com so that only the contact created in the previous step can send to it.
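Both sides of this procedure from the Exchange Management Shell on Exchange 2007, as an added example that is not part of the original post. Server names (HUB01), connector FQDNs, the certificate thumbprint, the sending host's IP address (203.0.113.10, from the documentation range), mailbox and contact names are all assumptions; the domains MyCompany.com and ExternalJournal.com are the post's. As in the previous example, referring to the Microsoft Exchange recipient by its display name in the shell is an assumption.

```powershell
# Added example (not the original post's code). All names other than the two
# domains are placeholders.

# ===== MyCompany.com side (Hub Transport) =====

# Bind an SMTP certificate whose subject matches the connector FQDN. Domain Security
# authenticates both ends by certificate, so a self-signed one will not do.
$thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"   # placeholder
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services SMTP

# 1. Send connector scoped to the ExternalJournal.com address space only. Domain
#    Security requires DNS routing (no smart host); RequireTLS refuses to fall back
#    to clear text if the remote side does not offer STARTTLS.
New-SendConnector -Name "Journal to ExternalJournal.com" -Usage Partner `
    -AddressSpaces "SMTP:ExternalJournal.com;1" `
    -SourceTransportServers "HUB01" `
    -DNSRoutingEnabled $true -DomainSecureEnabled $true -RequireTLS $true `
    -Fqdn "mail.MyCompany.com"

# 6. Domain-secured e-mail: mail to this domain must be mutually TLS-authenticated.
Set-TransportConfig -TLSSendDomainSecureList "ExternalJournal.com"

# 3-5. Contact for the external journal mailbox, locked down so only journal reports
#      generated by Exchange can be sent to it, then hidden from address lists.
New-MailContact -Name "External Journal" -Alias "extjournal" `
    -ExternalEmailAddress "journal@ExternalJournal.com"
Set-MailContact -Identity "extjournal" `
    -AcceptMessagesOnlyFrom "Microsoft Exchange" `
    -RequireSenderAuthenticationEnabled $true `
    -HiddenFromAddressListsEnabled $true
New-JournalRule -Name "Journal to ExternalJournal.com" -Scope Global `
    -JournalEmailAddress "journal@ExternalJournal.com" -Enabled $true

# Check: the address the partner must whitelist (step 7a) is this one.
Write-Host "Journal reports leave as: $((Get-OrganizationConfig).MicrosoftExchangeRecipientPrimarySmtpAddress)"
Get-SendConnector "Journal to ExternalJournal.com" | Format-List AddressSpaces, `
    DNSRoutingEnabled, SmartHosts, DomainSecureEnabled, RequireTLS, Fqdn

# ===== ExternalJournal.com side =====

# 2. Receive connector that only listens to MyCompany.com's sending host, requires
#    TLS and performs Domain Security certificate validation.
New-ReceiveConnector -Name "From MyCompany.com" -Usage Partner `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "203.0.113.10" `
    -Fqdn "mx.ExternalJournal.com" `
    -AuthMechanism Tls -DomainSecureEnabled $true -RequireTLS $true
Set-TransportConfig -TLSReceiveDomainSecureList "MyCompany.com"

# 7-8. Contact for the sender address of MyCompany.com's journal reports, then
#      restrict the local journal mailbox to that single sender. The restriction
#      is by sender only, as in the post: the reports come in over a partner
#      connector, not from an internal mailbox.
New-MailContact -Name "MyCompany Journal Sender" -Alias "mycompanyjournal" `
    -ExternalEmailAddress "MicrosoftExchange@MyCompany.com"
Set-Mailbox -Identity "journal" `
    -AcceptMessagesOnlyFrom "mycompanyjournal" `
    -HiddenFromAddressListsEnabled $true

Get-TransportConfig | Format-List TLSReceiveDomainSecureList
Get-Mailbox -Identity "journal" | Format-List AcceptMessagesOnlyFrom
```

The address in step 7a is the one thing the two organizations must agree on out of band: if MyCompany.com's Microsoft Exchange recipient uses a different primary SMTP address than MicrosoftExchange@MyCompany.com, the contact on the ExternalJournal.com side must be created with that address instead, or every journal report will be rejected by the mailbox restriction.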
 
Don Bacso
Senior Consultant
Project Leadership Associates
 


Copyright © MMCUG - Midwest Messaging and Collaboration User Group 2008