Use messaging records management and transport rules to achieve compliance
Over the last several years, many laws have been passed that set specific requirements for email retention. Although various third-party products such as AdvisorMail, Optiva Systems's ArcMail E-Mail Defender, and Quest Software's Quest Archive Manager can help organizations running Microsoft Exchange Server 2003 comply with these regulations, Exchange 2003 wasn't designed with long-term mail retention in mind. Not surprisingly, Exchange Server 2007 addresses these shortcomings. Although Exchange 2007 probably won't be completely compliant with federal regulations such as the Sarbanes-Oxley (SOX) Act right out of the box, it offers mechanisms that make achieving compliance easier.
This article was written in November 2006. As such, information that I discuss here is based on a beta version of Exchange 2007 and could potentially change by the time the final product is released. However, Microsoft is far enough into the beta cycle that I don't anticipate any major changes to the way that Exchange 2007 works.
Messaging Records Management
When you hear people discuss making a mail server compliant with the latest regulations, one central theme that usually comes up is message archiving. Various laws require email to be retained for specific lengths of time. But you can't depend on users to save a copy of every message. Even if users consistently saved all their mail, locating specific messages on demand would be nearly impossible because the messages would be scattered among the users' mailboxes.
An Exchange 2007 feature that can help make message archiving easier and more reliable is messaging records management, which lets you assign retention rules to specific folders. When used in conjunction with transport rules, messaging records management can sort and archive messages according to your company's needs.
To demonstrate how messaging records management works, suppose that you want to keep users' mailboxes clean by implementing an email-retention policy mandating that any message more than three months old be deleted. Let's also suppose that you're required to keep any messages related to the Contoso account for five years.
In a situation like this, you could create a managed custom folder with a five-year retention period. You could then create a mailbox that's used solely as a repository for messages related to the Contoso account. Because this mailbox has a special purpose, you wouldn't apply your regular retention policy to it. Instead, you'd create a transport rule that captures any message mentioning the Contoso account and sends a copy of the message to the designated mailbox. Then you'd use a Microsoft Office Outlook rule to move messages arriving in the mailbox to the managed custom folder with the five-year retention period.
If you're used to running Exchange 2003, this method probably seems completely foreign to you. But the technique sounds more difficult than it really is. For an outline of the procedure, see the sidebar "Step-by-Step Email Retention in Exchange 2007". Now, let's look more closely at how to implement it.
Create a Managed Custom Folder
The first step in this technique is to create a managed custom folder and assign a five-year retention period to it. To do so, open Exchange Management Console (formerly known as Exchange System Manager) and expand the Organization Configuration container, then select the Mailbox container beneath it. The console's middle pane displays a series of tabs related to the Mailbox container. Select the Managed Custom Folders tab, then right-click in the empty area beneath it. Choose the New Managed Custom Folder command from the resulting shortcut menu to launch the New Managed Custom Folder wizard. (Managed folders are available organization-wide, so you can apply them to any mailbox throughout the organization.)
As you can see in Figure 1, you start by entering a name for the new folder. For this scenario, enter Contoso Account as the folder name. As you enter the name, the text box below it automatically fills in the name that users will see when they view the folder in Outlook. You can enter additional text in the large text box so that it's displayed when users view the folder through Outlook. For this example, enter the following text: All messages related to the Contoso account must be retained for five years. Finally, select the Do not allow users to minimize this comment in Outlook check box. (Note that only Microsoft Office Outlook 2007 and Microsoft Outlook Web Access—OWA—2007 display this check box.)
Click the New button to finish creating the folder. Exchange displays a summary of the action along with the Exchange Management Shell command that you can use to script the action in the future. Click Finish to close the wizard.
Now that you've created the new managed folder, it's time to configure a retention policy for it. The Contoso Account folder now appears in the Mailbox container, as Figure 2 shows. To configure the folder's policy, select the folder, then click the New Managed Content Settings link in the Contoso Account pane on the right side of the screen.
At this point, the New Managed Content Settings wizard opens, as Figure 3 shows. Begin by entering a descriptive name for the new settings. Set the Message type option to All Mailbox Content, then select the Retention period (days) check box.
Because we're retaining messages for five years, enter 1827 (365 days × 5 years + 2 days for leap years). Set the retention period to start when an item is moved into the folder, then set the items to be permanently deleted when the retention period expires, as I've done in Figure 3. A permanent delete removes the item from the database, so users won't be able to use the Recover Deleted Items feature to retrieve items from the dumpster.
Click Next, and you'll see a screen explaining that journaling can be used to automatically forward a copy of an item to an alternate location. You might want to investigate using the journaling option in other scenarios, but for this example click Next to skip it, and you'll see a screen displaying a summary of the configuration settings you're implementing. Click New to create the settings. When the process is completed, click Finish.
Set a Mailbox Retention Policy
So far we've created a folder for the Contoso account and set a retention policy for it. As you'll recall, though, our other goal was to keep user mailboxes cleaned out by preventing messages from being stored for more than three months. To do so, we'll create a mailbox retention policy that's similar to the one we created for the Contoso Account folder.
Navigate through the Exchange Management Console tree to the Organization Configuration\Mailbox container. When you select the Mailbox container, the details pane displays a series of tabs. Select the Managed Default Folders tab to display a list of all the default mailbox folders.
Right-click the Inbox folder, and select New Managed Content Settings from the shortcut menu to launch the New Managed Content Settings wizard. As before, you'll enter a name for the new setting. Let's call this policy ThreeMonth Retention.
For this article, set the message type to All Mailbox Content. For other policy scenarios, you could segregate messages by categories such as documents, calendar items, meeting requests, voicemail, and so forth. Now select the Retention period (days) check box, and set the retention period to 90 days. Configure the retention period so that it begins when an item is delivered to the mailbox. Set the end-of-retention-period action to move expired items to the Deleted Items folder.
Click Next, and you'll see the Journaling screen. For the purposes of this example, we're not interested in journaling copies of every message, so click Next. You'll see a summary of the new managed-content settings. Assuming that all the information is correct, click New to create the new policy. When the process is completed, click Finish. (Note that you could also apply this policy to the Sent Items folder.)
Create a Managed-Folder Mailbox Policy
Although we've set a retention period for the Inbox, we still have to create a policy that references this retention period. The policy lets you group together multiple managed folders in a single step.
To create this policy, navigate through the console tree to Organization Configuration\Mailbox. Select the Mailbox container, and click the Managed Folder Mailbox Policies tab in the details pane. Next, right-click in an empty area of the details pane and select the New Managed Folder Mailbox Policy command from the shortcut menu. When you do, Exchange launches the New Managed Folder Mailbox Policy wizard.
Once again, start by entering a name for the policy. For this scenario, call the policy Managed Folders. Now, click Add to reveal a list of available folders. Choose Inbox from the list and click OK, then New, then Finish.
At this point, repeat the procedure to create a second managed-folder mailbox policy. Let's call this one Contoso. You'll do everything the same as before except that rather than associating the policy with the Inbox, you'll associate it with the Contoso Account folder that you created earlier.
Associate the Policy with Mailboxes
You've created a policy that you can associate with users' mailboxes to effectively place a three-month maximum retention period on mailbox items. To add the policy to a mailbox, navigate through the console tree to Recipient Configuration\Mailbox. The details pane displays a list of available mailboxes. Right-click the mailbox you want the policy applied to, and select the Properties command from the shortcut menu. Exchange displays the mailbox's properties sheet.
Select the properties sheet's Mailbox Settings tab, then select the Messaging Records Management option and click the Properties button. You should now see the Messaging Records Management dialog box that Figure 4 shows.
Select the Managed folder mailbox policy check box, then click Browse. You should see the policy created in the last step (we called it Managed Folders). Select this policy and click OK three times to close all open dialog boxes. The policy is now associated with the user account and should be active at this point.
Create a Transport Rule
The next step in the process is to create a mailbox that can act as a repository for messages related to the Contoso account. Create this mailbox in the typical way. Go through the steps to associate a managed-folder mailbox policy with the new mailbox, and choose the Contoso policy.
Now that you've created a mailbox to act as a message repository, the next step is to move Contoso messages into the mailbox. The easiest way to accomplish this is to create a transport rule. Transport rules look at messages as they flow through the Exchange organization.
To create a transport rule, navigate through the console tree to Organization Configuration\Hub Transport. Next, click the New Transport Rule link in the Actions pane to launch the New Transport Rule wizard.
The wizard's initial screen asks you to enter a name for the rule as well as an optional comment. Let's name the rule Contoso, and we'll add a comment indicating that the rule copies Contoso-related messages to a repository mailbox.
Click Next, and you'll see a screen asking you to select a condition for the rule to look for. There are many conditions that you can specify, but let's assume that a message will be considered to be related to the Contoso account if the word Contoso appears anywhere in the message subject or body. Therefore, select the when the Subject field or the body of the message contains specific words check box, as Figure 5 shows.
Notice in Figure 5 that specific words is underlined in the edit section in the bottom pane. Click the specific words link to enter the words you want the rule to apply to. In this case, just enter Contoso.
Click Next, and you'll be prompted to select an action for the rule. In this case, choose the Blind Carbon Copy (BCC) the Message to Address option. Doing so will cause a copy of every message containing the word Contoso to be sent to the repository mailbox. Just as you clicked the specific words link earlier, you must now click the Address link to enter the email address that's associated with your repository mailbox.
To complete the process, click Next twice, followed by New and Finish. The new transport rule is now created.
Create an Outlook Rule
We're almost done except for one minor detail. The Inbox associated with the repository mailbox that we created doesn't have a message-retention policy associated with it. We need to guarantee that Contoso-related messages are retained for five years. We've created a managed custom folder that has a five-year retention period associated with it, though, so we just need to move messages from the Inbox folder to our managed custom folder.
Unfortunately, you can't do so through Exchange Management Console, but you can get the job done through Outlook by creating an Outlook rule. The procedure I'll describe is designed for use with Microsoft Office Outlook 2007.
Open the repository mailbox in Outlook, then choose Rules and Alerts from Outlook's Tools menu. When the Rules and Alerts dialog box appears, click the New Rule button. Outlook displays various rule templates. Click the Check Messages When they Arrive option found in the Start from a Blank Rule section, then click Next.
You'll see a screen displaying various rule conditions. Select the Where my name is not in the To box check box. Remember that our transport rule sends messages to this mailbox by using a BCC, so the mailbox owner's name should never appear in the To box.
Click Next, then select the Move it to the Specified Folder check box. Click Specified, and you'll see a list of folders. Select the folder to which the retention policy applies, then click Finish, followed by OK.
Achieve Your Compliance Goal
As you can see, configuring Exchange 2007 to retain specific types of messages can be a lot of work. Nevertheless, doing so is usually worth the effort because messages required to be retained will all be grouped into a central folder that you can easily search for specific information. Messaging records management combined with transport rules will help you meet your organization's email-retention needs.