What you need to know about compliance-driven journaling
Basel II. Graham-Leach-Bliley. HIPAA. Securities and Exchange Commission (SEC) Rule 17a-4. Sarbanes-Oxley. If you deal with email archiving, journaling, regulatory compliance, or some combination of these areas in your role as a messaging systems administrator or corporate email architect, you're probably familiar with these terms.
Increasingly, governmental requirements for storing electronic communications, specifically email, for audits or potential legal discovery are having a significant effect on messaging systems. Many companies are now implementing specific solutions and technologies to store all sent and received email for long periods of time.
Custom-designed archiving products such as VERITAS Software's KVS Enterprise Vault or Zantaz's Exchange Archive Solution (EAS) are designed to help companies conform to email-related compliance requirements. These products rely on the fundamental functionality that Exchange Server 2003 provides—the initial capture of sent and received email messages.
Understanding the basic differences between archiving, compliance, and journaling is helpful because their functions are often misunderstood, so I explain the differences as well as describe message journaling—one of the two types of journaling that Exchange performs. (I'll cover envelope journaling, the other form of Exchange journaling, in a future article.) The details of compliance requirements and how various legislation defines them are outside the scope of this article.
Archiving, Compliance, and Journaling
In the context of email and Exchange, the terms archiving, journaling, and compliance are often—and incorrectly—used interchangeably. Archiving refers specifically to removing email data from online Exchange databases to other storage media (e.g., near-line optical storage devices, offline vault-type systems). Often used to reduce the load on Exchange systems, archiving can be user-driven—for example, users can manually archive email messages or schedule a weekly or nightly process to move old messages from mailboxes to archive media.
Archiving is frequently used in conjunction with journaling, in which an application or product captures and moves to archive media all messages sent within, from, or to an Exchange database. Typically, journaled messages are stored online in Exchange databases.
Compliance is adherence to policies or regulations. Policy compliance refers to compliance with defined company policies by automatically journaling (and, often, archiving) certain email content. For example, your company might have a policy mandating that, to maintain an audit trail, all email messages from human resources (HR) staff to employees be retained. In contrast, regulatory compliance refers to complying with government regulations that require organizations to retain certain email content. For example, the Sarbanes-Oxley Act might require a public company to retain all communication from executive officers.
A Brief History
Exchange journaling functionality debuted in Exchange Server 5.5 Service Pack 1 (SP1), in which Microsoft introduced the ability to capture messages sent or received by a server and store them in a dedicated Exchange mailbox. Exchange 5.5 journaling suffered from significant shortcomings, most notably the inability to capture blind carbon copy (Bcc) recipients and expand distribution lists (DLs) to show the DL members as message recipients. For the purposes of compliance, all recipients of a message must be captured and logged, not just some of them.
Initially, Exchange 2000 Server journaling didn't offer any real functionality improvements over Exchange 5.5 journaling. However, Microsoft made significant improvements in Exchange 2003, overcoming the problems associated with Bcc recipients and DL expansion. Bcc recipient journaling support is available in Exchange 2003's message journaling. Exchange 2003 SP1's envelope journaling supports DL expansion journaling as well as Bcc recipient journaling.
Fortunately for organizations that are still running Exchange 2000, Microsoft has retrofitted these Exchange 2003 improvements to the post-SP3 Update Rollup for Exchange 2000. (For details, see the Microsoft article "An Update Rollup Is Available to Enable the Envelope Journaling Feature in Exchange 2000 Server" at http://support.microsoft.com/?kbid=834634.)
Exchange Message Journaling
Message journaling is the basic out-of-the-box form of journaling in Exchange 2003 and Exchange 2000. To enable message journaling on individual Exchange mailbox databases, select Archive all messages sent or received by mailboxes on this store on the Exchange database Properties tab, as Figure 1 shows. (Although Microsoft uses the word archive, Archive all messages sent or received by mailboxes on this store is a journaling function, not an archive function.)
When you enable message journaling for a database, Exchange copies all messages sent to or received by mailboxes that are homed in that database to a mailbox known as the journal mailbox. In Figure 1, I named the journal mailbox for the database CTZEX01 Archive. Microsoft recommends that you home a database's journal mailbox in a separate and distinct database from the one you're journaling. Although you can home a journal mailbox on the same database for which it's the journal recipient, journal messages that the journal mailbox receives aren't themselves journaled. Journal messages are exempt from message journaling, as are public folder replication messages and Active Directory—AD—replication messages. Make sure that you hide the journal mailbox in the Exchange Global Address List (GAL) so that users can't directly send email messages to it. It's also a good idea to set the permissions on the journaling mailbox so that users can't send email to it. Even though the journal mailbox might be hidden from the GAL, users would still be able to send email directly to it if they knew its SMTP address, so it's best to eliminate this admittedly remote possibility. Like any other Messaging API (MAPI) transaction, journal activity generates additional traffic to the Exchange transaction logs; keep this in mind when you consider system performance and size.
You must select an Exchange mailbox to receive the journaled messages because the Exchange Store writes some journaled attributes (e.g., Bcc recipient data) to the journal message only when the message is delivered to the journal mailbox. To specify a contact as the journal recipient (e.g., if you want to redirect journal messages to another email system or a dedicated archiving system), set an autoforward rule for the journal mailbox. You can also direct journal messages to a public folder. However, I don't recommend doing so—especially if you intend to use an archiving service in conjunction with journaling—because most archiving solutions extract messages from mailboxes, not from public folders.
Depending on your organization's size, distribution, and email volume, you might decide to create multiple dedicated journal mailboxes or even multiple dedicated journal servers. Before doing so, assess your company's requirements and keep in mind that enabling journaling on all databases will at least double the email volume and your storage requirements.
If you want to journal all messages sent by all users in your Exchange organization, you must select the Archive all messages sent or received by mailboxes on this store function for all Exchange databases, all storage groups (SGs), and all servers. If you want to journal messages for only a subset of your users and those users are grouped together by database, you can enable journaling on just the corresponding subset of your organization's databases. Thus, grouping certain users—executive officers, for example—in one database makes it easier to journal the messages of that group of users.
Message Journaling and P1 and P2 Headers
Message journaling effectively captures a copy of the message you want to journal and stores it in the journal mailbox. An Exchange message (which is, in effect, an SMTP message) contains two sets of headers: P1 and P2. P1 headers authoritatively define the originator and, more important, the recipients of a message. The Exchange routing functions use the P1 header to determine where to send the message. P2 headers are part of the message content and aren't used for routing purposes. Furthermore, P2 message headers are often inconclusive: a P2 header might define a generic SMTP account (e.g., email@example.com), but a rewrite rule in the mail system might rewrite this address to something more specific (e.g., firstname.lastname@example.org). Message journaling captures and stores P2 message headers, not P1 message headers.
A perfect analogy for these message headers is the address you use to send a conventional letter through the postal system. On the envelope, you write the address to which the post office will deliver the letter. You might also write that address at the top of the letter that's inside the envelope. However, the address on the letter isn't used for mail delivery; even if it's incorrect, the postal service will deliver the message to the address you put on the envelope. The address on the envelope is similar to the P1 address, and the address on the letter that's inside the envelope is similar to the P2 address.
Message Journaling and DLs
You can view messages journaled to the journal mailbox by simply logging on to the journal mailbox and using an Exchange client such as Outlook to view the messages. You can also use Outlook Web Access (OWA) to view journal messages, which is certainly simpler because it doesn't require MAPI profiles. The journaled messages will be stored in your Inbox just like any other message. Figure 2 shows a sample journaled message from the CTZEX01 Archive mailbox. As you can see, Neil Young sent the original message to Samantha Southwark, and the message was journaled to the CTZEX01 Archive mailbox. Display names—not actual SMTP addresses—are used throughout. (Thus, from a legal perspective, this journaled message proves only that an account that had a display name of Samantha Southwark received the message at 4:16 p.m. on November 30, 2004.)
Message journaling always uses the P2 headers for journaling purposes unless the message comes from outside the Exchange organization, in which case the P1 message header is journaled but the Bcc recipients are not. Bcc recipients are never listed in a message's P2 header, so Bcc recipients aren't identified in the message copy that's sent to the journal mailbox. Similarly, messages that are sent to DLs, then journaled through message journaling, display only the DL display name in the journaled message. No other details about the membership of the DL are available. Because the header doesn't specify to whom the message was sent, this situation is unsatisfactory for compliance purposes. Messages sent to external recipients, although journaled, reflect only the fact that mail was sent to a particular external SMTP address. If the external SMTP address is for a DL, for example, there's no way to determine the members of the DL.
You can't use message journaling to journal report messages. In other words, message journaling doesn't capture delivery notifications, nondelivery notifications, read receipts, or out-of-office notifications that are generated by or sent to a mailbox on a journaled database.
Bcc Recipients and Message Journaling
Message journaling doesn't capture Bcc recipients out of the box, but you can set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeTransport\Parameters registry subkey to enable that functionality. To activate Bcc journaling, open a registry editor and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeTransport. Create the Parameters subkey, then create a new REG_DWORD entry called JournalBCC and set its value to 0x00000001.
Create and set the JournalBCC subkey on every server on which you've enabled message journaling. You must also restart the SMTP service and the Information Store service on every server on which you set this registry subkey. All messages that are journaled after you've made this change will display the Bcc recipient information, as Figure 3 shows. Exchange 2003's Bcc message journaling function also displays the To and CC recipients on the Bcc line.
Bcc message journaling functionality is also available in Exchange 2000. However, you must run Exchange 2000 SP3 and the hotfix that Microsoft provides. For more information about the requirements and a description of the hotfix, see the Microsoft article "XADM: Bcc Information Is Lost for Journaled Messages in Exchange 2000" (http://support.microsoft.com/?kbid=810999).
Message Journaling Isn't the Be-All and End-All
We've looked at message journaling—the out-of-the-box and most basic form of Exchange journaling available in Exchange 2003 and Exchange 2000. Although message journaling provides support for message capture and Bcc recipients, it doesn't provide the full gamut of functionality that a comprehensive compliance system might require (e.g., support for DL expansion). In a future article, I'll provide a more detailed description of the mechanics of message journaling and outline an advanced form of journaling—envelope journaling—that supports DL expansion. Although both message and envelope journaling can capture and store messages, you shouldn't consider Exchange journaling as anything more than a single component in an overall archiving or compliance framework. Exchange isn't a compliance solution. You must also use complementary products such as archiving solutions or compliance systems.