
Create a journal rule in Exchange 2007 to secure journaling mailboxes

Many regulations that govern message retention require you to guarantee that your archives can't be tampered with. Exchange Server 2007's New Journal Rule wizard will only send journal reports to a recipient that already exists in Active Directory, so you can't simply type in an off-site archive address. The workaround is a mail-enabled contact that points at the external mailbox. This tip explains how to create one.

Exchange Server 2007 normally only lets you send journal reports to recipients in your own Exchange organization. At the same time, numerous regulations regarding email archiving require you to ensure that your archives are tamper-resistant. Storing journaling archives off-site is a common way to meet that requirement, but the Exchange 2007 journal rule wizard won't accept an arbitrary external SMTP address as the journaling target. Below is an explanation of the requirements Exchange 2007 places on journaling mailboxes, followed by the steps to create a mail-enabled contact that lets journal reports flow to an off-site, tamper-resistant archive.

One way to ensure that messages can't be tampered with is to store them off-site. For example, some organizations set up Web hosting accounts with ISPs to obtain an additional domain. They then create a mailbox in this domain and use it to store journaling reports.

Because the mailbox lives on an off-site ISP server, it sits outside your Active Directory trust boundary: an attacker who compromises Active Directory does not thereby gain access to the archive, because the archive's credentials are separate and unrelated to the domain. With this approach, only two people within the company are given access to the mailbox, one of whom is typically the designated contact for the message archives.

This lead contact is often the head of the company's IT, HR or legal department. The second contact is a backup. Depending on the company, the backup contact may or may not know the mailbox password offhand.

There is a distinct advantage to storing your journaling archives on an off-site, hosted mail server; however, the Exchange Server 2007 journal rule wizard doesn't let you enter an external address directly. Instead, it imposes two requirements on the journaling recipient:

  • The recipient must be an object in your organization's Active Directory, chosen from the Browse list rather than typed in.
  • The recipient must already exist at the time you create the journaling rule.

How do you get around these restrictions? When you create a journal rule, Exchange Server checks Active Directory to ensure that the designated journaling recipient exists. Exchange not only looks for mail-enabled user accounts and mailboxes, it also accepts mail-enabled contacts, and a mail-enabled contact can point to an external SMTP address. Keep in mind that anyone who can edit journal rules can also retarget them, so the rule itself still needs to be protected and audited.


To create a mail-enabled contact in Active Directory, open the Active Directory Users and Computers console, right-click on the Users container and choose New -> Contact from the menus. When prompted, enter the first name, last name, full name and display name of the contact you're creating and click OK.

Allow time for the new contact to replicate to the other domain controllers, and then open the Exchange Management Console. If you attempt to create a journaling rule right away, you won't be able to choose the contact as the journal's email address, because it isn't mail-enabled yet. You'll need to mail-enable the contact first.

To mail-enable a contact, navigate through the console tree to Recipient Configuration -> Mail Contact. Next, right-click on the Mail Contact folder and choose New Mail Contact from the menu. This will launch the New Mail Contact wizard.

The wizard's initial screen asks if you want to create a new contact or use an existing contact. Choose Existing Contact and then select the contact that you created earlier.

Click Next, and you will be prompted to enter an external SMTP address for the contact. This is the journal's email address.

Click Next and then New to mail-enable the contact.

When you now create a new journaling rule and click Browse, the mail-enabled contact is listed alongside your Exchange mailboxes. Select the contact you just created, and all journal reports for that rule will be sent to the external email address associated with the contact. Because those reports leave your organization as ordinary SMTP mail, make sure a Send connector can route to the archive's domain and, ideally, requires TLS for that connection.
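The same procedure can be scripted from the Exchange Management Shell, which is handy when you need it to be repeatable and reviewable. The following is an added example, not code from the article; the contact name, alias, organizational unit, external address and rule name are all assumptions, and the Send connector check at the end is the verification a practitioner would add before trusting the off-site archive.

```powershell
# Added example (not from the article). All names and addresses are assumptions.
$archiveAddress = "journal@archive.example.com"   # the off-site mailbox hosted by the ISP

# Step 1: create the contact and mail-enable it in a single step. This replaces the
# separate ADUC "New Contact" and EMC "New Mail Contact" steps described above.
New-MailContact -Name "Journal Archive" `
    -Alias "journalarchive" `
    -ExternalEmailAddress $archiveAddress `
    -OrganizationalUnit "contoso.com/Users"

# If the contact already exists in Active Directory (created in ADUC as the article
# does), mail-enable that object instead of creating a new one:
#   Enable-MailContact -Identity "Journal Archive" -ExternalEmailAddress $archiveAddress

# Step 2: create the journal rule. -JournalEmailAddress must resolve to an existing
# recipient in AD, which is why the mail-enabled contact is needed. -Scope Global
# journals every message that passes through the Hub Transport servers; add
# -Recipient <smtp address> to limit journaling to one mailbox or distribution group.
New-JournalRule -Name "Off-site archive journaling" `
    -JournalEmailAddress $archiveAddress `
    -Scope Global `
    -Enabled $true

# Step 3: verify the rule resolved the contact's external address and is enabled.
Get-JournalRule -Identity "Off-site archive journaling" |
    Format-List Name, JournalEmailAddress, Scope, Recipient, Enabled

# Step 4: journal reports leave the organization as normal SMTP mail, so confirm a
# Send connector covers the archive's domain and check whether it requires TLS.
Get-SendConnector |
    Format-List Name, AddressSpaces, RequireTLS, Enabled
```

If the journal rule's JournalEmailAddress shows the contact's display name rather than the external address, that is expected: Exchange stores a reference to the recipient object, and the transport service resolves it to the contact's external SMTP address when it generates each report.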

About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional award for his work with Exchange Server, Windows Server, Internet Information Services (IIS) and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at
