Manage Learn to apply best practices and optimize your operations.

Using Exchange Server journaling as an email-archiving solution

As more companies choose to archive email messages for e-discovery, ensuring that those archives remain secure is paramount. In this tip, you'll learn how Exchange Server archiving and journaling differ. Plus, you'll discover how to use Exchange Server journaling as a secure email-archiving solution that can withstand hackers and man in the middle attacks.

Various federal regulations require an increasing number of companies to archive email messages for e-discovery....

Many more companies have been voluntarily archiving email to defend themselves in the event of a lawsuit. Lately, more are choosing to use Exchange Server journaling as an archiving method. In this tip, Microsoft Exchange expert Brien Posey explains the difference between journaling and archiving in Exchange Server, and describes how to secure your journaling archive.

Journaling and email archiving within Exchange Server are different. Archiving refers to removing old messages from the Exchange Server and placing them in a secure permanent repository. Journaling, on the other hand, places a copy of target email messages into a designated mailbox.

Journaling can work as an Exchange Server email archiving solution, but you must seriously consider security. If your company is subject to various federal regulations surrounding email archiving, then your archival solution must be tamper-resistant. Even if you're not technically required to archive email, but are doing so for your own protection, ensuring that your archiving solution is secure is still important. If you are involved in a lawsuit, your chances of winning in court may improve dramatically if you can prove that your archives are secure and messages haven't been tampered with.

How secure are your Exchange journaling archives?

Journaling doesn't offer the same level of archive protection as a commercial email archiving application. Therefore, how do you guarantee that no one has tampered with your journal archives? There are a few things that you can do to greatly improve the security of your journaling archives.

NOTE: If your organization is solely using Exchange Server 2007, then you don't have to do anything additional to ensure that journaling traffic is encrypted. Exchange 2007 automatically encrypts all traffic flowing between the hub transport server and the mailbox server.

First, you must ensure that archive content is tamper-resistant by encrypting the traffic that's flowing across the network. This makes man in the middle attacks much more difficult to perform. Man in the middle attacks can be used for a variety of different purposes. The basic idea behind a man in the middle attack is that a hacker positions himself between the sender and the recipient.

After doing so, the hacker spoofs the recipient's IP address, MAC address or some other mechanism to intercept packets intended for the recipient. Once the hacker has possession of the packets, he disassembles them and modifies their contents.

For example, a hacker could use this method to rewrite an email message to make it say something different or to make it look like it was addressed to a different set of recipients. Finally, the hacker transmits the modified packets to the original recipient.

More Exchange journaling and archiving resources:

Exchange Server journaling tutorial

Email archiving and e-discovery best practices for Exchange

Email archiving: Planning, policies and product selection


When the recipient receives the modified packets, it may or may not be obvious that they've been hacked. Typically, there won't be anything suspicious about the message's physical structure (at least not that a user would recognize), but he might get suspicious of the message's contents. For example, if a user was expecting a message from his boss approving a vacation schedule, but instead received one telling him to burn down the office building, that might be a little suspicious.

However, in the case of a dedicated journaling mailbox, tampering might go unnoticed for months or even years. Typically, no one actively reads each message as it arrives in the journaling mailbox, so tampering may not become evident until an administrator needs to pull the archives. Even then, if the hacker makes the fraudulent messages convincing enough, it may not be obvious that tampering has occurred.

About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional award for his work with Exchange Server, Windows Server, Internet Information Server (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for

Dig Deeper on Exchange Server setup and troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.