Message Tracking logs for secondary smtp address

Similar Messages

• Cannot locate client IP Addess in message tracking logs

  Hello
  Im having trouble with a client who has an Exchange 2010 environment. They wish to identify users (via their client IP addresses of their workstations) who may be sending a large number of emails.
  In this environment there are two CAS servers that are hardware load balanced.
  My client wishes to interrogate the Message tracking logs (I believe this is the right place) in order to identify the IP address of a client which sent the originating mails. However the message tracking logs returns only the address of the Load Balancer
  and not the client IP Address of the sending machine.
  Is this anyway this can resolved?
  Many thanks in advance

  Hi,
  Or we can use
  IIS Advanced Logging. Add field “X-Forwarded-For” to the Advance Logging configuration to find the real IP address of the client device. Here are steps.
  Install “Advanced Logging” on each CAS server: Double click on msi file. Check the accept checkbox and click, next, next and finish for the installation.
  Add field “X-Forwarded-For” to the Advance Logging configuration.
  From your Windows Server 2008 or Windows Server 2008 R2 device, open the Internet Information Services (IIS) Manager.
  From the Connections navigation pane, click the appropriate CAS or CHM server on which you are configuring Advanced Logging. The Home page appears in the main panel.
  From the Home page, under IIS, double-click Advanced Logging.
  From the Actions pane on the right, click Edit Logging Fields.
  From the Edit Logging Fields dialog box, click the Add Field button, and then complete the following:
  In the Field ID box, type X-Forwarded-For.
  From the Category list, select Default.
  From the Source Type list, select Request Header.
  In the Source Name box, type X-Forwarded-For.
  Click the OK button in the Add Logging Field box, and then click the OK button in the Edit Logging Fields box.
  Click a Log Definition to select it. By default, there is only one: %COMPUTERNAME%-Server. The log definition you select must have a status of Enabled.
  From the Actions pane on the right, click Edit Log Definition or right click and select Edit Log Definition.
  Click the Select Fields button, and then check the box for the X-Forwarded-For logging field.
  Click the OK button.
  From the Actions pane, click Apply.
  Click Return To Advanced Logging.
  In the Actions pane, click Enable Advanced Logging.
  Now, when you look at Inetpublogs, you will see a new AdvancedLogs folder will be available with new logs and these logs will have the client device IP address.
  Best Regards.
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Lynn-Li
  TechNet Community Support

• Ironport Message Tracking Logs

  Hi,
  Am unable to post this in the Ironport Security section due to the restricted access on my Cisco support login ID.
  I need to export the message tracking logs for a particular user for the last one year (or the period for which logs are available) on Ironport M660.
  The GUI only reports 250 search results for every search and I have approx to export logs for approx. 20,000 messages.
  Is there a Unix/CLI command which can be executed to export all tracking logs between a time frame in Ironport?
  Thanks.

  This was a defect covered in the 8.5.6-093 release:
  http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-6/ESA_8-5-6_HP1_Release_Notes.pdf
  So, if running the -074 revision... found defect:
  https://tools.cisco.com/bugsearch/bug/CSCuq49620
  I wouldn't say that running repengupdate force is not suppose to be done, aside from a formal request... is odd to see or hear that would have been mentioned.  With the force updates for any of the processes on the ESA, this is usually always a good troubleshooting step for any customer --- as the process will instantly call out to the updater servers, compare manifests, and then pull regardless of what is running the latest engine and rules sets for the process... and then silently implement in the background.  While for the customers who might have bandwidth limiting options running on their network, the only major side effect is the package size that is coming across... since the engine is tagged into the rules... 
  But, normally with antivirus and antispam - this is the most helpful to run antivirusupdate force or antispamupdate ironport force.  Especially in times where the update process itself may have been interrupted with a network related hiccup or staled out download.
  -Robert

• Message tracking log of internal users who are all sent the mails to external domain

  Hi ,
  How can i get the message tracking log from internal users to external users?
  We need the report of internal users who are all sent the mails to the external domain
  Regards,
  Sankar M
  Sankar M http://messagingdevelopment.blogspot.in/

  Sankar, your outbound send connector has an address space of *. So when you run "Get-SendConnector", you will see something like the following:
  Identity                                AddressSpaces                          
  Enabled
  Unix System Connection                  {SMTP:*.domfreebusy.contractor.hunti... True
  Outgoing SMTP Connector                
  {SMTP:*;10}                             True
  Mailbox Journaling Connector            {SMTP:pdwastap01.huntington.com;1}      True
  The middle one with the {SMTP:*;10} in my case (you may have a different number than 10 in yours) is my outbound connector. So yours will show an address space of {SMTP:*;<some number, 10 is the default>}. HTH ...

• RecipientThreadLimitExceeded in message tracking logs, queuing and holding up local email delivery to office365

  Please let me know if anyone knows an answer to this one... We're in a Hybrid Exchange environment, with 2 x Exchange 2007 servers,  and 1 x Exchange 2013 Hybrid server which is pointing to Office 365 for the purposes of relaying mail to O365 while
  we migrate our users out there.
  We have just finished migrating, but just a couple of days ago we started experiencing delays in email delivery to O365... Not all mail, but some!  Incoming email or locally generated email gets relayed out through the Hybrid server and out to O365,
  but not all email is delayed... only some, but it's constant.  During the busiest part of the day, about 200 messages are sitting in the Queue in Exch2013... but they all eventually resolve between 5 and 45minutes.  The users are not happy.
  The last error in the queue viewer for each hung email reads:  451 4.4.0 Temporary server error.  Please try again later.
  If I look at the message tracking logs, I find an interesting item -- "RecipientThreadLimitExceeded":
  2014-05-15T14:15:51.608Z,192.168.3.11,hydra,207.46.163.215,company-mail-onmicrosoft-com.mail.protection.outlook.com,RecipientThreadLimitExceeded,Outbound to Office 365,SMTP,DEFER,10307921510617,<[email protected]>,885ea3ce-a020-41b1-8950-08d13e58d6d3,[email protected],451
  4.4.0 Temporary server error. Please try again later,10117,1,,,Read: This is your generic subject line,[email protected],[email protected],2014-05-15T14:16:51.608Z,Undefined,,,,S:Microsoft.Exchange.Transport.MailRecipient.RequiredTlsAuthLevel=Opportunistic;S:Microsoft.Exchange.Transport.MailRecipient.EffectiveTlsAuthLevel=EncryptionOnly;S:DeliveryPriority=Normal
  I have tried to find some documentation on resolution for this RecipientThreadLimitExceeded error, but I can only come up with some Exchange 2011 documentation which recommends adding some entries to the EdgeTransport.exe.config file to bump up the RecipientThreadLimit
  value... I have not found anything pertaining to 2013.  I cannot even find any powershell commands to see what the current RecipientThreadLimit is on 2013!  Aghg!
  Has anyone seen this before, or have any recommendations?
  Thank you,
  Mike

  After many days of frustration, Microsoft Support finally resolved this issue.  Believe it or not, but the issue was actually on the Office365 side.  Here's the fix:
  Exchange Admin Center -> Mail Flow -> Connectors -> Inbound Connectors
  Open your "Inbound from <guid>" with the "On-premises" connector type
  Click on Scope -> scroll down to "Associated accepted domains"
  We had an entry in there "<organization>.mail.onmicrosoft.com"... Microsoft support had us remove this entry so that the box was completely empty.
  That RESOLVED it... amazing what what little entry could do.  We've had this entry in there for about 2 months, and it had been working fine.  Support acknowledged that several customers have had this issue, that they are working on getting it
  fixed on the back-end.
  Hope this helps somebody... 
  -Mike

• Is there throttling going on here? Constantly queued emails on Hybrid Exch 2013 server with error RecipientThreadLimitExceeded in message tracking logs...

  Please let me know if anyone knows an answer to this one... We're in a Hybrid Exchange environment, with 2 x Exchange 2007 servers,  and 1 x Exchange 2013 Hybrid server which is pointing to Office 365 for the purposes of relaying mail to O365 while we
  migrate our users out there.
  We have just finished migrating, but just a couple of days ago we started experiencing delays in email delivery to O365... Not all mail, but some!  Incoming email or locally generated email gets relayed out through the Hybrid server and out to O365, but
  not all email is delayed... only some, but it's constant.  During the busiest part of the day, about 200 messages are sitting in the Queue in Exch2013... but they all eventually resolve between 5 and 45minutes.  The users are not happy.
  The last error in the queue viewer for each hung email reads:  451 4.4.0 Temporary server error.  Please try again later.
  If I look at the message tracking logs, I find an interesting item -- "RecipientThreadLimitExceeded":
  2014-05-15T14:15:51.608Z,192.168.3.11,hydra,207.46.163.215,company-mail-onmicrosoft-com.mail.protection.outlook.com,RecipientThreadLimitExceeded,Outbound
  to Office 365,SMTP,DEFER,10307921510617,<[email protected]>,885ea3ce-a020-41b1-8950-08d13e58d6d3,[email protected],451
  4.4.0 Temporary server error. Please try again later,10117,1,,,Read: This is your generic subject line,[email protected],[email protected],2014-05-15T14:16:51.608Z,Undefined,,,,S:Microsoft.Exchange.Transport.MailRecipient.RequiredTlsAuthLevel=Opportunistic;S:Microsoft.Exchange.Transport.MailRecipient.EffectiveTlsAuthLevel=EncryptionOnly;S:DeliveryPriority=Normal
  I have tried to find some documentation on resolution for this RecipientThreadLimitExceeded error, but I can only come up with some Exchange 2011 documentation which recommends adding some entries to the EdgeTransport.exe.config file to bump up the RecipientThreadLimit
  value... I have not found anything pertaining to 2013.  I cannot even find any powershell commands to see what the current RecipientThreadLimit is on 2013!  Aghg!
  Has anyone seen this before, or have any recommendations?
  Thank you,
  Mike

  After many days of frustration, Microsoft Support finally resolved this issue.  Believe it or not, but the issue was actually on the Office365 side.  Here's the fix:
  Exchange Admin Center -> Mail Flow -> Connectors -> Inbound Connectors
  Open your "Inbound from <guid>" with the "On-premises" connector type
  Click on Scope -> scroll down to "Associated accepted domains"
  We had an entry in there "<organization>.mail.onmicrosoft.com"... Microsoft support had us remove this entry so that the box was completely empty.
  That RESOLVED it... amazing what what little entry could do.  We've had this entry in there for about 2 months, and it had been working fine.  Support acknowledged that several customers have had this issue, that they are working on getting it fixed
  on the back-end.
  Hope this helps somebody... 
  -Mike

• Mail users have spam sent to their secondary SMTP addresses forwarded to their personal e-mail addresses- Exchange 2010

  We currently have a spam issue relating to the secondary SMTP e-mail addresses of all our Mail Users.
  Example: Peter Smith has an AD account on our company.com domain and an associated external e-mail address ([email protected]) i.e. he has an AD account ([email protected]) with Mail User Exchange attributes so that he can logon
  to our SharePoint server. However, this AD account also becomes a fully functional secondary SMTP address and all spam sent to [email protected] also gets forwarded to [email protected]
  To mitigate this issue, I have added this secondary e-mail address to the "Recipient filtering properties > Block messages sent to the following recipients" in Hub Transport/Anti Spam.
  Two questions:
  1. Is there an easy way to delete the secondary SMTP addresses of mail users? I was unable to (it just reappeared shortly after deletion)
  2. What is the PS command to export a list of all secondary SMTP e-mail addresses OF MAIL USERS and then adding this list to "Recipient filtering properties > Block messages sent to the following recipients". I could manually add them
  in EMC but there are quite a few of them...
  Many thanks for your help!

  Now that I understand what's happening, let me see if we can get a more accurate solution for you.  So your mail users (Exchange calls them mail-enabled users, as opposed to mailbox enabled users, who have mailboxes) have SharePoint access (with the
  @company.com address), but have actual mailboxes externally (the actual end-domain is inconsequential).  You want users of these systems to stop receiving emails on the company.com namespace, but to receive them from only your SharePoint system. 
  A "textual diagram" is below:
  SharePoint (to Exchange mailbox owner) ==> Exchange hub (using company.com) ==> Exchange mailbox
  SharePoint (to External mail user) ==> Exchange hub (using company.com) ==> Exchange mail contact ==> External system (using external SMTP address
  External Messaging system (to External mail user, using company.com address used by SharePoint) ==> Exchange hub =XX=> Block delivery
  You wish to stop the third of these from happening.  If your SharePoint system used non-routable addresses (such as company.local) and all of your mail users had only these addresses added to their accounts for internal mail precossing (as the
  internal name used by Exchange), this would solve your issue.  The question becomes how to deploy this sort of address. 
  If these are the ONLY mail contacts in your organization, the solution is simple - you almost had it above, but may have missed seeing it.  Policies are applied on a priority basis, with the default policy applying only if no others apply.  Since
  these accounts are considered "Contacts with external e-mail addresses", you can create a policy for your entire organization that handles only these accounts.  You don't need to apply it to a single OU, if your mail enabled accounts aren't
  in a single OU.  (If they are, of course, feel free to apply it only there.)  You can create the policy and apply it to the organization, but only to those objects that are "Contacts with external e-mail addresses".  That way, it won't
  affect any of your Exchange mailboxes (current or future).
  Does this help?
  (BTW, one minor correction - your third statement about mail contacts is incorrect - Exchange sees no major difference between mail contacts and mail enabled accounts - and in my experience they are both addressable by the internal address.)

• Exchange Server 2010 - Message Tracking Logs - Log file creation

  Hi,
  I would like to find out on the behavior of the exchange server in the way that it logs the message tracking.
  Currently the parameter used is 
  MessageTrackingLogMaxDirectorySize - 10GBMessageTrackingLogMaxAge - 30daysI would like to check when the Max Directory Size has exceeded the value indicated, does Exchange server immediately deletes the oldest log file to make space for the new logs?And in the event that the oldest file is being open or locked, will exchange server delete the next oldest file? or it will reattempt to delete the "locked" file for a period of time?Lastly, when these "oldest" files is not able to be deleted, will exchange server stops logging new tracking events?Thanks!

  Hi Zack,
  Thank you for your question.
  If you have configured the parameter of “MessageTrackingLogMaxDirectorySize” and “MessageTrackingLogMaxAge”, we think you have enable circular logging, it will delete the oldest message tracking log files for new log file when the either of the following
  conditions is true:
  The message tracking log directory reaches its specified maximum size.
  A message tracking log file reaches its specified maximum age.
  In addition, it didn’t exceeded the value indicated.
  If there are any questions regarding this issue, please be free to let me know. 
  Best Regard,
  Jim
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Jim Xu
  TechNet Community Support

• Message tracking log - time period

  Hi,
  How long are message tracking logs keeped on appliance?
  How can i control message tracking logs.
  Lots of HDD space available and I want 3 months of available Message Tracking logs.
  When are Message traking logs deleted from the appliance?

  Message tracking is based on the drive space available on the ESA appliance.
  It is not possible to configure the # of days for retention of message tracking data. The set HDD storage allocation for message tracking data is limited. HDD storage allocation is set based on the hardware:
  C1X0: 10G
  C3X0: 20G
  C6X0: 50G
  X10X0: 50G
  Your best solution in order to store mail logs/message tracking - would be to also have configured to store the mail_logs off to a syslog server --- that way you can determine the full extent/length of the retention period.  (And also allows you to search/manipulate all mail_logs with a little easier access that may be available on the ESA.)
  Hope that helps!
  -Robert

• More Info Needed in Message Tracking Logs in Exchnage 2010 MAILBOX

  Hello All
  I would like to understand more on message tracking which was little bit confused for me 2 days back.
  As far as i can know, HUB SERVER is  the main part of the messaging tracking is playing  vital role in Exchange 2010.
  also, mailbox roles too...
  i can see the message tracking logs created in mailbox is only usefull , for  web interface for message tracking is part of the Exchange Control Panel and provides very basic search
  functionality to search for messages either sent by or received by a mailbox, based on the sender, recipients, and subject line.  
  so message tracking logs which is available in mailbox is only user for end users who can perform the message tracking by themself vua ECP without installing EMC. -- AM I RIGHT  
  How will message tracking logs created in mailbox servers .......... will it replicate from HUB servers?  
  so if i have 4 mailbox servers, will all the mailbox servers having the same message tracking logs? or we may get different
  Your information is much valuable to better understand on MT

  Hi Rush,
  Please checkout this technet blog available at below link which clarify your concern in depth:
  http://blogs.technet.com/b/messaging_with_communications/archive/2011/04/22/how-to-track-message-in-exchange-2003-2007-2010.aspx
  http://exchangeserverpro.com/exchange-2010-message-tracking/
  However, a helpful resource you can checkout at here(http://www.exchangereports.net/) which comes with similar features while need to track mailboxes(sent/received emails), server traffic reports or folder reports in exchange server. It facilitates to produce
  the reports in various format which suits better in our environment.

• Will Exchange ever support sending mail from a secondary smtp address?

  Most here probably know this but a quick recap:
  User has PrimarySMTP address of [email protected] and secondary SMTP of
  [email protected] In Outlook, if you set the secondary SMTP address in the "From" field, Exchange will throw an "undeliverable" error stating you're not authorized to send mail as
  this user. I know there's
  3rd party tools that can help you with this, and ways to circumvent this (using extra accounts or distrigroups) but it's actually really annoying. I've been involved with a lot of companies with different brands (and a domain for each brand) and
  who want to communicate with the outside world using these different brandnames. One salesmanager could be involved with different brands and right now you'll have to create a new account or group for each and every brand/domainname.
  With every new Exchange one of the first things I check if this behaviour has changed.. Will this ever be implemented? Is there anyone here that could shed some light on that? Is there a reason why this does not change?
  Kind regards,
  Remco Roxs

  Nobody who participates in these forums knows what the future holds at Microsoft.  If we did, we wouldn't be able to share it with you in any case because we'd be sworn to secrecy.
  Just buy this for your sales manager: http://www.ivasoft.biz/choosefrom2007.shtml
  Or just tell him to use two mailboxes.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Exchange 2010 Message Tracking Logs and Calendar appointments

  A little context here...  We consume our message tracking logs with splunk so I can easily search and locate entries as needed.  I have an alert that generates an email when specific calendars accept a meeting request.
  I can pull the meeting title and specific calendar name, but the problem I am having is determining when the "meeting" is scheduled.  The data in the tracking logs shows me that the meeting was accepted today, but the actual meeting may not
  be for a week or more in the future.
  Is there any data in the tracking logs that can be translated to show the actual date of the meeting?
  Here is an example sanitized meeting request and acceptance
  REQUEST:
  2014-05-29T18:44:29.183Z,fe80::xxx,xxx,,xxx,"MDB:xxxx,
  Mailbox:xxxx,
  Event:92395630, MessageClass:IPM.Schedule.Meeting.Request,
  CreationTime:2014-05-29T18:44:28.762Z,
  ClientType:MOMT",,STOREDRIVER,SUBMIT,,<[email protected]>,,,,,,,Leaving
  Early,[email protected],,2014-05-29T18:44:28.762Z;LSRV=xxx.com:TOTAL=0,,,,,S:ItemEntryId=00-00-00-00-72-F7-4F-55-9A-2E-40-4C-93-52-BC-B4-7A-79-0D-92-07-00-40-1B-2D-18-F9-4B-C3-40-84-81-FF-EA-46-AC-E3-0D-00-00-00-00-00-09-00-00-40-1B-2D-18-F9-4B-C3-40-84-81-FF-EA-46-AC-E3-0D-00-00-09-95-6F-D7-00-00
  RESPONSE
  2014-05-29T18:44:31.211Z,fe80::xxx,xxx,,xxx,"MDB:xxx,
  Mailbox:xxx,
  Event:47712341, MessageClass:IPM.Schedule.Meeting.Resp.Pos,
  CreationTime:2014-05-29T18:44:30.353Z,
  ClientType:EventBasedAssistants",,STOREDRIVER,SUBMIT,,<[email protected]>,,,,,,,Accepted:
  Leaving Early,[email protected],,2014-05-29T18:44:30.353Z;LSRV=xxx.com:TOTAL=0,,,,,S:ItemEntryId=00-00-00-00-F2-AF-A9-28-DA-90-61-43-92-18-C5-86-08-7C-FE-1C-07-00-66-37-7F-D0-4D-82-73-48-8B-E2-10-A1-0B-58-DF-77-00-00-00-A5-FF-57-00-00-66-37-7F-D0-4D-82-73-48-8B-E2-10-A1-0B-58-DF-77-00-00-00-A6-31-9A-00-00

  Actual date of the meeting wouldn't be there in the message tracking log. As name says its tracking log for the message in transit, not the content information :) 
  Actual meeting date/time should be inside the meeting message under one of the message property which you can look by opening meeting in outlook or via MFCMapi if you want.
  Blog |
  Get Your Exchange Powershell Tip of the Day from here

• Query Archived Message Tracking Logs

  Hi,
  How can we query archived message tracking logs restored from backup from EMS?
  Regards,
  Irfan
  Irfan Goolab SALES ENGINEER (Microsoft UC) MCP, MCSA, MCTS, MCITP, MCT

  Hi Irfan,
  I am a little confused, could you please describe your requirements in more detail ?
  If you want to restore a message , you can use "Search-Mailbox" cmdlt to find and recover it;
  More details for your reference:
  https://technet.microsoft.com/en-us/library/ff660637(v=exchg.150).aspx
  Best regards, 
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Niko Cheng
  TechNet Community Support

• Definition of timestamp field in the message tracking log

  Hi,
  anyone can help me with the exact definition of timestamp field that I retrieve in the messagetracking log?
  I think that is the exact time by which the exchange server receive a mail and start to elaborate it
  Can you confirm please
  Thank you very much
  Luca Pozzoli

  Hi ,
  Please have a look in to the below mentioned points .
  Anyone can help me with the exact definition of timestamp field that I retrieve in the messagetracking
  log?
  Time stamp in exchange will help us identity at when and what time the message has been received and processed
  from source server to destination server.
  With the help of time stamps we can able to identify the message delay between the hops .
  As an additional info you can review the time stamps in message headers as well on the message tracking logs.
  Regards
  S.Nithyanandham
  Thanks S.Nithyanandham

• Attachment Name of emails from Message Tracking Logs

  Hi,
  I have been able to get NDR from message tracking logs in Exchange 2010 using Exchange Management Shell. Is it possible to include the file name of the attactment of the emails from the report generated?
  Regards,
  Emansky
  All the best, Eman Lacuata

  Hi,
  No that is not possible. 
  Message tracking will never include names of attachments.
  Martina Miskovic - http://www.nic2012.com/
  Agree.
  Refer to:
  Managing Message Tracking
  http://technet.microsoft.com/en-us/library/bb124375(EXCHG.80).aspx
  Note: Content specific to Exchange 2010 SP1 will be available at a later date.   
  Best Regards Fiona Liao E: [email protected]