Thoughts on What is Journaled and What is not in Exchange 2003/2007/2010

 

Whether read receipts, delivery receipts, moderation requests/acceptances, OOF messages, and admin audit messages are journaled depends on certain factors.

 

These factors are

1. Which database is being journaled.

2. Recipient or sender being journaled.

3. Which version of Exchange (2003 or 2007/2010).

4. Which type of report: DR, OOF, RR, etc.

 

Below is a guideline on what to expect from a journaling perspective-

Read Receipts and OOF messages-

These messages are generated by the recipient mailbox (the mailbox from which a read receipt is requested, or the mailbox set up for OOF).

Thus, as can be expected, if the recipient and/or sender is journaled, then we will have a journal report for these types of messages.

 

Delivery Receipts/Reports-

Delivery receipts are generated by the receiving server and, depending on the version of Exchange, will come from the postmaster address or the special Microsoft Exchange Recipient account.

 

In Exchange 2003, the account used to install Exchange (typically the administrator) will be stamped with a secondary proxy of “<postmaster@authoritativedomain>”. It is this account that is used to send delivery receipts. Thus, if the sender (requestor) of a delivery receipt request is not journaled and the administrator account is also on a non-journaled DB, a journal report for a delivery receipt will not be created. Either the sender or the administrator account (postmaster) must be enabled for journaling.

 

In Exchange 2007/2010 this has changed, as delivery receipts come from the special Microsoft Exchange Recipient account. This is a special account with no mailbox and as such cannot be journaled. Thus, if the sender of a delivery receipt request is not journaled, a journal report of a delivery receipt will not be present on Exchange 2007/2010.

On how to create a mailbox for this special account, see this article- https://technet.microsoft.com/en-us/library/bb430759.aspx

Moderation Requests/Acceptances-

Moderation messages are special messages sent to a designated group moderator for approval to send messages to that group. This is a feature specific to Exchange 2010.

The initial moderation request to send to a DL is generated by the special Arbitration mailbox and sent to the moderator.

Thus, if the Arbitration mailbox and the moderator are both on non-journaled databases, a journal report will not be generated. At least one of the two needs to be journaled for a journal record of the initial request.

A moderation approval message is sent from the moderator to the Arbitration mailbox, so the above applies to this type of message as well.

You can read more about moderation here-

https://technet.microsoft.com/en-us/library/dd297936.aspx
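
To see which side of the moderation exchange described above would produce a journal record, the following added example (not part of the original post) lists the journaling state of the arbitration mailboxes and of each moderator's mailbox. It assumes the Exchange 2010 Management Shell and checks only per-database journaling, not journal rules; `Get-JournalState` is a helper defined in the example, not an Exchange cmdlet.

```powershell
# Added example. Run in the Exchange 2010 Management Shell.
# Assumption: only standard (per-database) journaling is checked, not journal rules.

# Database name -> journal recipient (empty when the database is not journaled).
$journalByDb = @{}
Get-MailboxDatabase | ForEach-Object { $journalByDb[$_.Name] = $_.JournalRecipient }

# Helper defined for this example: journaling state of one mailbox's database.
function Get-JournalState($Mailbox, $Role, $Group) {
    $db = $Mailbox.Database.Name
    New-Object PSObject -Property @{
        Role             = $Role
        Group            = $Group
        Mailbox          = $Mailbox.Name
        Database         = $db
        JournalRecipient = $journalByDb[$db]
        Journaled        = [bool]$journalByDb[$db]
    }
}

# Collect the groups first: nesting Exchange cmdlets inside a running
# remote pipeline fails with a "pipelines cannot be executed concurrently" error.
$groups = @(Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.ModerationEnabled })

$report = @(
    # Arbitration mailboxes generate the initial moderation request.
    Get-Mailbox -Arbitration | ForEach-Object { Get-JournalState $_ 'Arbitration' '-' }

    # Moderators receive the request and send the approval back.
    foreach ($group in $groups) {
        foreach ($moderator in $group.ModeratedBy) {
            # Moderators that are not mailboxes (for example contacts) are skipped.
            $mbx = Get-Mailbox -Identity $moderator.DistinguishedName -ErrorAction SilentlyContinue
            if ($mbx) { Get-JournalState $mbx 'Moderator' $group.Name }
        }
    }
)

# A moderated group has no journal record of its requests or approvals when
# both its moderators and its arbitration mailbox show Journaled = False.
$report | Sort-Object Group, Role |
    Format-Table Group, Role, Mailbox, Database, Journaled, JournalRecipient -AutoSize
```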

 

Admin Audit Messages-

The admin audit mailbox is used for auditing cmdlets in Exchange 2010.

In the RTM version of 2010 you can specify an audit mailbox. In SP1 you cannot, and the arbitration mailbox is used. This cannot be changed.

In either version, admin audit messages are NEVER journaled, regardless of the account being audited.

This is “by design”.

You can read more about admin auditing here-

RTM- https://technet.microsoft.com/en-us/library/dd335052(EXCHG.140).aspx

SP1- https://technet.microsoft.com/en-us/library/dd335052.aspx

 

Finally, while we are on the subject of what is journaled and what is not, let me pause here to mention that journaling to a DL (i.e. using a distribution group as a journal recipient) is not supported for Exchange 2003.

A while back I wrote a KB on the topic, which you can read here- https://support.microsoft.com/kb/2458386

However, with the move of store driver and content conversion from store to transport in Exchange 2007/2010, this is now possible in those versions of Exchange.

 

Hope this was helpful to you compliance-minded readers.

Till next time.