SecureStore will archive email messages that pass through the Mailprotector perimeter. (Outbound connectors must be configured to relay email through Mailprotector's smart host.) However, internal messages on Exchange Online will not be routed outside the Exchange environment. Therefore, creating a journaling rule in Exchange Online is necessary to journal messages between intra-domain users.
IMPORTANT: The screenshots provided in this article may differ slightly from what you see, because Microsoft continues to modify the Microsoft Office 365 and Exchange Online Admin Centers. If you need help with the configuration, please get in touch with the Partner Success team.
For on-premises or virtually hosted Exchange servers, please go to Configure SecureStore Journaling with Exchange 2013/2016.
This article assumes you have already enabled SecureStore in the Mailprotector Console for the intended domain. If you have not enabled SecureStore in the Console, you will not have the journaling address needed to complete the journal rule configuration steps.
We recommend you have both the Mailprotector Console and the Exchange Admin Center open to complete the required steps.
Summary of Required Information
- Unique journaling address from the Mailprotector Console.
- An alternate email address for journaling non-delivery reports. This address should be something your support team monitors for problems.
- Access to the Exchange Admin Center for your client's domain.
1. Obtain the Journaling Address
1a. How to Find the Address in the Mailprotector Console
- Navigate to the Mailprotector Console at emailservice.io
- Navigate to the domain you are working on in the Console
- Select the "Archiving" tab
- The Journaling Address will be at the bottom of the page for you to utilize
The SMTP Collector/Journaling Address is the unique mailbox assigned to the domain to capture messages for archiving. The address will be required later to configure the journal rule on the Exchange server or O365 tenant.
2. Configure the Journaling Connector
2a. Add Connector for Journaled Emails
The connector for journaled emails prevents journaling from using the Mailprotector smart host. Journaled messages should not be filtered.
The following steps are performed from the Exchange Admin Center (EAC). If you need help accessing the EAC in 365, please get in touch with your team's Exchange expert.
- On the Exchange Admin Center page, navigate to Mail Flow --> Connectors.
- Click the Add a connector link on the Connectors page.
- Select Office 365 as the connection from and Partner organization as the connection to.
- Create a name for the new connector, such as SecureStore Connector. The description can be left blank or used to document the connector's purpose.
- Select Only when email messages are sent to these domains.
  The domain to add is:
- Select Routing email through these smart hosts.
  The host to add is:
- Use the default settings for security restrictions.
- Add the journaling address from Step 1a to validate the connector.
2b. Configure Journaling Rule
After creating the connector for journaled messages, add the journaling rule to Exchange Online. The rule is designed to journal internal emails only. Email coming from or going to the internet is journaled automatically by Mailprotector.
- Go to the Compliance Admin Center.
- In the Compliance Admin Center (Microsoft Purview), click on Exchange (legacy) under the Data lifecycle management menu.
- Click on Journal rules and then New rule to begin the creation of the journaling rule.
- Add the journaling address from Step 1a to the Send journal reports to field.
- Select Everyone for Journal messages sent or received from, and Internal messages only for Type of message to journal.
- Modify the Journal rule name if desired, for example:
- Click the Submit button on the review rule page.
3. (Optional) Prevent winmail.dat Type Messages from Being Archived
Unfortunately, email encoding can cause winmail.dat files to be attached to emails despite an administrator's best efforts to configure the server and clients to use HTML or plain text messaging. Configuring a mail flow rule for the remote domain to the SecureStore archive can prevent the archiving of winmail.dat attachments.
BEST PRACTICE: We recommend configuring this mail flow rule to prevent winmail.dat files, especially for messages that are sent from your client's organization and include both an internal and an external recipient. That type of message is the most likely to create winmail.dat attachments.
From the Exchange Admin Center (EAC):
- Click on Remote domains from the Mail flow menu.
- Click on Add a remote domain on the Remote domains page.
- Give the remote domain a descriptive Name such as:
- The Remote domain is:
- Select None for Out of Office automatic reply types, and leave the Automatic replies default as checked.
- The Message reporting default options are correct.
- Select Never for Use rich-text format, and leave None as the default option for both Supported Character Sets.
- Click the Save button on the Review page to complete the configuration.
This completes the journaling configuration to SecureStore from your Microsoft Office 365 tenant.
NOTE: Propagation of the new settings could take an hour or more to filter through Microsoft 365 services. The exact timeframes are unknown to Mailprotector.
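For administrators who script tenant setup, the following is an added example (not part of the original Mailprotector article) that performs steps 2a, 2b and 3 with Exchange Online PowerShell and then reads the settings back for review. Every value in angle brackets is a placeholder to be replaced with the value from the Console or from the steps above; the journal rule name, the remote domain name and the TLS setting are assumptions.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and Exchange admin rights.
# Placeholders: substitute the real values from the Mailprotector Console / this article.
$AdminUpn       = '<admin-upn>'
$JournalAddress = '<journaling-address-from-step-1a>'
$NdrAddress     = '<monitored-ndr-mailbox>'          # alternate address for journal NDRs
$ArchiveDomain  = '<domain-from-step-2a>'
$SmartHost      = '<smart-host-from-step-2a>'
$RemoteDomain   = '<remote-domain-from-step-3>'

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Step 2a: partner connector so journal reports bypass the filtering smart host.
# Assumption: CertificateValidation corresponds to the wizard's default security setting.
New-OutboundConnector -Name 'SecureStore Connector' `
    -ConnectorType Partner `
    -RecipientDomains $ArchiveDomain `
    -SmartHosts $SmartHost `
    -UseMXRecord $false `
    -TlsSettings CertificateValidation `
    -Enabled $true

# Same check as the wizard's validation page: send a test message to the journaling address.
Validate-OutboundConnector -Identity 'SecureStore Connector' -Recipients $JournalAddress

# Undeliverable journal reports go to a mailbox the support team monitors.
Set-TransportConfig -JournalingReportNdrTo $NdrAddress

# Step 2b: journal internal messages only; omitting -Recipient applies the rule to everyone.
# The rule name is a hypothetical example.
New-JournalRule -Name 'SecureStore Internal Journaling' `
    -JournalEmailAddress $JournalAddress `
    -Scope Internal `
    -Enabled $true

# Step 3 (optional): never send rich-text (TNEF) to the archive, which is what
# produces winmail.dat attachments. The remote domain name is a hypothetical example.
New-RemoteDomain -Name 'SecureStore Archive' -DomainName $RemoteDomain
Set-RemoteDomain -Identity 'SecureStore Archive' -TNEFEnabled $false -AllowedOOFType None

# Read the settings back and compare them with the values entered above.
Get-OutboundConnector -Identity 'SecureStore Connector' |
    Format-List Name, Enabled, RecipientDomains, SmartHosts, UseMXRecord, TlsSettings
Get-JournalRule | Format-Table Name, Scope, Recipient, JournalEmailAddress, Enabled
Get-RemoteDomain -Identity 'SecureStore Archive' |
    Format-List DomainName, TNEFEnabled, AllowedOOFType
(Get-TransportConfig).JournalingReportNdrTo
```

In the read-back, confirm that the journal rule shows Scope Internal with an empty Recipient and that the connector's RecipientDomains lists only the archive domain, so that no other outbound mail is routed around filtering.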
If you have more questions about configuring the journaling rule in 365 or find errors with this knowledge base article, please contact the Partner Success team.