
journal archive email format and dlp issue

We exported the email from the journal archive from DA as PST, then converted it to EML, which will be scanned by Symantec DLP Network Monitor. However, the incident created has no email address, only the sender name or recipient name.

The question is: when EV archived the email, which format did it archive? Does it include the address or only the name? From DA, there is an option to enable showing the email address. See this KB: http://www.symantec.com/docs/TECH166289

Thanks. 

Accepted Solution!

I think it's the envelope journaling that is the key here. The message itself (P2) is actually submitted using the sender/recipient canonical name, and the hub transport server will add the SMTP address as it puts the message in its envelope (P1). See MS for more detail on how envelope journaling works with internal addresses: http://msdn.microsoft.com/en-us/library/office/cc842372.aspx

When EV stores the item in the archive, the P2 is stored since it is the actual message, and the information in the P1 is written to the index and saveset metadata, and the P1 envelope is discarded. When you perform a PST export, you are not recreating this envelope. You are just exporting the actual message, and the SMTP address is not written on the actual message.

FWIW, if you enable the API then DA gets the sender/recipient address by going through the API to read the saveset metadata, but I believe that is just for review and not for exports.

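A check one could run over the converted EML files before they reach the DLP monitor, to list header entries that carry a name but no SMTP address (an added example, not part of the thread or of any Symantec tooling; the function names and both sample messages are constructed for illustration):

```python
import re
from email import message_from_string

ADDR_HEADERS = ("From", "Sender", "To", "Cc", "Bcc")
# Loose addr-spec match: enough to tell "has an SMTP address" from "name only".
ADDR_SPEC = re.compile(r'[^\s<>",;:()]+@[^\s<>",;:()]+')

def split_mailboxes(value):
    """Split a header value on commas that sit outside quotes and <...>."""
    parts, buf, in_quote, in_angle = [], [], False, False
    for ch in value:
        if ch == '"' and not in_angle:
            in_quote = not in_quote
        elif ch == "<" and not in_quote:
            in_angle = True
        elif ch == ">" and not in_quote:
            in_angle = False
        if ch == "," and not in_quote and not in_angle:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def name_only_mailboxes(eml_text):
    """Return {header: [entries with no SMTP address]} for one EML message."""
    msg = message_from_string(eml_text)
    findings = {}
    for header in ADDR_HEADERS:
        for raw in msg.get_all(header, []):
            missing = [m for m in split_mailboxes(raw) if not ADDR_SPEC.search(m)]
            if missing:
                findings.setdefault(header, []).extend(missing)
    return findings

# Constructed sample: exported message whose headers hold display names only.
SAMPLE_NAME_ONLY = ('From: Pat Example\n'
                    'To: "Lee, Ajay", Chris Example <chris@example.com>\n'
                    'Subject: test\n\nbody\n')
# Constructed sample: message whose headers carry SMTP addresses.
SAMPLE_WITH_ADDRESSES = ('From: Pat Example <pat@example.com>\n'
                         'To: ajay@example.com\n'
                         'Subject: test\n\nbody\n')

if __name__ == "__main__":
    for label, text in (("name-only", SAMPLE_NAME_ONLY),
                        ("with-addresses", SAMPLE_WITH_ADDRESSES)):
        print(label, name_only_mailboxes(text))
```

A non-empty result for a file means a DLP incident built from that message's headers alone would show names without addresses.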

10 Replies

Hello Pat,

When EV archives the email it never changes any information, including header information. That means, for example, if the To field of the email contains the email address, then EV archives it and the shortcut displays the email address. If the To field contains the display name, then EV archives it and the shortcut displays the display name.

 

Hi Ajay,

 

So do you mean DA displays using the display name while EV indexes the item using the message header?

 

Thanks. 

Yes ..... DA displays using the display name; that's why the hotfix is mentioned in the TechNote. EV indexes the whole data.

Were the original items sourced from Exchange and collected by Envelope Journaling?

Envelope journaling. The items are from journal archives.

If the API option is enabled, where does DA get the sender address or recipient address?

Hi Pat.

Any update on this issue?

 

I can see the SMTP address in the email which was exported as PST. Just the display name issue. However, in a PST file I got from a POP3 mail account, the display name will show the name and email address.

Hi,

Do you have any updates on this thread? Do you need more assistance regarding this topic? Please mark the post that best solves your problem as the answer to this thread.

 

Can close this issue. Thanks.