http://blogs.technet.com/exchange/archive/2004/07/06/174188.aspxI have been asked this question several times. The short answer is that Archive Sink allows capturing emails that go through a specific SMTP virtual server. Journaling will capture every email that is sent and/or received by users that are hosted in aen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/exchange/archive/2004/07/06/174188.aspx#175154Wed, 07 Jul 2004 11:41:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:175154David R. HibbelnCompliance requirements - The issue is much larger then just Sarbanes-Oxley and HIPPA. <br> <br>The need of companies to be able to produce copies of e-mail when discovery happens in civil ligitgation is going to be more common place faster then most people think. <br> <br>Several changes in the procedures followed in various jurisdictions have all ready happened and this trend will acclerate. <br> <br>It is there responsiblity of the producing party (the one served with the discovery <br>motion) to supply the e-mails. This effects ANY business that has an e-mail server. <br> <br>There is a need for the ablity to be able to index, search and produce all the e-mails sent with in an organization based on the terms of the discovery order issued by the judge. <br> <br>This is NOT just a big company issue, it is all company with e-mail. <br> <br>Hopefully the Exchange Team is having some discussion with the computer forensic's / electronic discovery community about these issues. <br> <br>drh at hibbeln dot nethttp://blogs.technet.com/exchange/archive/2004/07/06/174188.aspx#180799Mon, 12 Jul 2004 16:34:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:180799Nick WadeGreat article Max, thank you. As David points out there are larger compliance considerations and we thank you for also pointing out your archiving partners who can assist in this space. Sidbar; there is an email forensics team internal to Microsoft somewhere and this group's opinion would be interesting. <br> <br>Onto a question I have - ArchiveSink is particular to Exchange Servers in that it relies on Event Sink stuff from Exchange. Is there a way (and I haven't done any R&amp;D, this just popped up at the right time) where an IIS SMTP Server can be made to drop a copy of all messages passing through to a disk queue for &quot;archiving&quot;? EML format would be suitable. Or perhaps another way of doing essentially what ArchiveSink does, but without Exchange involved? I'm thinking of SMTP gateway boxes where IIS alone is being used. <br> <br>Cheershttp://blogs.technet.com/exchange/archive/2004/07/06/174188.aspx#180801Mon, 12 Jul 2004 16:43:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:180801Nick WadeErrr - okay, now I feel like a fool for posting that question, the first bit of google-fishing (bring on the new MSN Search!!) I did brought up an older blog (<a target="_new" href="http://blogs.msdn.com/exchange/archive/2004/02/19/76432.aspx">http://blogs.msdn.com/exchange/archive/2004/02/19/76432.aspx</a>) from the Exchange team - which answers my question in a basic fashion at this point - but it does rely on the SMTP box being the endpoint for that email traffic. I'm also interested in mail passing through, rather than being at the end of it's travel... hence ArchiveSink-like functionality would be cool...I'm thinking the sink sample provided in the blog post I just referenced could be modded to do similar things? <br> <br>Cheershttp://blogs.technet.com/exchange/archive/2004/07/06/174188.aspx#185815Sat, 17 Jul 2004 01:04:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:185815David BarnesThis is good and very close, but I find outbound messages are not logged? have I missed something.. <br>I find the messages 'pre SMTP format' in \Mapi-Gateway Messages, but this does not show what the server actually sent to the destination. <br> <br>Personal view, but I find Exchange 5.5's protocol logging and archival better and far easier to trace and diagnose what came in/went out. Yes I know there could be inprovements, like logging the IP address and noting the message archive file in the protocol log and perhaps even having a copy of the protocol session data at the top and bottom of each message archive file. <br> <br>The IIS protocol log is a mess (again personal view).. can we go back to one logfile per session. and can we have the ability to FULLY log everything INCLUDING the message in the protocol log, so things are consistent and very easy to diagnose. <br>Oh and while I'm asking can we see exposure of the DNS MX lookup, that was performed to find the destination server, in the protocol log. <br> <br>The sinks are a very good idea and provide the ability to do lots of good stuff (like global footers etc) but for diagnostics and LEGAL purposes we do need to be able to see an exact log of what the server actually sent and recieved. with sinks you can't be certain that another sink existed after/before the archive one that modified the message.. <br>My thoughts as a techie is that an archive journal would not stand up in court as I would not be able to prove/disprove the existance of any other sinks. <br>In the UK we don't worry so much about Sarbanes-Oxley and HIPPA. What we do wory about is e-mail is a legal comunication method and a copy of the message send must be just that a copy of what was sent/recieved over the wire. I've put exchange 2003 in for some firms of solicitors here and we still have to feed everything through an Exchange 5.5 server as the logging and journal is accepted PROOF, but I'm told that everyones still arguing about 2000+ [This could be totally wrong by now though].