journal archive email format and dlp issue

Created: 24 Jul 2013 • Updated: 09 Aug 2013 | 10 comments
patriot3w's picture
This issue has been solved. See solution.

We exported the email from the journal archive from DA as PST, then converted it to EML, which will be scanned by Symantec DLP Network Monitor; however, the incident created has no email address, only the sender name or recipient name.

The question is: when EV archived the email, in which format did it archive it? Does it include the address or only the name? From DA, there is an option to enable showing the email address. See this KB: http://www.symantec.com/docs/TECH166289

Thanks. 


EV_Ajay's picture

Hello Pat ,

When EV archives the email, it never changes any information, including header information. That means, for example, if the To field of the email contains the email address, then EV archives it and the shortcut displays the email address. If the To field contains the display name, then EV archives it and the shortcut displays the display name.

 

Thanks,

Ajay

patriot3w's picture

Hi Ajay,

 

So do you mean DA displays using the display name while EV indexes the item using the message header?

 

Thanks. 

EV_Ajay's picture

Yes ..... DA displays using the display name; that's why the hotfix is mentioned in the TechNote. EV indexes the whole data.

Thanks,

Ajay

Patti Rodgers's picture

Were the original items sourced from Exchange and collected by Envelope Journaling?

patriot3w's picture

Envelope journaling. The items are from journal archives.

If the API option is enabled, where does DA get the sender address or recipient address?

Patti Rodgers's picture

I think it's the envelope journaling that is the key here. The message itself (P2) is actually submitted using the sender/recipient canonical name, and the hub transport server will add the SMTP address as it puts the message in its envelope (P1). See MS for more detail on how envelope journaling works with internal addresses: http://msdn.microsoft.com/en-us/library/office/cc842372.aspx

When EV stores the item in the archive, the P2 is stored since it is the actual message, and the information in the P1 is written to the index and saveset metadata, and the P1 envelope is discarded. When you perform a PST export, you are not recreating this envelope. You are just exporting the actual message, and the SMTP address is not written on the actual message.

FWIW, if you enable the API then DA gets the sender/recipient address by going through the API to read the saveset metadata, but I believe that is just for review and not for exports.

SOLUTION
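
A pre-check for the situation described in the answer above, as an added example that is not part of the thread or of any Symantec tooling: it reads an exported .eml and reports which address headers carry no SMTP address, so those items can be identified before DLP scans them. The sample messages are constructed, and treating a legacyExchangeDN-style string as the stored "canonical name" is an assumption.

```python
import re
from email import message_from_bytes

# Headers a DLP incident would draw sender/recipient identity from.
ADDRESS_HEADERS = ("From", "Sender", "To", "Cc", "Bcc")

_ATOM = r"[^\s<>@\",;:()]+"
SMTP_RE = re.compile(_ATOM + "@" + _ATOM)
# Assumption: an internal Exchange identity may appear as a legacyExchangeDN.
X500_RE = re.compile(r"/o=[^/]+/ou=[^/]+/cn=", re.IGNORECASE)


def classify(value):
    """Classify one header value by the strongest identity it contains."""
    if SMTP_RE.search(value):
        return "smtp"
    if X500_RE.search(value):
        return "x500"
    return "display-name-only"


def audit_eml(raw):
    """Map each address header present in the message to its classification.

    Classification is per header, not per recipient: a header counts as
    "smtp" as soon as one SMTP address is found in it.
    """
    msg = message_from_bytes(raw)
    report = {}
    for name in ADDRESS_HEADERS:
        values = msg.get_all(name, [])
        if values:
            report[name] = classify(" ".join(str(v) for v in values))
    return report


def headers_missing_smtp(raw):
    """Headers where a scanner reading only the message finds no address."""
    return [name for name, kind in audit_eml(raw).items() if kind != "smtp"]


# Constructed sample: message body (P2) only, as after a PST export.
EXPORTED = (b"From: Pat Example\r\n"
            b"To: /O=EXAMPLE/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=AJAY\r\n"
            b"Subject: test\r\n\r\nbody\r\n")
# Constructed sample: message whose headers already carry SMTP addresses.
POP3 = (b'From: "Pat Example" <pat@example.com>\r\n'
        b"To: Ajay Example <ajay@example.com>\r\n"
        b"Subject: test\r\n\r\nbody\r\n")

if __name__ == "__main__":
    print(audit_eml(EXPORTED), headers_missing_smtp(POP3))
```
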
EV_Ajay's picture

Hi Pat.

Any update on this issue?

 

Thanks,

Ajay

patriot3w's picture

I can see the SMTP address in the email which was exported as PST. It's just the display name issue. However, in a PST file I got from a POP3 mail account, the display name will show the name and email address.

EV_Ajay's picture

Hi,

Do you have any updates on this thread? Do you need more assistance regarding this topic? Please mark the post that best solves your problem as the answer to this thread.

 

Thanks,

Ajay