Recommendations for the Exchange Mailbox Agent ContentStore Mailbox


To create an efficient SMTP journaling process, consider the following recommendations.

  • Schedule archive jobs to run every 4 hours and cleanup jobs to run every 8 hours.

  • For archive and cleanup jobs, allocate 5 streams per access node. Increase the number of streams when you add access nodes.

  • Schedule content indexing jobs to run continuously at a 10-minute interval.

  • To avoid creating duplicate journal reports, create only one journal contact for the entire organization.

  • For high-availability and load balancing, configure at least two ContentStore Mail Servers (SMTP).

  • You perform some configurations for the ContentStore Mail Server (SMTP) through a Web application called the ContentStore Mail Server (SMTP) dashboard. You can access the dashboard using the Google Chrome Web browser.

  • To achieve load balancing and fault tolerance, deploy one Send connector with multiple smart hosts (that is, the ContentStore Mail Servers (SMTP)).

  • If you have multiple ContentStore Mail Servers (SMTP), and you must perform maintenance on them, do so one server at a time so that the remaining servers can continue to receive messages. Do not disable all the servers at the same time.

  • To prevent the server from becoming overloaded, monitor the system resources by doing the following:

    • Configure alerts to monitor the Exchange queue.

    • Make sure that there is enough free space left on the Exchange server queue database drives.

    For more information, consult Microsoft documentation. For example, see the article on the Microsoft TechNet site that corresponds with your version of Exchange.

  • To prevent the loss of journaling reports, create an alternate journaling mailbox. If the journaling mailbox becomes unavailable, the alternate journaling mailbox receives the journal reports until the journaling mailbox is available again. If your environment is Office 365 with Exchange, creating an alternate journaling mailbox is mandatory.

    For more information, consult Microsoft documentation. For example, see the article on the Microsoft TechNet site that corresponds with your version of Exchange.

  • Upload a Secure Sockets Layer (SSL) certificate and encrypt communications when you configure the ContentStore Mail Server (SMTP).

  • Configure the Web end point - Offline alert on each client where the ContentStore Mail Servers (SMTP) role is enabled. This alert lets you know if the ContentStore mail services become unavailable. For more information, see the list of predefined alerts.

    Note

    By default, the Web end point - Offline alert is disabled.

  • Enable TLS 1.2 on all the SMTP access nodes by completing the following steps:

    1. Enable TLS 1.2

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001

      a. Enable strong cryptography in .NET Framework 4.5 or higher

        Using TLS 1.1 and TLS 1.2 with Office Online Server requires strong cryptography in .NET Framework 4.5 or higher. To enable strong cryptography in .NET Framework 4.5 or higher, add the following registry key and value:

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
        "SchUseStrongCrypto"=dword:00000001

    2. Disable TLS 1.1

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

    3. Disable TLS 1.0

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000


      The "DisabledByDefault" value refers to the default state of the TLS version: 1 means that the version is disabled by default, and 0 means that it is not disabled by default.

      The "Enabled" value refers to whether the TLS version is enabled at all: 1 means that it is enabled, and 0 means that it is disabled.

    4. Restart the server.
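The following script is an added example of the queue and disk-space monitoring recommended above; it is not part of the original page or of the Commvault product. It runs in the Exchange Management Shell (it uses the Get-Queue cmdlet) and reports the message backlog on one Exchange server together with the free space on the drive that holds the queue database. The drive letter and the two thresholds are assumptions for illustration; a non-zero exit code is used so that a scheduled task or monitoring tool can raise the alert.

```powershell
# Added example (not from the original page): check transport queue backlog and
# free space on the queue-database drive of one Exchange server.
# Run in the Exchange Management Shell. Drive letter and thresholds are assumptions.
param(
    [string]$Server = $env:COMPUTERNAME,
    [string]$QueueDrive = 'D:',        # assumption: drive holding the queue database
    [int]$MaxQueuedMessages = 1000,    # assumption: alert above this many queued messages
    [int]$MinFreeGB = 20               # assumption: alert below this much free space (GB)
)

function Get-NonEmptyQueues {
    # Returns every transport queue on the server that currently holds messages.
    param([string]$Server)
    return @(Get-Queue -Server $Server | Where-Object { $_.MessageCount -gt 0 })
}

function Get-FreeSpaceGB {
    # Free space on one logical drive of the server, in GB (rounded to 0.1).
    param([string]$Server, [string]$Drive)
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $Server `
                            -Filter "DeviceID='$Drive'"
    return [math]::Round($disk.FreeSpace / 1GB, 1)
}

$queues = Get-NonEmptyQueues -Server $Server
foreach ($q in $queues) {
    # One line per non-empty queue; LastError shows why a queue is not draining.
    '{0,-40} {1,6} messages  status={2}  lastError={3}' -f `
        $q.Identity, $q.MessageCount, $q.Status, $q.LastError
}
# [int] turns the $null that Measure-Object returns for an empty set into 0.
$backlog = [int]($queues | Measure-Object -Property MessageCount -Sum).Sum
$freeGB  = Get-FreeSpaceGB -Server $Server -Drive $QueueDrive

$problems = @()
if ($backlog -gt $MaxQueuedMessages) {
    $problems += "queue backlog $backlog exceeds $MaxQueuedMessages"
}
if ($freeGB -lt $MinFreeGB) {
    $problems += "only $freeGB GB free on $QueueDrive (minimum $MinFreeGB GB)"
}

if ($problems.Count -eq 0) {
    "OK on ${Server}: $backlog queued messages, $freeGB GB free on $QueueDrive"
    exit 0
}
"ALERT on ${Server}: " + ($problems -join '; ')
exit 1   # non-zero exit lets a scheduler or monitoring tool raise the alert
```

Schedule the script on each Exchange server at the same cadence as the archive jobs, and treat a growing backlog on the queue that points at the ContentStore Mail Servers (SMTP) as the signal that the smart hosts are unreachable or refusing mail.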
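The script below is an added example that applies steps 1 through 3 of the TLS procedure above on one SMTP access node and verifies the result; it is not part of the original page or of the Commvault product. It writes the same SCHANNEL and .NET registry values that the steps list, then reads them back so that you can confirm every protocol before restarting the server (step 4). The Wow6432Node path for SchUseStrongCrypto is an addition not on the page; it covers 32-bit .NET processes on 64-bit Windows. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original page): set and verify the SCHANNEL protocol
# values and .NET strong-crypto value on this node. Requires an elevated session.
# SCHANNEL changes take effect only after a restart (step 4).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state, exactly as in steps 1-3: TLS 1.2 on, TLS 1.1 and TLS 1.0 off.
$protocols = @{
    'TLS 1.2' = @{ DisabledByDefault = 0; Enabled = 1 }
    'TLS 1.1' = @{ DisabledByDefault = 1; Enabled = 0 }
    'TLS 1.0' = @{ DisabledByDefault = 1; Enabled = 0 }
}

function Set-SchannelProtocol {
    # Creates the Client and Server subkeys for one protocol and writes both DWORDs.
    param([string]$Name, [hashtable]$Values)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $schannel $Name) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($valueName in $Values.Keys) {
            New-ItemProperty -Path $key -Name $valueName -Value $Values[$valueName] `
                             -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-SchannelProtocol {
    # Returns $true only if both the Client and Server keys hold the expected DWORDs.
    param([string]$Name, [hashtable]$Values)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $schannel $Name) $side
        if (-not (Test-Path $key)) { return $false }
        $actual = Get-ItemProperty -Path $key
        foreach ($valueName in $Values.Keys) {
            if ($actual.$valueName -ne $Values[$valueName]) { return $false }
        }
    }
    return $true
}

foreach ($name in $protocols.Keys) {
    Set-SchannelProtocol -Name $name -Values $protocols[$name]
}

# Step 1a: strong cryptography for .NET Framework 4.x. The Wow6432Node key is an
# addition not on the original page (32-bit .NET processes on 64-bit Windows).
$dotnetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $dotnetKeys) {
    if (Test-Path $key) {
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -Value 1 `
                         -PropertyType DWord -Force | Out-Null
    }
}

# Verification: every protocol should report True before you restart the server.
foreach ($name in $protocols.Keys) {
    '{0}: {1}' -f $name, (Test-SchannelProtocol -Name $name -Values $protocols[$name])
}
```

Because the change affects every SCHANNEL client and server on the node, apply it to one ContentStore Mail Server (SMTP) at a time, as the maintenance recommendation above advises, and confirm that the Exchange Send connector still delivers to that smart host before moving to the next one.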