This is good and very close, but I find outbound messages are not logged? Have I missed something?
I find the messages 'pre SMTP format' in Mapi-Gateway Messages, but this does not show what the server actually sent to the destination.
Personal view, but I find Exchange 5.5's protocol logging and archival better and far easier to trace and diagnose what came in/went out. Yes, I know there could be improvements, like logging the IP address and noting the message archive file in the protocol log, and perhaps even having a copy of the protocol session data at the top and bottom of each message archive file.
The IIS protocol log is a mess (again, personal view). Can we go back to one logfile per session? And can we have the ability to FULLY log everything, INCLUDING the message, in the protocol log, so things are consistent and very easy to diagnose?
Oh, and while I'm asking, can we see exposure of the DNS MX lookup that was performed to find the destination server in the protocol log?
The sinks are a very good idea and provide the ability to do lots of good stuff (like global footers etc.), but for diagnostics and LEGAL purposes we do need to be able to see an exact log of what the server actually sent and received. With sinks you can't be certain that another sink existed after/before the archive one that modified the message.
My thought as a techie is that an archive journal would not stand up in court, as I would not be able to prove/disprove the existence of any other sinks.
In the UK we don't worry so much about Sarbanes-Oxley and HIPAA. What we do worry about is that e-mail is a legal communication method, and a copy of the message sent must be just that: a copy of what was sent/received over the wire. I've put Exchange 2003 in for some firms of solicitors here and we still have to feed everything through an Exchange 5.5 server, as the logging and journal is accepted PROOF, but I'm told that everyone's still arguing about 2000+ [This could be totally wrong by now though].