12-03-2020 05:39 AM
I got an interesting question in a hard case. We are just helping a customer who had a cyber security incident some months ago. During the time when the Exchange servers were not accessible, all emails were queued by an external service provider.
Afterwards the email traffic was opened again so that the Exchange Edge servers could distribute the emails. But unfortunately two frontends in different locations were not up and running. So a big bunch of emails were not delivered and were purged after the default period of 2 days. During the stressed situation it looked like the customer was willing to give up these emails.
But now the emails shall be restored.
My idea was to restore the Edge Server from a specific date from the backup in an isolated VLAN. This worked so far, but we are not able to time travel, so by starting the services all emails get purged immediately.
So I started the machine in safe mode, renamed the mail.que and restarted the machine. All services came up apart from the transport service. Interestingly, I am able to execute Set-TransportService -MessageExpirationTimeout anyway. Unfortunately the max range is 90 days and soon I would need to set it to 180 days.
Have you got any other ideas?
Is there a possibility to export messages directly from the mail.que file?
I already thought about (virtual) time travel regarding time manipulation of the VM, but this is only possible if you sync the time from the host. As there are several hundred other VMs, we would have to create a new host with no further machines on it.
I'm looking forward to talking about your ideas.
12-03-2020 05:57 AM
Are you sure you need to export the queue? If the relevant messages were sent from mailboxes, you could do a content search instead.
12-04-2020 03:06 AM - edited 12-04-2020 03:08 AM (Solution)
At least I could figure it out myself. It was a combination of VMware and disabling all NTP services. I disabled the ESXi time sync for the single machines. In Windows safe mode I was able to disable all NTP possibilities and rename the mail.que.
This is flagged as a faulty move, but that is not important for the operation. After starting Windows in regular mode the transport service did not come up, which is great for our purpose. And the most important thing here is that, although the transport service is not up and running in this situation, you are still allowed to execute changes with Set-TransportService.
So I executed...
Set-TransportService -Identity Edge01 -MessageExpirationTimeout 90.00:00:00
... renamed the backup.que back to mail.que and started the transport service. As the server now believed in time travel, no messages have been purged.
For everyone who reads this and wants to know how to export messages...
Export messages from queues
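The recovery order from the solution above (time sync off, expiry raised while the transport service is down, queue database renamed back, then export), as an added PowerShell example that is not the poster's own script. It assumes the VMware Tools path, the default queue database location under ExchangeInstallPath, the queue name and the export folder; it runs in the Exchange Management Shell on the isolated Edge server.

```powershell
# Assumed locations; adjust to the restored server.
$ToolboxCmd = 'C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe'
$QueueDir   = Join-Path $env:ExchangeInstallPath 'TransportRoles\data\Queue'
$ExportDir  = 'D:\QueueExport'   # constructed example path

# 1. Make sure nothing can correct the clock: guest tools sync and Windows Time.
& $ToolboxCmd timesync disable
Stop-Service W32Time -ErrorAction SilentlyContinue
Set-Service  W32Time -StartupType Disabled

# 2. The transport service must be stopped before the expiry is raised and the
#    queue database is swapped back; otherwise the old 2-day limit purges on start.
Stop-Service MSExchangeTransport -ErrorAction SilentlyContinue
Set-TransportService -Identity $env:COMPUTERNAME -MessageExpirationTimeout 90.00:00:00
$ts = Get-TransportService -Identity $env:COMPUTERNAME
if ($ts.MessageExpirationTimeout.TotalDays -lt 90) { throw 'Expiry was not applied' }

# 3. Restore the renamed queue database (backup.que -> mail.que, as in the post).
$bak = Join-Path $QueueDir 'backup.que'
if (Test-Path $bak) { Rename-Item $bak (Join-Path $QueueDir 'mail.que') }
Start-Service MSExchangeTransport

# 4. Confirm that messages older than the default 2-day expiry survived.
$old = Get-Message -ResultSize Unlimited |
       Where-Object { $_.DateReceived -lt (Get-Date).AddDays(-2) }
Write-Host ("Messages older than 2 days still queued: {0}" -f @($old).Count)

# 5. Freeze the queues so nothing is delivered from the isolated VLAN, then export
#    each message as .eml (Export-Message | AssembleMessage, per the docs link above).
Get-Queue | Where-Object { $_.MessageCount -gt 0 } | Suspend-Queue -Confirm:$false
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$i = 0
Get-Message -ResultSize Unlimited | ForEach-Object {
    $i++
    Export-Message -Identity $_.Identity |
        AssembleMessage -Path (Join-Path $ExportDir ("{0:D6}.eml" -f $i))
}
Write-Host ("Exported {0} messages to {1}" -f $i, $ExportDir)
```

Run it only on the isolated copy of the Edge server; the suspended queues keep the recovered messages from being re-sent while you export them.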