Microsoft 365  (i.e. Office 365)
 

MailArchiva brings advanced e-Discovery capabilities to Microsoft Office 365. Full email journaling, calendar, contact, and folder synchronization are available.

 

MailArchiva Cloud setup - Easy setup instructions for the MailArchiva Cloud
MailArchiva On-Premise setup - Office 365 integration for MailArchiva On-Premise (advanced)

 

 

MailArchiva Cloud setup

 

Visit https://office365.archiva.com (USA) or https://office365.mailarchiva.eu (EU) and signup to the MailArchiva Cloud.

 

After signup, create a journal rule as described below.

 

Create a journal rule

 

This step involves configuring Office 365 to forward journaling traffic to the MailArchiva Cloud SMTP server.
 

From within the Exchange Admin Center:
 

  1. Visit Microsoft Purview
  2. In the Admin section on the left, click Exchange
  3. Select Data lifecycle management from the left menu, then Exchange
  4. Select Journal Rules from the sub menu at the top right
  5. If you haven't already, choose a local mailbox where undeliverable journal reports are to be sent.
  6. Press "+" to create a new journal rule
  7. In Send Journal Reports To field, enter:
     if registered on USA (archiva.com) site:  [value of journal recipient field in MailArchiva Web Console->System Status]@archive.archiva.com (for example: journal-000000T0R2KQuOyRvlZ18qxiAekc6RRHkQb4i0GjkJ3t4Ns150SfrknkuLMbGAr@archive.archiva.com)
     if registered on EU (mailarchiva.eu) site:  [value of journal recipient field in MailArchiva Web Console->System Status]@archive.mailarchiva.eu (for example: journal-000000T0R2KQuOyRvlZ18qxiAekc6RRHkQb4i0GjkJ3t4Ns150SfrknkuLMbGAr@archive.mailarchiva.eu)
  8. In Name field, enter "archiva"
  9. In the "If the message is sent to or received from.." field, select "Apply to All Messages"
  10. In "Journal the following messages.." select "All messages"
  11. Click Save.

Create a dedicated send connector


To ensure that your mail security solution doesn't inadvertently block journal emails sent to MailArchiva, it is prudent to create a dedicated send connector as per instructions below.

 

  1. Visit https://admin.exchange.microsoft.com using a web browser. Login to Microsoft 365 (as necessary).
  2. Click Mail flow on the left menu, then Connectors in the sub-menu.
  3. Click + to add a connector.
  4. In 'Connection from', select Office 365. In 'Connection to', select 'Partner organization'. Click Next.
  5. In Name, enter MailArchiva. Leave Turn It On checked
  6. Select 'Only when messages are sent to these domains'. Enter archive.archiva.com, then click +. Enter archive.mailarchiva.eu, then click +. Click Next.
  7. Select 'Use the MX record associated with partner's domain', click Next.
  8. Select 'Always use Transport Layer Security (TLS) to secure the connection'.
  9. Select 'Issued by a trusted certificate authority (CA)', Click Next
  10.  In validation email, enter either archive@archive.archiva.com (for USA site) or archive@archive.mailarchiva.eu (for EU site), click +, then click Validate button.
  11. Login to MailArchiva's search interface and verify that the test email has arrived. Click Next.
  12. Click Create connector.
  13. Click Done.

 

After the above steps are completed, MailArchiva should begin receiving journaling traffic. Click Search to see the email appearing in the search results.

 

MailArchiva Cloud offers a 30-day free trial, after which, if you wish to continue your use of the service, it is necessary to purchase a subscription.

 

 

MailArchiva On-Premise setup
 

Configure Exchange Online to forward journaling traffic to MailArchiva directly on port 25. Requires port 25 is port-forwarded on the firewall.

 

Step A. Install a digital certificate

 

Office 365 journaling may not work over an insecure connection; the use of SMTP/TLS may be required. Furthermore, Azure authentication requires a callback URL that uses HTTPS.

 

1. Follow the Secure Access steps to install a certificate and enable HTTPS

 

Step B. Port forward


Create a rule on your firewall to forward incoming requests on a public IP on port 25 to MailArchiva listening on your internal network. 


Step C. Create DNS record
 

Edit your company's DNS settings. Create an A record for MailArchiva in a domain, so that, for example, mailarchiva.company.com points to the external IP address referenced in Step 1.


Step D. Create an SMTP listener
 

  1. In the MailArchiva Console, Click Configuration->Listeners
  2. Select SMTP Listener in the dropdown and then click the New Listener button.
  3. Check "Listen for incoming Exchange/SMTP requests"
  4. Set the SMTP port as 25
  5. Set certificate authentication to MailArchiva certificate store. Click Save

 

Step E. Create a journal rule
 

This step involves configuring Office 365 to forward journaling traffic to MailArchiva On Premise.

 

From within the Exchange Admin Center:

 

  1. Visit Office 365 Portal and click Admin
  2. In the Admin section on the left, click Exchange
  3. Select Compliance Management from the left menu
  4. Select Journal Rules from the sub menu at the top right
  5. If you haven't already, choose a local mailbox where undeliverable journal reports are to be sent
  6. Press "+" to create a new journal rule
  7. In "Send Journal Reports To" field, enter archive@company.archiva.com (where company.archiva.com is the fully qualified domain name of the MailArchiva server [not an email address] created in Step 2 above.)
  8. In "Name" field, enter "archiva".
  9. In "If the message is sent to or received from.." field, select "Apply to All Messages"
  10. In "Journal the following messages.." select "All messages". Click Save

At this stage, MailArchiva should receive journaling traffic.  Send an internal test message, and examine the charts in Status->Charts to see incoming traffic appearing.

 

To prevent the SMTP listener created in Step D. Create An SMTP Listener above from being abused by spam bots, it is a good idea to configure the listener such that it will only respond to recipients addressed in Step 7 above. In the Listener config above, click Advanced. In RCPT TO Filter Address, enter the email address specified in step 7 above (e.g.  archive@company.archiva.com).

 

Optional MailArchiva On-Premise setup steps

 

Step F. Create MailArchiva application (optional)


This optional step involves creating and configuring a MailArchiva application in Azure. This application is needed to setup Azure authentication as it authorizes MailArchiva to access Azure's API.

 

  1. Log in to your Office 365 Admin Center as an administrator.
  2. Access the Azure Portal, then Azure Active Directory.
  3. Click App Registrations, then "+" to create a New Application registration

  4. Enter the name of the application (e.g. MailArchiva)

  5. Select Accounts in this organizational directory only (.. Single tenant)
  6. Select Web as application type

  7. Type the equivalent of "http://localhost:8090/authorize.do" in the Reply URI (e.g. Replace localhost with the desired FQDN. e.g. https://mailarchiva.company.com/authorize.do)

Note: The Microsoft Azure Portal will not accept if the above URL is pasted from the clipboard. It is necessary to manually type the URL.
  1. Click Register

  2. Select the newly created app

  3. Click Api Permissions on the left menu

  4. Click Add Permission button, and select Microsoft Graph, then Delegated permissions

  5. Check the following delegated permissions: Directory.Read.All, email, Mail.Send, Mail.Send.Shared, openid, profile, offline_access, User.Read and User.Read.All then click Add permissions button to add them.

  6. Click Add Permission button, and select Microsoft Graph, then Application permissions

  7. Check the following application permissions: Calendars.Read, Channel.ReadBasic.All, ChannelMessage.Read.All, Chat.Read.All, ChatMessage.Read.All, Contacts.Read, Directory.Read.All, Domain.Read.All, Group.Read.All, Mail.Read, Notes.Read.All and User.Read.All then click Add permissions button to add them.

  8. Click Add Permission button, select "APIs my organization uses", type "office 365" in the search, select "Office 365 Exchange Online". Select Application permission. Add the permission IMAP.AccessAsApp.

  9. Click "Grant Admin consent" button, then click Yes button.
  10. Click "Enterprise applications" hyperlink at the bottom. Click "Grant Admin Consent" button. You will be prompted for permission to consent. Click Accept.
Note: The Reply URL must match exactly the Authentication Callback URL defined in Step 7 below. For more information on Reply URL definition, refer to Azure Troubleshooting.

 

Step G. Setup Azure authentication (optional)

 

This optional step configures MailArchiva to authenticate Office 365 users residing in Azure. Once setup correctly, it is possible for users to login to MailArchiva using their Azure credentials.


From within the MailArchiva Console:

 

  1. Login to the MailArchiva Console
  2. Select Configuration->Login, Select Console Method "Azure"
  3. In the Tenant ID field, copy and paste the Directory (tenant) ID displayed in the Application Overview in Azure application created in Step A above.
  4. In Client ID, copy and paste the Application (client) ID displayed in the application Overview in Azure application created in Step A above.
  5. In the Private Key field, select the certificate created in Step B above.
  6. In the Issuer URL field, enter "https://login.microsoftonline.com/[tenant ID]/v2.0" (replacing tenant ID)
  7. In Authentication Callback URL, enter "http://localhost:8090/authorize.do" (this URL must be equivalent to Reply URL added in Step F7 above)
  8. Leave Auto Discovery checked.
  9. Click Save
  10. Click "Request Admin Consent" button (this process starts the Office 365 consent process)
  11. You will be redirected to Office 365 login
  12. Login using Office 365, login using Office 365 admin credentials
  13. Accept permissions
  14. Access http://localhost:8090/signonform.do to access MailArchiva login
  15. Log back into MailArchiva as admin user
  16. Click Configuration->Logins
  17. Next, assign Office 365 Admin to the MailArchiva Admin Role
  18. Click the New Role Assignment button
  19. Select Administrator in Role
  20. Click Lookup button next to the Attribute Field
  21. In the lookup dialog, enter the email address of the Office 365 Administrator. Click Lookup
  22. A list of Azure attributes will be shown. Select memberOf "Company Administrator"
  23. Click Save
  24. To test the login, logout, and hit "http://localhost:8090"
  25. You should be directed to the Windows Azure Login page.
  26. If you are unable to login, enter "http://localhost:8090/signonform.do" to login using a super user admin account.

 

Upgrade Note: The only authorization URL is no longer valid.  The Issuer URL field should be set to "https://login.microsoftonline.com/[tenant ID]/v2.0" with auto discovery enabled.

 

Note: For the authentication process to work, the MailArchiva web console must be accessed from a web browser using the same domain as specified in the Authentication Callback / Reply URL. In the example above, the MailArchiva console would be accessed using the URL: "http://localhost:8090".

 

Note: If locked out of the console, access the fallback login page at "http:localhost:8090/signonform.do" to login as admin.

 

Note: See Azure Authentication Troubleshooting if you have difficulties getting Azure authentication to work.


 

Step H. Setup Office 365 connection (optional)
 

This optional step involves setting Office 365 Connection i, such that it can synchronize folders structures and import data.
 

From within the Azure Portal:

 

  1. Login to Azure Portal.
  2. Click Azure Active Directory, then App Registrations
  3. Select the MailArchiva application created in Step A above.
  4. Click Manifest to edit the Manifest.
  5. Click Download to download the manifest file.
  6. Don't close the Azure page (we will need later to upload adjustments to the Manifest file).

From within the MailArchiva Console:
 

  1. Login to MailArchiva Console
  2. Click Configuration->Connections
  3. Select Office 365, then click New Connection
  4. In the Tenant ID field, copy and paste the Directory (tenant) ID displayed in the Application Overview in Azure.
  5. In Client ID, copy and paste the Application (client) ID displayed in the Application Overview in Azure. Click Save
  6. Click the Update Manifest button
  7. Select the manifest downloaded from Azure earlier.
  8. In storage alias, enter "office365".
  9. In Common Name, enter "office365.mailarchiva.com"
  10. In Org Unit, Org, City, State and Country enter your company details.
  11. Click the Update Manifest button to create an X509 certificate and update the manifest file.
  12. When complete, a download manifest link will appear. Click it and save the manifest file to the desktop.
  13. Click Close to close the popup window, then click Save to save the configuration.Update Manifest
  14. Refresh the browser page so that the Service Account Private Key will re-populate.
  15. In Private Key, select the storage alias specified in step 17 above.
  16. In "Mail from" field, enter the email address of the admin user.
  17. If folder synchronization is desirable, refer to Folder synchronization step described further below.
  18. Click Save to save the configuration.

From within the Azure Portal:

 

  1. On the Edit manifest page, click the Upload button to upload the modified manifest file at Step 21 above.

From MailArchiva Console:

    In the Office 365 connection, click Test Connection to verify that MailArchiva is able to sync with O365. If the test is successful, enable the connection and click Save.
Note: Any time the MailArchiva Application permissions are modified in Azure, the consent process must be re-initiated by clicking either on "Request Admin Consent" in Configuration->Logins or "Get Admin Consent" in Configuration->Connection-Exchange Connection.

 

 

Step I. Synchronize folder structures (optional)

 

Note: This feature requires MailArchiva 8.10.0 or higher. 

MailArchiva has the ability to synchronize folder structures with Office 365. Microsoft Office 365 transmits folder synchronization data to a web hook URL (.e.g. https://mailarchiva.company.com/o365) accessible from outside your network. 
 
Before proceeding with configuration, ensure that MailArchiva's web console is secured using TLS.
 
Note: Microsoft Office 365 doesn't yet appear to support elliptic curve certificates. Thus, ensure the certificate securing the web console is RSA based.
 
To enable folder synchronization, setup an Office 365 Connection such that MailArchiva is able to establish a connection to Office 365 Graph Api. 
 

In Configuration->Connections->Office 365 connection...
 

  1. Specify the webhook URL as the equivalent of https://mailarchiva.company.com/o365 (replace FQDN with your local domain while preserving the o365 prefix).
  2. Leave the server port as 8888 since MailArchiva will automatically proxy HTTPS requests targeting the webhook URL to port 8888 on localhost.
  3. Check the "synchronize" checkbox. Save the config. Henceforth, Office 365 will attempt to send synchronization traffic to the webhook address on port 443.
     

 Ensure that Office 365 is able to access the webhook URL (specified above) via HTTPS from outside your network. This can be achieved as follows..

 

  1. If necessary, create an A Record using your DNS provider's editor, with the name "mailarchiva" pointing to an IP address assigned to the edge of your network.
  2. Use a browser to access https://mailarchiva.company.com/o365 from outside your network to verify that the A record is defined correctly and the port forward rule is working as expected. If the port forwarding is setup right, the browser should output the response: Failure: 405 Method Not Allowed
  3. If everything is defined correctly in the Status->Charts section, you should begin to see sync bars. In the Search interface, user folder structures should begin to appear.
  4. If no bars are appearing, double-check the configuration, uncheck the enable button, click Save, then recheck the enable button, click Save again. Recheck the charts.


Putting it all together

 

Always ensure that MailArchiva is being accessed using the same domain as specified in the Authentication Callback URL (defined in MailArchiva) / Reply URL (defined in Azure).

 

From MailArchiva Console:

 

  1. Click Status->Charts to verify whether archiving traffic is being received and archived. If not, refer to Archiving Stopped for possible solutions.
  2. By default, MailArchiva will only archive new messages from the point at which archiving is enabled.
  3. To import historical mail, from Configuration->Volumes, then click Import, select the desired Exchange Client Connection, and click Import.

 

 

IMAP journaling (deprecated)

 

Deprecation Note: Using IMAP to retrieve journaling data from Office 365 is no longer feasible, since Microsoft now prevents new journal rules from forwarding traffic to local mailbox hosted in Office 365.

 

There are two different approaches to archiving emails from MS Exchange:

 

Option 1) IMAP journaling - Create a journal mailbox in Exchange Online, and then poll the journal mailbox continuously using IMAP. The advantage is there is no need to open a port on the firewall. The disadvantage is that polling is less efficient.
Option 2) SMTP journaling - Configure Exchange Online to forward journaling traffic to MailArchiva directly on port 25. Requires port 25 is port-forwarded on the firewall.

 

Choose between either of these approaches. The SMTP approach comes most recommended as it is less resource intensive, but does require that an incoming port is forwarded on the company firewall. The advantage of the IMAP journaling method is that there is no need to open an outside port on the company firewall. The disadvantage is that a journal mailbox must be created and assigned.

 

Option 1) IMAP journaling

 

IMAP Note: Journaling using the IMAP protocol with OAUTH authentication requires a minimum of steps A, B, C1, D1 and E1 to be completed. 

 

Step J1. Create IMAP journaling rule

 

  1. Visit Microsoft Admin Center
  2. In Active users on the left menu, click Add a user. 
  3. In First name, Display name and username fields, enter "journal".
  4. Uncheck "Require this user to change their password when they first login"
  5. Click Next to complete the journal mailbox creation.
  6. Click on the newly created journal rule to open its properties. In the General tab, click "Manage email apps settings" and ensure that IMAP access is enabled.
  7. Visit Microsoft Purview in a web browser
  8. Select Data lifecycle management from the left menu, then Exchange (legacy)
  9. Select Journal Rules from the sub menu at the top right
  10. Create the New Rule
  11. In "Send journal reports to", select journal mailbox. In the name field, enter journal.
  12. In "if the message is sent to or received from..." select Apply to all messages.
  13. In "journal the following messages" select all messages. Click Create.
     

Step D1. Grant journal mailbox access permission

 

Avoid the gotcha:  Please do not make the common mistake of copying the Object ID in the first step below from the app's Azure registration page as defined in Step A above. The Object ID must be taken from the Enterprise Applications section in the Azure portal. (it is different from App Registration page in Azure!)

 

  1. Login to the Azure Portal. Open Enterprise Applications (not App registration!). 
  2. Select the MailArchiva application created earlier. Leave the page open as a reference.
  3. Open Windows Powershell on any computer running Windows 11.
  4. Type the command "Import-Module ExchangeOnlineManagement"
  5. Connect to Exchange Online, by typing the equivalent of:
    Connect-ExchangeOnline -UserPrincipalName admin@company.com ( i.e. replaced with user principal name of Office 365 admin user )imap connection
  6. Type the command below to create a service principal:
    New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> ( both values taken from Azure Enterprise Application -> Properties )
  7. Type "Get-ServicePrincipal | fl". Take note of the Service ID listed in the output.
  8. Input the command below to create a mailbox:
    Add-MailboxPermission -Identity "journal@company.com" -User <SERVICE_ID> -AccessRights FullAccess


Step J1. Create IMAP connection

 

  1. Login to MailArchiva, click Configuration->Client Connections->Select IMAP Connection->Click New Connection.
  2. Enter outlook.office365.com in the server address field.
  3. Select Auth Method as OAUTH2.
  4. In Username, enter the journal account email (e.g. journal@company.com)
  5. In Token, select Office 365.
  6. Save the connection. Click Test Connection to verify. 
  7. If all is well, check Enabled and click Save.

 

If the IMAP test connect fails, please retrace the steps above or follow these troubleshooting steps.

Was this information helpful?
© 2005 - 2024 ProProfs

Found this information useful? Visit mailarchiva.com to learn more about MailArchiva.

-