Microsoft 365 (i.e. Office 365)
MailArchiva brings advanced e-Discovery capabilities to Microsoft Office 365. Full email journaling, calendar, contact, and folder synchronization are available.
MailArchiva Cloud setup - Easy setup instructions for the MailArchiva Cloud
MailArchiva On-Premise setup - Office 365 integration for MailArchiva On-Premise (advanced)
MailArchiva Cloud setup
Visit https://office365.archiva.com (USA) or https://office365.mailarchiva.eu (EU) and signup to the MailArchiva Cloud.
After signup, create a journal rule as described below.
Create a journal rule
This step involves configuring Office 365 to forward journaling traffic to the MailArchiva Cloud SMTP server.
From within the Exchange Admin Center:
- Visit Microsoft Purview
- In the Admin section on the left, click Exchange
- Select Data lifecycle management from the left menu, then Exchange
- Select Journal Rules from the sub menu at the top right
- If you haven't already, choose a local mailbox where undeliverable journal reports are to be sent.
- Press "+" to create a new journal rule
- In Send Journal Reports To field, enter:
if registered on USA (archiva.com) site: [value of journal recipient field in MailArchiva Web Console->System Status]@archive.archiva.com (for example: journal-000000T0R2KQuOyRvlZ18qxiAekc6RRHkQb4i0GjkJ3t4Ns150SfrknkuLMbGAr@archive.archiva.com)
if registered on EU (mailarchiva.eu) site: [value of journal recipient field in MailArchiva Web Console->System Status]@archive.mailarchiva.eu (for example: journal-000000T0R2KQuOyRvlZ18qxiAekc6RRHkQb4i0GjkJ3t4Ns150SfrknkuLMbGAr@archive.mailarchiva.eu) - In Name field, enter "archiva"
- In the "If the message is sent to or received from.." field, select "Apply to All Messages"
- In "Journal the following messages.." select "All messages"
- Click Save.
Create a dedicated send connector
To ensure that your mail security solution doesn't inadvertently block journal emails sent to MailArchiva, it is prudent to create a dedicated send connector as per instructions below.
- Visit https://admin.exchange.microsoft.com using a web browser. Login to Microsoft 365 (as necessary).
- Click Mail flow on the left menu, then Connectors in the sub-menu.
- Click + to add a connector.
- In 'Connection from', select Office 365. In 'Connection to', select 'Partner organization'. Click Next.
- In Name, enter MailArchiva. Leave Turn It On checked
- Select 'Only when messages are sent to these domains'. Enter archive.archiva.com, then click +. Enter archive.mailarchiva.eu, then click +. Click Next.
- Select 'Use the MX record associated with partner's domain', click Next.
- Select 'Always use Transport Layer Security (TLS) to secure the connection'.
- Select 'Issued by a trusted certificate authority (CA)', Click Next
- In validation email, enter either archive@archive.archiva.com (for USA site) or archive@archive.mailarchiva.eu (for EU site), click +, then click Validate button.
- Login to MailArchiva's search interface and verify that the test email has arrived. Click Next.
- Click Create connector.
- Click Done.
After the above steps are completed, MailArchiva should begin receiving journaling traffic. Click Search to see the email appearing in the search results.
MailArchiva Cloud offers a 30-day free trial, after which, if you wish to continue your use of the service, it is necessary to purchase a subscription.
MailArchiva On-Premise setup
Configure Exchange Online to forward journaling traffic to MailArchiva directly on port 25. Requires port 25 is port-forwarded on the firewall.
Step A. Install a digital certificate
Office 365 journaling may not work over an insecure connection; the use of SMTP/TLS may be required.
Furthermore, if using Azure authentication (not journaling), the console may need to be secured using HTTP/S. In this case, follow the Secure Access steps to install a certificate and enable HTTP/S.
Step B. Port forward
Create a rule on the organization's firewall to forward incoming SMTP traffic from port 25 on a public IP address to port 25 on the local IP address of the MailArchiva server running within the organization's network.
Step C. Create DNS record
Edit the organization's DNS settings. Create an A record for MailArchiva on your company domain, so that, for example, mailarchiva.company.com points to the external IP address referenced in Step 1.
Step D. Create an SMTP listener
- In the MailArchiva Console, Click Configuration->Listeners
- Select SMTP Listener in the dropdown and then click the New Listener button.
- Check "Listen for incoming Exchange/SMTP requests"
- Set the SMTP port as 25
- Set certificate authentication to MailArchiva certificate store. Click Save
Step E. Create a journal rule
This step involves configuring Office 365 to forward journaling traffic to MailArchiva On Premise.
From within the Exchange Admin Center:
- Visit Office 365 Portal and click Admin
- In the Admin section on the left, click Exchange
- Select Compliance Management from the left menu
- Select Journal Rules from the sub menu at the top right
- If you haven't already, choose a local mailbox where undeliverable journal reports are to be sent
- Press "+" to create a new journal rule
- In "Send Journal Reports To" field, enter archive@mailarchiva.company.com (where mailarchiva.company.com is the fully qualified domain name of the MailArchiva server [not an email address] created in Step 2 above.)
- In "Name" field, enter "archiva".
- In "If the message is sent to or received from.." field, select "Apply to All Messages"
- In "Journal the following messages.." select "All messages". Click Save
At this stage, MailArchiva should receive journaling traffic. Send an internal test message, and examine the charts in Status->Charts to see incoming traffic appearing.
Optional MailArchiva On-Premise setup steps
Step F. Create MailArchiva application (optional)
This optional step involves creating and configuring a MailArchiva application in Azure. This application is needed to setup Azure authentication as it authorizes MailArchiva to access Azure's API.
- Log in to your Office 365 Admin Center as an administrator.
- Access the Azure Portal, then Azure Active Directory.
-
Click App Registrations, then "+" to create a New Application registration
-
Enter the name of the application (e.g. MailArchiva)
- Select Accounts in this organizational directory only (.. Single tenant)
-
Select Web as application type
-
Type the equivalent of "http://localhost:8090/authorize.do" in the Reply URI (e.g. Replace localhost with the desired FQDN. e.g. https://mailarchiva.company.com/authorize.do)
-
Click Register
-
Select the newly created app
-
Click Api Permissions on the left menu
-
Click Add Permission button, and select Microsoft Graph, then Delegated permissions
-
Check the following delegated permissions: Directory.Read.All, email, Mail.Send, Mail.Send.Shared, openid, profile, offline_access, User.Read and User.Read.All then click Add permissions button to add them.
-
Click Add Permission button, and select Microsoft Graph, then Application permissions
-
Check the following application permissions: Calendars.Read, Channel.ReadBasic.All, ChannelMessage.Read.All, Chat.Read.All, ChatMessage.Read.All, Contacts.Read, Directory.Read.All, Domain.Read.All, Group.Read.All, Mail.Read, Notes.Read.All and User.Read.All then click Add permissions button to add them.
-
Click Add Permission button, select "APIs my organization uses", type "office 365" in the search, select "Office 365 Exchange Online". Select Application permission. Add the permission IMAP.AccessAsApp.
- Click "Grant Admin consent" button, then click Yes button.
- Click "Enterprise applications" hyperlink at the bottom. Click "Grant Admin Consent" button. You will be prompted for permission to consent. Click Accept.
Step G. Setup Office 365 connection (optional)
From within the Azure Portal:
- Login to Azure Portal.
- Click Azure Active Directory, then App Registrations
- Select the MailArchiva application created in Step A above.
- Click Manifest to edit the Manifest.
- Click Download to download the manifest file.
- Don't close the Azure page (we will need later to upload adjustments to the Manifest file).
From within the MailArchiva Console:
- Login to MailArchiva Console
- Click Configuration->Connections
- Select Office 365, then click New Connection
- In the Tenant ID field, copy and paste the Directory (tenant) ID displayed in the Application Overview in Azure.
- In Client ID, copy and paste the Application (client) ID displayed in the Application Overview in Azure. Click Save
- Click the Update Manifest button
- Select the manifest downloaded from Azure earlier.
- In storage alias, enter "office365".
- In Common Name, enter "office365.mailarchiva.com"
- In Org Unit, Org, City, State and Country enter your company details.
- Click the Update Manifest button to create an X509 certificate and update the manifest file.
- When complete, a download manifest link will appear. Click it and save the manifest file to the desktop.
- Click Close to close the popup window, then click Save to save the configuration.
- Refresh the browser page so that the Service Account Private Key will re-populate.
- In Private Key, select the storage alias specified in step 17 above.
- In "Mail from" field, enter the email address of the admin user.
- If folder synchronization is desirable, refer to Folder synchronization step described further below.
- Click Save to save the configuration.
From within the Azure Portal:
- On the Edit manifest page, click the Upload button to upload the modified manifest file at Step 21 above.
From MailArchiva Console:
Step H. Setup Azure authentication (optional)
This optional step configures MailArchiva to authenticate Office 365 users residing in Azure. Once setup correctly, it is possible for users to login to MailArchiva using their Azure credentials.
From within the MailArchiva Console:
- Login to the MailArchiva Console
- Select Configuration->Login, Select Console Method "Azure"
- In the Tenant ID field, copy and paste the Directory (tenant) ID displayed in the Application Overview in Azure application created in Step A above.
- In Client ID, copy and paste the Application (client) ID displayed in the application Overview in Azure application created in Step A above.
- In the Private Key field, select the certificate created in Step G above.
- In the Issuer URL field, enter "https://login.microsoftonline.com/[tenant ID]/v2.0" (replacing tenant ID)
- In Authentication Callback URL, enter "http://localhost:8090/authorize.do" (this URL must be equivalent to Reply URL added in Step F7 above)
- Leave Auto Discovery checked.
- Click Save
- Click "Request Admin Consent" button (this process starts the Office 365 consent process)
- You will be redirected to Office 365 login
- Login using Office 365, login using Office 365 admin credentials
- Accept permissions
- Access http://localhost:8090/signonform.do to access MailArchiva login
- Log back into MailArchiva as admin user
- Click Configuration->Logins
- Next, assign Office 365 Admin to the MailArchiva Admin Role
- Click the New Role Assignment button
- Select Administrator in Role
- Click Lookup button next to the Attribute Field
- In the lookup dialog, enter the email address of the Office 365 Administrator. Click Lookup
- A list of Azure attributes will be shown. Select memberOf "Company Administrator"
- Click Save
- To test the login, logout, and hit "http://localhost:8090"
- You should be directed to the Windows Azure Login page.
- If you are unable to login, enter "http://localhost:8090/signonform.do" to login using a super user admin account.
Step I. Synchronize folder structures (optional)
MailArchiva has the ability to synchronize folder structures with Office 365. Microsoft Office 365 transmits folder synchronization data to a web hook URL (.e.g. https://mailarchiva.company.com/o365) accessible from outside your network.
In Configuration->Connections->Office 365 connection...
- Specify the webhook URL as the equivalent of https://mailarchiva.company.com/o365 (replace FQDN with your local domain while preserving the o365 prefix).
- Leave the server port as 8888 since MailArchiva will automatically proxy HTTPS requests targeting the webhook URL to port 8888 on localhost.
- Check the "synchronize" checkbox. Save the config. Henceforth, Office 365 will attempt to send synchronization traffic to the webhook address on port 443.
Ensure that Office 365 is able to access the webhook URL (specified above) via HTTPS from outside your network. This can be achieved as follows..
- If necessary, create an A Record using your DNS provider's editor, with the name "mailarchiva" pointing to an IP address assigned to the edge of your network.
- Use a browser to access https://mailarchiva.company.com/o365 from outside your network to verify that the A record is defined correctly and the port forward rule is working as expected. If the port forwarding is setup right, the browser should output the response: Failure: 405 Method Not Allowed
- If everything is defined correctly in the Status->Charts section, you should begin to see sync bars. In the Search interface, user folder structures should begin to appear.
- If no bars are appearing, double-check the configuration, uncheck the enable button, click Save, then recheck the enable button, click Save again. Recheck the charts.
Putting it all together
Always ensure that MailArchiva is being accessed using the same domain as specified in the Authentication Callback URL (defined in MailArchiva) / Reply URL (defined in Azure).
From MailArchiva Console:
- Click Status->Charts to verify whether archiving traffic is being received and archived. If not, refer to Archiving Stopped for possible solutions.
- By default, MailArchiva will only archive new messages from the point at which archiving is enabled.
- To import historical mail, from Configuration->Volumes, then click Import, select the desired Exchange Client Connection, and click Import.
IMAP journaling (deprecated)
There are two different approaches to archiving emails from MS Exchange:
Option 1) IMAP journaling - Create a journal mailbox in Exchange Online, and then poll the journal mailbox continuously using IMAP. The advantage is there is no need to open a port on the firewall. The disadvantage is that polling is less efficient.
Option 2) SMTP journaling - Configure Exchange Online to forward journaling traffic to MailArchiva directly on port 25. Requires port 25 is port-forwarded on the firewall.
Choose between either of these approaches. The SMTP approach comes most recommended as it is less resource intensive, but does require that an incoming port is forwarded on the company firewall. The advantage of the IMAP journaling method is that there is no need to open an outside port on the company firewall. The disadvantage is that a journal mailbox must be created and assigned.
Option 1) IMAP journaling
Step J1. Create IMAP journaling rule
- Visit Microsoft Admin Center
- In Active users on the left menu, click Add a user.
- In First name, Display name and username fields, enter "journal".
- Uncheck "Require this user to change their password when they first login"
- Click Next to complete the journal mailbox creation.
- Click on the newly created journal rule to open its properties. In the General tab, click "Manage email apps settings" and ensure that IMAP access is enabled.
- Visit Microsoft Purview in a web browser
- Select Data lifecycle management from the left menu, then Exchange (legacy)
- Select Journal Rules from the sub menu at the top right
- Create the New Rule
- In "Send journal reports to", select journal mailbox. In the name field, enter journal.
- In "if the message is sent to or received from..." select Apply to all messages.
- In "journal the following messages" select all messages. Click Create.
Step D1. Grant journal mailbox access permission
- Login to the Azure Portal. Open Enterprise Applications (not App registration!).
- Select the MailArchiva application created earlier. Leave the page open as a reference.
- Open Windows Powershell on any computer running Windows 11.
- Type the command "Import-Module ExchangeOnlineManagement"
- Connect to Exchange Online, by typing the equivalent of:
Connect-ExchangeOnline -UserPrincipalName admin@company.com ( i.e. replaced with user principal name of Office 365 admin user ) - Type the command below to create a service principal:
New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> ( both values taken from Azure Enterprise Application -> Properties ) - Type "Get-ServicePrincipal | fl". Take note of the Service ID listed in the output.
- Input the command below to create a mailbox:
Add-MailboxPermission -Identity "journal@company.com" -User <SERVICE_ID> -AccessRights FullAccess
Step J1. Create IMAP connection
- Login to MailArchiva, click Configuration->Client Connections->Select IMAP Connection->Click New Connection.
- Enter outlook.office365.com in the server address field.
- Select Auth Method as OAUTH2.
- In Username, enter the journal account email (e.g. journal@company.com)
- In Token, select Office 365.
- Save the connection. Click Test Connection to verify.
- If all is well, check Enabled and click Save.
If the IMAP test connect fails, please retrace the steps above or follow these troubleshooting steps.
Found this information useful? Visit mailarchiva.com to learn more about MailArchiva.