As you get ready to decommission legacy Exchange servers after the transition to Exchange Server 2007 or 2010 you might be concerned about any remaining devices or hosts that are using the server for SMTP traffic.
It has been my experience that no matter how well managed or documented an environment is, there is always some application or device that nobody thinks of that is relaying email through the Exchange server. Whether its a custom app that some developer is running on his workstation, or a printer that does scan-to-email, something is bound to break when you remove the Exchange server.
Fortunately you can just about eliminate this risk with a little log monitoring on the Exchange 2003 server. This is best performed after you have migrated all data and known services away from the server, to minimise the amount of potential traffic you pick up in the monitoring.
The first step is to enable logging of SMTP traffic on the server. Open Exchange System Manager and navigate to the SMTP Virtual Server.
Open the properties of the SMTP Virtual Server. Tick the box to enable logging.
Leave the log format as “W3C Extended” and click the Properties button. Take note of the log file directory, and I also always enable local time for log naming and rollover
Click on the Advanced tab and enable at a minimum the Client IP Address. I also include the Date and Time, and depending on your environment there may be other extended properties that you should enable.
Click OK, OK, etc to apply the new configuration. You can now wait for as long as you deem necessary to capture any remaining SMTP traffic that is traversing the server. I aim for 48 hours but in some environments a longer period would be appropriate.
Once the logging has been enabled and allowed to run for a while you’ll have one or more log files in the log file directory.
If you look in a log file you’ll see a list of IP addresses that have connected to the server for SMTP. A typical SMTP session will generate more than one line of logging, so this means potentially hundreds or thousands of lines of logging, maybe over multiple log files, that need to be consolidated down into a list of unique IP addresses.
This consolidation is made easy thanks to Logparser. Download and install Logparser, and then launch it from the Start Menu.
A very simple query to extract the unique IP addresses from the SMTP log files looks like this:
C:\Program Files\Log Parser 2.2>LogParser -i:IISW3C "SELECT DISTINCT c-ip FROM 'C:\WINDOWS\system32\LogFiles\SMTPSVC1\*.*'" ------------ 192.168.0.2 192.168.0.101 192.168.0.110 Statistics: ----------- Elements processed: 8181 Elements output: 3 Execution time: 0.09 seconds
You have now got a nice short list of IP addresses that are using the server for SMTP communications and can go and investigate the applications or device configs that are causing it, before you shut down the legacy servers for good.