Exchange 2010: viewing SMTP authentication

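Is there a way to view authenticated SMTP sessions?

We are receiving a lot of SMTP traffic at various times of the day. I would like to see which users sent SMTP messages during those times.

Is this possible?


After enabling logging on the receive connector, this is a typical transaction. But no SMTP user is listed...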

Receive Connector - SERVER01,08D0E9538D1F8114,0,10.1.1.251:25,109.154.177.81:3983,+,,
2014-01-28T12:44:18.548Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,1,10.1.1.251:25,109.154.177.81:3983,,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-01-28T12:44:18.548Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,2,10.1.1.251:25,109.154.177.81:3983,>,"220 mailgate.ourserver.co.uk Microsoft ESMTP MAIL Service ready at Tue, 28 Jan 2014 12:44:17 +0000",
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,3,10.1.1.251:25,109.154.177.81:3983,<,EHLO host109-157-239-12.range109-157.btcentralplus.com,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,4,10.1.1.251:25,109.154.177.81:3983,>,250-mailgate.ourserver.co.uk Hello [109.154.177.81],
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,5,10.1.1.251:25,109.154.177.81:3983,>,250-SIZE,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,6,10.1.1.251:25,109.154.177.81:3983,>,250-PIPELINING,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,7,10.1.1.251:25,109.154.177.81:3983,>,250-DSN,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,8,10.1.1.251:25,109.154.177.81:3983,>,250-ENHANCEDSTATUSCODES,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,9,10.1.1.251:25,109.154.177.81:3983,>,250-AUTH,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,10,10.1.1.251:25,109.154.177.81:3983,>,250-8BITMIME,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,11,10.1.1.251:25,109.154.177.81:3983,>,250-BINARYMIME,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,12,10.1.1.251:25,109.154.177.81:3983,>,250 CHUNKING,
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,13,10.1.1.251:25,109.154.177.81:3983,<,MAIL FROM:,
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,14,10.1.1.251:25,109.154.177.81:3983,,08D0E9538D1F8114;2014-01-28T12:44:18.548Z;1,receiving message
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,15,10.1.1.251:25,109.154.177.81:3983,<,RCPT TO:,
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,16,10.1.1.251:25,109.154.177.81:3983,<,DATA,
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,17,10.1.1.251:25,109.154.177.81:3983,>,250 2.1.0 Sender OK,
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,18,10.1.1.251:25,109.154.177.81:3983,>,250 2.1.5 Recipient OK,
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,19,10.1.1.251:25,109.154.177.81:3983,>,354 Start mail input; end with .,
2014-01-28T12:44:22.910Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,20,10.1.1.251:25,109.154.177.81:3983,*,Tarpit for '0.00:00:04.138' due to 'DelayedAck',Delivered
2014-01-28T12:44:22.910Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,21,10.1.1.251:25,109.154.177.81:3983,>,250 2.6.0 [InternalId=687815] Queued mail for delivery,
2014-01-28T12:44:22.958Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,22,10.1.1.251:25,109.154.177.81:3983,<,QUIT,
2014-01-28T12:44:22.958Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,23,10.1.1.251:25,109.154.177.81:3983,>,221 2.0.0 Service closing transmission channel,
2014-01-28T12:44:22.959Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,24,10.1.1.251:25,109.154.177.81:3983,-,,Local

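Answer 1

You can enable SMTP logging (disabled by default) and then look at the actual SMTP transactions themselves, sure.

See here: http://exchangepedia.com/2007/05/exchange-server-2007-logging-smtp-protocol-activity.html

Enabling protocol logging on a Receive Connector

To enable protocol logging on a Receive Connector, use the following command:

Set-ReceiveConnector "Connector Name" -ProtocolLoggingLevel verbose

Enabling protocol logging on a Send Connector

Unlike Exchange Server 2003/2000, you must enable logging separately for Send Connectors (used to send mail outside the Exchange organization; a Send Connector is the equivalent of an SMTP Connector in Exchange 2003/2000), using the following command:

Set-SendConnector "Send Connector Name" -ProtocolLoggingLevel verbose

Besides the visible Receive and Send Connectors, there is an invisible Send Connector hidden behind the scenes, used to transport messages within the organization, between Hub Transport servers, Edge Transport servers and Exchange Server 2003/2000 servers. It is the intra-organization Send Connector. You will not see it in the console or the shell if you use the Get-SendConnector command. To configure protocol logging for this intra-organization Send Connector, do the following:

Set-TransportServer "TRANSPORT SERVER NAME" -IntraOrgConnectorProtocolLoggingLevel verbose

Receive Connector logs are located at: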

Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive 

Send Connector logs are located at:

Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend 

Author of the linked article: Bharat Suneja, May 3, 2007
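
One way to summarise an SmtpReceive protocol log per session and per hour, added here as an example (it is not part of the original answer or the linked article). It assumes a successful AUTH is logged as a `*` entry with the account name in the data field and `authenticated` in the context field; the session quoted in the question contains no AUTH command, so it would be reported as anonymous. The sample log lines, the `Get-SmtpSessionAuth` function and every name and address in them are constructed for illustration.

```powershell
# Field order of an SmtpReceive protocol log, matching the log excerpt in the question.
$fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

# Constructed sample (not real data): one anonymous, one authenticated, one incomplete-AUTH session.
# Assumption: a successful AUTH appears as a '*' entry with the account in 'data'
# and 'authenticated' in 'context'.
$sample = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-01-28T12:44:18.548Z,SRV\Conn,A1,0,192.0.2.10:25,198.51.100.7:3983,+,,
2014-01-28T12:44:18.570Z,SRV\Conn,A1,1,192.0.2.10:25,198.51.100.7:3983,<,EHLO client.example,
2014-01-28T12:44:18.600Z,SRV\Conn,A1,2,192.0.2.10:25,198.51.100.7:3983,<,MAIL FROM:<a@example.org>,
2014-01-28T13:02:10.100Z,SRV\Conn,B2,0,192.0.2.10:25,203.0.113.5:5101,+,,
2014-01-28T13:02:10.150Z,SRV\Conn,B2,1,192.0.2.10:25,203.0.113.5:5101,<,AUTH LOGIN,
2014-01-28T13:02:10.300Z,SRV\Conn,B2,2,192.0.2.10:25,203.0.113.5:5101,*,EXAMPLE\jsmith,authenticated
2014-01-28T13:02:10.310Z,SRV\Conn,B2,3,192.0.2.10:25,203.0.113.5:5101,>,235 2.7.0 Authentication successful,
2014-01-28T13:05:41.000Z,SRV\Conn,C3,0,192.0.2.10:25,203.0.113.9:6200,+,,
2014-01-28T13:05:41.050Z,SRV\Conn,C3,1,192.0.2.10:25,203.0.113.9:6200,<,AUTH LOGIN,
2014-01-28T13:05:41.200Z,SRV\Conn,C3,2,192.0.2.10:25,203.0.113.9:6200,>,535 5.7.3 Authentication unsuccessful,
'@

function Get-SmtpSessionAuth {
    param([string[]]$Line)
    # Drop the '#' header lines, parse as CSV, then rebuild each session from its session-id.
    $Line | Where-Object { $_ -and $_ -notmatch '^#' } |
        ConvertFrom-Csv -Header $fields |
        Group-Object -Property 'session-id' |
        ForEach-Object {
            $rows = $_.Group
            $user = ($rows | Where-Object { $_.event -eq '*' -and $_.context -eq 'authenticated' } |
                     Select-Object -First 1).data
            $triedAuth = [bool]($rows | Where-Object { $_.event -eq '<' -and $_.data -like 'AUTH*' })
            [pscustomobject]@{
                Hour      = $rows[0].'date-time'.Substring(0, 13)   # e.g. 2014-01-28T12
                SessionId = $_.Name
                RemoteIP  = ($rows[0].'remote-endpoint' -replace ':\d+$', '')
                Auth      = if ($user) { 'ok' } elseif ($triedAuth) { 'attempted' } else { 'anonymous' }
                User      = $user
            }
        }
}

$sessions = Get-SmtpSessionAuth -Line ($sample -split '\r?\n')
$sessions | Format-Table -AutoSize
# Sessions per hour, split by authentication outcome
$sessions | Group-Object Hour, Auth | Select-Object Name, Count
```

For real data, pass the output of `Get-Content` on a file from the SmtpReceive folder named above instead of `$sample`.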
