Logging SMTP Protocol Activity in Exchange 2013/2010 and Exchange 2007

by Bharat Suneja

I wrote about logging SMTP protocol activity in Exchange Server 2003 in what is one of the most popular posts on Exchangepedia. Starting with Exchange Server 2007, Exchange discontinued using the SMTP stack in IIS and developed its own SMTP stack. I like to think of it as smarter or more intelligent Receive Connectors (these are protocol listeners, roughly equivalent or comparable to the SMTP Virtual Server we’ve known from Exchange Server 2003/2000).

SMTP logging not enabled by default

I hoped to see (SMTP) protocol logging turned on by default on SMTP Send Connectors and Receive Connectors in Exchange 2007 and later, but this is one aspect that hasn’t changed. Yes, SMTP logging is still not enabled by default! You have to remember to enable SMTP logging on transport servers.

Enable protocol logging on a Receive Connector

To enable protocol logging on Receive Connectors, use the following command:

Set-ReceiveConnector “Connector Name” -ProtocolLoggingLevel verbose

To enable it on all Receive Connectors, you can use pipelining in PowerShell:

Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel verbose

If you’re wondering whether there are any choices for the logging level – there aren’t. It’s either verbose or none.

To enable SMTP protocol logging from the EMC:

  1. Expand the Server Configuration | Hub Transport node
  2. Select the Hub Transport server you want to configure, and then select the Receive Connector -> Properties
  3. On the General tab, change the Protcol logging level to Verbose, as shown in the screenshot below.

Enable SMTP protocol logging on a Receive Connector in Exchange 2010
Figure 1: Enabling SMTP logging on a Receive Connector

Enable protocol logging on a Send Connector

Unlike Exchange Server 2003/2000, you have to enable logging separately for Send Connectors (used to send mail outside the Exchange organization, Send Connectors are equivalent of SMTP Connectors in Exchange 2003/2000), using the following command:

Set-SendConnector “Send Connector Name” -ProtocolLoggingLevel verbose

To enable protocol logging on a Send Connector using the EMC:

  1. Expand the Organization Configuration | Hub Transport node
  2. On the Send Connectors tab, select the Send Connector -> properties
  3. On the General tab, change the Protocol logging level to verbose, as shown in the following screenshot.

Enable SMTP protocol logging on a Send Connector in Exchange 2010
Figure 2: Enabling SMTP logging on a Send Connector

Besides the visible Receive and Send connectors, an invisible Send Connector lurks under the hood – used to transport messages within the organization, between Hub Transport servers, Edge Transport servers, and Exchange Server 2003/2000 servers. It’s the Intra-Organization Send Connector. You won’t see it in the console, or in the shell if you use the get-SendConnector command. To configure protocol logging for this Intra-Organization Send Connector:

Set-TransportServer “TRANSPORT SERVER NAME” -IntraOrgConnectorProtocolLoggingLevel verbose

Where do protocol logs reside?

Unlike Exchange Server 2003/2000, which maintain separate protocol logs for each SMTP Virtual Server, all Receive Connectors share SMTP receive logs. Similarly, Send Connectors share SMTP send logs.

Receive Connector logs are located in:

Exchange version Log Default location
Exchange 2010 Receive Connector \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive
Exchange 2010 Send Connector \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend
Exchange 2007 Receive Connector \Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive
Exchange 2007 Send Connector \Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend

Change SMTP log paths

It’s generally a good idea to not locate Exchange data, including Exchange mailbox and public folder databases, transaction logs, and all other logs on the system drive.

This command changes the path of SmtpReceive logs:

Set-TransportServer “TRANSPORT SERVER NAME” -ReceiveProtocolLogPath “D:\New SmtpReceive Log File Directory”

This command changes the path of SmtpSend logs:

Set-TransportServer “TRANSPORT SERVER NAME” -SendProtocolLogPath “D:\New SmtpSend Log File Directory”

Permissions on the log directory

If you do decide to change the path, ensure the new directories/folders exist with appropriate permissions:

  • Administrator: Full Control
  • System: Full Control
  • Network Service: Read, Write, and Delete Subfolders and Files

For more details, see “How to Configure Protocol Logging” in the product documentation.

Controlling protocol log size

Since SMTP support was provided by IIS, SMTP logging options were also controlled in IIS. IIS did not provide a way to control the disk space occupied by SMTP logs. As a a result, you had to archive or clean up the log directory manually, or automate it using a script. SMTP logging was one of the culprits that contributed to disk volumes on Exchange 2003/2000 servers running out of disk space.

In Exchange 2010/2007, you can control the following options:

  • ReceiveProtocolLogMaxAge: the maximum age of a receive log. Files older than the specified age are removed.
  • ReceiveProtocolLogMaxDirectorySize: the maximum size of the directory. This ensures the protocol logs for a Receive Connector do not exceed a fixed size.
  • ReceiveProtocolLogMaxFileSize: the maximum size of a single log file. When the active log file reaches this size, it’s rolled over and a new log file created.

Similarly, protocol logs for Send Connectors can be controlled using the following parameters:

  • SendProtocolLogMaxAge
  • SendProtocolLogMaxDirectorySize
  • SendProtocolLogMaxFileSize

The default parameters work for most deployments, and ensures you don’t have to worry about purging the logs manually over time, or scheduling a script to do this periodically. You may want to observe the logs created in your environment to determine if these are sufficient, depending on the traffic and number of days worth of logs you want to keep around for troubleshooting.

SMTP logs are an important troubleshooting tool – enabling SMTP logging after the fact isn’t any help when troubleshooting SMTP mail flow.

Related posts and links:

Tags
       

{ 10 comments… read them below or add one }

Anonymous June 11, 2007 at 11:52 pm

Hi, the command is “set-transportserver “servername” -IntraOrgConnectorPROTOCOLLogginglevel verbose , not IntraOrgConnectorLogginglevel

Reply

Bharat Suneja June 12, 2007 at 7:03 am

Thanks for catching that – it should be -IntraOrgConnectorProtocolLoggingLevel. Corrected.

Reply

Juan Trevino July 14, 2010 at 10:13 pm

Any way to adjust the recorded time zone like in 2003?

Reply

Bharat Suneja July 22, 2010 at 12:07 pm

@Juan: No, that’s always GMT.

Reply

Wayne December 3, 2010 at 12:35 pm

Curious if you have to stop/pause any services, such as transport, when changing the log directory.

Reply

Sebastian Haensch December 20, 2010 at 12:38 am

No idea why logging in Exchange is still like 1999… maybe they think it’s to much of a performance impact.

Thank you for this blog!

Reply

abdullah February 17, 2014 at 1:37 am

how can i get some statistics on smtp relay

Reply

Mark Orser July 19, 2015 at 10:01 am

Hello,
Is SMTP AUTH logged when smtp is set to verbose? At least will I see the username used to authenticate?
Thanks

Reply

Claudio Mendes September 21, 2016 at 6:56 am

nice post

should be updated to reflect exchange 2013/2016

Reply

Bharat Suneja September 21, 2016 at 8:05 pm

Thanks for the feedback. Yes, an updated version for Exchange 2013/2016 would be great – although the official documentation on TechNet has improved quite a bit for these versions. :)

See Protocol logging in Exchange 2013 documentation.

Reply

Leave a Comment

{ 4 trackbacks }

Previous post:

Next post: