Note This does not comply with Directive 2006/24/EC set by the European Union regarding data retention.
After you apply this update, a new attribute named ProtocolLogonAudit is created for the Exchange organization object. You can use the Set-OrganizationConfig cmdlet to set the value for the ProtocolLogonAudit attribute to True or False. The default setting is False. Therefore, the successful connecting information not to be logged.
Additionally, there is a setting for each Exchange Server 2007 server to override the Exchange organization setting. You can set the value for the ProtocolLogonAudit attribute in the Microsoft.Exchange.Imap4.exe.config file and in the Microsoft.Exchange.Pop3.exe.config file for each Exchange Server 2007 server in the Exchange organization. To log all the connecting information, add the following information in the <appSettings> section in the Microsoft.Exchange.Imap4.exe.config file and in the Microsoft.Exchange.Pop3.exe.config file:
<add key="ProtocolLogonAudit" value="1" />
Note If you set the value to "0" or you do not configure this setting, the Exchange Server 2007 server uses the Exchange organization setting. If you set the value to "2", the auditing is disabled. Then the successful connecting information is not logged.
After you enable the ProtocolLogonAudit attribute, you have to restart the Microsoft Exchange IMAP4 service and the Microsoft Exchange POP3 service for the settings to take effect. Then, If a user accesses a mailbox successfully by using POP3 or by using IMAP4, the following event is logged:
Event Type: Information
Event Source: MSExchangeIMAP4/MSExchangePOP3
Event ID: 2104
User "<user name>" logged into mailbox "<mailbox name>"
RemoteUser: <domain>\<user account>
Mailbox: <mailbox name>
ProtocolServiceName:<IMAP4 or POP3>
TimeStamp: <date, time>
ClientEndpoinr: <IP address:port>