Friday, 27 March 2015

Understanding IMCEA and IMCEAEX Encapsulation

When sending an email initially Outlook will lookup the sender and recipient against the global address list (GAL.) If the recipient can't be found it is encapsulated with IMCEA (Internet Mail Connector Encapsulated Addressing) like follows:

IMCEAEX-_O=CONTOSO_OU=First+20Administrative+20Group_cn=Recipients_cn=user@domain.com

The domain (domain.com) taken from the GAL object unless the lookup failed; in that case the forest DN is used.

If you see IMCEAEX (with the addition of EX appended) it means that the address that is encapsulated is not an SMTP address.

You can search for IMCEAEX events in the mail flow logs with powershell:
Get-TransportService | Get-MessageTrackinglog -EventID FAIL -Start (Get-Date).AddDays(-5) -ResultSize Unlimited | Where {$_.Recipients -match "^IMCEAEX*"} | FL

You can decapsulate the addresses by doing the following:

We can convert the unicode characters in the string to human readable format - so for example to extract the address from the following string:

{IMCEAEX-_o=org_ou=Exchange+20Administrative+20Group_cn=Recipients_cn=Joe+20Bloggs@domain.com}{[{LRT=};{LED=550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found};{FQDN=};{IP=}]}

will be converted to identify all of the unicode characters
We append U+00 to +20, so it becomes U+0020 (which is a space)
and so on...

o=org_ou=Exchange Administrative Group_cn=Recipients_cn=Joe [email protected]

There is also a very good MSDN article here (https://msdn.microsoft.com/en-us/library/gg709715%28v=exchg.80%29.aspx) that explains this process in more detail.

0 comments:

Post a Comment