Edge Transport Attachment stripping based upon an email's Subject line.

I am running Exchange 2010 on-prem with a 2013 Hybrid (including a 2013 Edge Transport server for message handling between on-prem and the o365 tenant) connecting to an o365 tenant. I use EMC's SourceOne for archiving running on-prem. The o365 tenant points to a mailbox on my on-prem Journaling server.

What I am seeing is that when o365 forwards emails as attachments from the cloud back to the on-prem Journaling server it is examining the subject line of the message and making a decision to strip the attachment based upon the very end of the subject line.

Example: A simple text message with a subject line of: "Check out the new web site at www.xyz.com"

The Edge transport server is seeing this as being a ".com" attachment and stripping it off before it gets to the Journaling server. So it does not appear to be looking inside the message to see what it actually is and figure out that it is not a ".com" file but a simple text message.

I have seen this with other file extension types as well, such as ".exe". It is also stripping off ".zip" attachments as well, but I understand that and am not sure how to deal with it.

Has anyone else experienced this and how have you dealt with it? Microsoft wants me to take the Edge out of play and go directly from the cloud to an on-prem Exchange server. But that is not an option as the on-prem servers are not exposed to the internet.

Thanks, Bob

 
March 9th, 2015 11:10am

Just for testing, can you disable only IMF on the Edge antispam settings and see the results?
March 10th, 2015 2:47am

On the Edge server there are a couple of transport agents that are responsible for filtering. You can do a Get-TransportAgent to see a list of them, and then - just as Sathish recommended - toggle them off for a short period of time. This would clearly indicate if it's the Edge doing the modification or some other component/machine.

Also, can you run a Get-TransportRule against your Edge server? Transport rules aren't replicated from the Mailbox servers (ex-Hub Transport servers in Exchange 2010) but instead are unique to each Edge box. This link goes into more detail, and even though it's for Exchange 2010, it should still apply to 2013.

  • Proposed as answer by Allen_WangJF Wednesday, March 11, 2015 1:28 AM
March 10th, 2015 9:04am

Thanks for the replies folks. In working with Microsoft I decided to turn off attachment filtering altogether on the Edge server. Since there is EOP in the cloud and McAfee SaaS in front of the on-prem systems it seems safe enough to just not have the Edge do attachment filtering.
March 13th, 2015 10:39am
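
The checks suggested in the replies, a comparison of the subject quoted in the question against the Edge server's attachment filter entries, and a connector-scoped variant of the change described above, as an added example that is not from the thread. It assumes the attached message takes its name from the subject, as the original post's observation suggests; the connector name `From O365` is hypothetical, and `-like` only approximates how the agent compares names.

```powershell
# Added example. Run in the Exchange Management Shell on the Edge Transport server.
# Steps 1-4 only read configuration; step 5 uses -WhatIf, so nothing is changed.

# 1. Transport agents in execution order (look for "Attachment Filtering Agent").
Get-TransportAgent | Sort-Object Priority |
    Format-Table Identity, Enabled, Priority -AutoSize | Out-Host

# 2. Transport rules defined locally on this Edge server.
Get-TransportRule | Format-Table Name, State, Priority -AutoSize | Out-Host

# 3. Attachment filter entries and the action applied on a match.
$entries = @(Get-AttachmentFilterEntry)
Get-AttachmentFilterListConfig | Format-List Action, ExceptionConnectors | Out-Host

# 4. Compare candidate attachment names against the FileName entries.
#    -like is an approximation of the agent's own name matching.
$candidates = @(
    'Check out the new web site at www.xyz.com'  # subject quoted in the post
    'Weekly status update'                       # constructed control value
)
$report = foreach ($name in $candidates) {
    $hits = @($entries | Where-Object {
        $_.Type -eq 'FileName' -and $name -like $_.Name
    })
    [pscustomobject]@{
        AttachmentName  = $name
        MatchedEntries  = ($hits | ForEach-Object { $_.Identity }) -join ', '
        WouldBeFiltered = $hits.Count -gt 0
    }
}
$report | Format-Table -AutoSize -Wrap | Out-Host

# 5. Narrower option: exempt one connector from attachment filtering instead of
#    turning filtering off for all mail. 'From O365' is a hypothetical name.
#    -WhatIf previews the change; note the parameter replaces the existing list.
$connector = Get-ReceiveConnector -Identity 'From O365'
Set-AttachmentFilterListConfig -ExceptionConnectors $connector.Guid -WhatIf
```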

Hi BobSwe,

Thank you for your response.
If you have resolved this question, please mark useful replies as answer.

Thanks,

March 16th, 2015 9:29pm

This topic is archived. No further replies will be accepted.
