[KB3761] ESET Mail Security for Microsoft Exchange Server mailbox count

Issue

Solution

ESET Mail Security for Microsoft Exchange Server (EMSX) checks the entire Active Directory of the host Exchange server to determine your total mailbox count. The Monitoring window in ESMX displays two types of mailbox counts: domain and local.

  • The domain mailbox count reflects the count of all mailboxes in a specific domain to which the Exchange server (on which EMSX is installed) belongs.
  • The local mailbox count reflects the count of mailboxes for the Exchange server where EMSX is installed.

    Figure 1-1

Resource mailboxes (for example, a conference room mailbox), email aliases, system mailboxes (used only for internal purposes of Microsoft Exchange Server), and disabled mailboxes are not included in the mailbox count. In a clustered environment, nodes with the clustered mailbox role are not included in the mailbox count. General mailboxes such as "info@", "support@", or "mail@" are counted if they are related to existing physical mailboxes.

A mailbox is not counted if the address is an alias of another mailbox.


Example scenarios for counting domain and local mailboxes

Example 1

In this example, the abcd.com domain consists of five Exchange Servers (ES):

Figure 1-2
  • If EMSX was installed on the Exchange Server in the HUB role, we would see the following mailbox count in the backend of EMSX:

    • domain: 410 (250 + 50 + 50 + 60)
    • local: 0

  • If EMSX was installed on the Exchange Server (2) in the MAILBOX role, we would see the following mailbox count in the backend of EMSX:

    • domain: 410 (250 + 50 + 50 + 60)
    • local: 250

The active mailbox quantity reported for the license used for the EMSX installations would be 410.

Example 2

In this example, we have two domains – abcd.com and efgh.com – within an active directory. There is a trust relationship between those domains, and the EMSX license is being used in both domains.

Figure 1-3

  • The number of domain mailboxes in domain abcd.com is 410; it is 150 in domain efgh.

  • If EMSX was installed in domain abdc.com on an Exchange Server (2) occupying the MAILBOX role, we would see the following mailbox count in the backend of EMSX:

    • domain: 560 (410 + 150)
    • local: 250

  • If EMSX was installed in domain efgh.com on an Exchange Server (3) occupying the MAILBOX role, we would see the following mailbox count in the backend of EMSX:

    • domain: 560 (410 + 150)
    • local: 40

The active mailbox quantity reported for the license used for the EMSX installations would be 560.

Updates to mailbox counts

The count of the domain and local mailboxes displayed in ESET Mail Security is updated approximately every 15-30 minutes.

The active mailbox quantity is reported to ESET Business Account or ESET PROTECT Hub every 24 hours, or whenever the ekrn service is started again in cases where a restart of the exchange server (on which EMSX is installed) is performed.


Determine the amount of Exchange-enabled mailboxes

To determine how many Exchange-enabled mailboxes you have, you can use the EMSX Mailbox Count tool or the Active Directory custom search.

EMSX Mailbox Count tool

Download the EMSX Mailbox Count tool and run it through the command line (type or copy/paste in the command EMSX_VerifyMailboxCount.exe from the directory where you saved the tool) using one of the following parameters:

/count - displays the number of mailboxes
/names - displays the names of the users
/details - displays a detailed description of each mailbox
/multiline - (together with /details parameter) displays the multiline detailed description

Figure 2-1
Active Directory custom search

To determine the number of mailboxes using the Active Directory custom search, open Active Directory users and computers on the server. Right-click the domain and select Find from the context menu. In the Find drop-down menu, select Custom search and then click the Advanced tab. Paste in the following Lightweight Directory Access Protocol (LDAP) query and click Find Now (for Exchange 2013, the health mailboxes are not tallied in the count):

  • (&(objectClass=user)(objectCategory=person)(mailNickname=*)(|(homeMDB=*)(msExchHomeServerName=*))(!(name=SystemMailbox{*))(!(name=CAS_{*))(!(name=HealthMailbox*))(msExchUserAccountControl=0)(!userAccountControl:1.2.840.113556.1.4.803:=2))
Figure 2-2

Why are my resource mailboxes tallied in the Active Directory mailbox count and what can I do about it?

The license verification mechanism in EMSX retrieves the number of mailboxes from Active Directory and counts all physical mailboxes for Active Directory accounts. If an account with a physical mailbox exists within Active Directory but is disabled, it is not included in the count. If you have resource mailboxes such as a Room mailbox or Equipment mailbox that are not actually being used, but accounts for these are enabled, they will be counted.

Based on the general settings recommendations for managing resource mailboxes, these mailboxes should be configured as follows:

  • Room mailbox: This is a mailbox to be assigned specifically to Meeting Rooms; its associated user account will be disabled in Active Directory.
  • Equipment mailbox: This is a mailbox specific to equipment, (for example, televisions, projectors, etc.). As with a Resource mailbox, this kind of mailbox will create a disabled user in Active Directory.

The EMSX algorithm does not count mailboxes with disabled accounts.

If the Administrator account is enabled and can receive email messages assigned to the account, it could potentially be compromised by malware or an infected email. For this reason, EMSX is designed to protect such mailboxes. If this mailbox is not being used, it could be disabled, and not counted.

ESET license verification is built only to check valid mailboxes for which antivirus and antispyware solutions should be applied.