
Exchange leaves mails in the poison queue after email header modification

This article is a guest post by Sebastian Danisch. Many thanks to Sebastian for this article and the solution.

Guest article by Sebastian Danisch

A colleague of mine recently had the glorious idea of using Sophos UTM to modify the email header so that it removes the content ID from the header. His ulterior motive was to disguise the internal systems. What he hadn't considered was that this modification applies to all emails that pass through the UTM without exception, including incoming emails.

After some colleagues had wondered why no e-mails had arrived for several hours, I took a closer look. The UTM had dutifully forwarded all emails to the Exchange servers, but none of them had reached the mailboxes.

When I looked in the queue, I noticed a new entry. The Poison Queue:

Searches on the Internet on the subject yielded little or no information, only that Exchange holds back these mails because, in its judgement, they could damage the server.

There is no built-in way to tell Exchange to simply deliver these e-mails after all, i.e. to release them from this quarantine, so to speak.

In order to save the emails, we must first take them out of the queue and export them. For this we use the .eml format, which Outlook can read. The following is entered into the Exchange Management Shell (replace %SERVERNAME% and the export path with your own values; the Replace calls strip the < and > that surround every Message-ID, since NTFS does not allow them in file names):

Get-Message -Queue "%SERVERNAME%\Poison" -ResultSize Unlimited | ForEach-Object {$Temp="C:\PFAD_ZUR_WIEDERHERSTELLUNG\"+$_.InternetMessageID+".eml"; $Temp=$Temp.Replace("<","_"); $Temp=$Temp.Replace(">","_"); Export-Message $_.Identity | AssembleMessage -Path $Temp}

This exports all emails in the poison queue to the previously defined path as .eml files. A file is generated for each email, which has a numerical message ID at the start of the file name.

To get the exported mails delivered again, Exchange provides a so-called pickup directory. Mails in a format that Exchange can read are simply dropped into it. The directory can be found here:

The exported emails can all be copied in at once. In the best case scenario, they are now distributed to the individual mailboxes one after the other.

Incidentally, the emails are not deleted from the poison queue when they are exported. This can be done via the message flow control.

In our case, there were 3 emails, which also ended up in the poison queue again during pickup. In such a case, however, you can open the emails directly with Outlook and send them to the respective users.

Note from Frank

The Poison Queue has existed since Exchange 2007. Exchange holds emails in this queue if it believes they could pose a threat to the stability of the system. In the case described by Sebastian, the email header was modified by an upstream gateway; Exchange then classified the modified emails as a threat and parked them in the poison queue. Exchange will not attempt to deliver these mails without the intervention of an administrator. A short piece of documentation on the Poison Queue can be found here:

Exporting the mails from the Poison Queue to EML files also makes it possible to repair or add SMTP headers afterwards: the EML files can be opened with an editor to fix corrupt headers or add missing ones.
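The export, the header check and the drop into the pickup directory from Sebastian's procedure and Frank's note, combined into one script. This is an added example and not code from the original post or from Exchange; it assumes an Exchange Management Shell session on the transport server, uses placeholder values for the server name and export folder, and reads the pickup path from Get-TransportService (Exchange 2013 and later).

```powershell
# Added example (not from the original post). Assumes the Exchange Management Shell
# on the transport server; $ServerName and $ExportPath are placeholders.
function Export-PoisonQueue {
    param([string]$ServerName = $env:COMPUTERNAME, [string]$ExportPath = "C:\PoisonExport")
    New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
    # Message-IDs are wrapped in < > and may contain other characters NTFS rejects.
    $invalid = [System.IO.Path]::GetInvalidFileNameChars()
    Get-Message -Queue "$ServerName\Poison" -ResultSize Unlimited | ForEach-Object {
        $name = [string]$_.InternetMessageID
        foreach ($c in $invalid) { $name = $name.Replace([string]$c, "_") }
        $file = Join-Path $ExportPath "$name.eml"
        Export-Message $_.Identity | AssembleMessage -Path $file
        Get-Item $file
    }
}

# Check an exported EML before it goes into Pickup: the Pickup directory needs a
# From or Sender header, at least one recipient header, CRLF line endings and a
# blank line that terminates the header block. Files that fail stay for manual repair.
function Test-PickupCandidate {
    param([string]$Path)
    $raw = [System.IO.File]::ReadAllText($Path)
    $problems = @()
    $sep = $raw.IndexOf("`r`n`r`n")
    if ($sep -lt 0) { $problems += "no blank line after headers"; $headers = $raw }
    else { $headers = $raw.Substring(0, $sep) }
    if ($headers -notmatch '(?im)^(From|Sender):\s*\S') { $problems += "missing From/Sender header" }
    if ($headers -notmatch '(?im)^(To|Cc|Bcc):\s*\S')   { $problems += "no recipient header" }
    if ($raw -match '(?<!\r)\n')                         { $problems += "bare LF line endings" }
    [pscustomobject]@{ File = $Path; Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

# Copy into Pickup as .tmp and rename to .eml last, so the transport service
# never picks up a half-written file.
function Submit-ToPickup {
    param([string]$Path, [string]$ServerName = $env:COMPUTERNAME)
    $pickup = [string](Get-TransportService -Identity $ServerName).PickupDirectoryPath
    $tmp = Join-Path $pickup ([System.IO.Path]::GetFileNameWithoutExtension($Path) + ".tmp")
    Copy-Item -Path $Path -Destination $tmp
    Rename-Item -Path $tmp -NewName ([System.IO.Path]::GetFileName($Path))
}

# Export everything, submit only the clean files, and report the rest for editing.
foreach ($f in Export-PoisonQueue) {
    $check = Test-PickupCandidate -Path $f.FullName
    if ($check.Ok) { Submit-ToPickup -Path $f.FullName }
    else { Write-Warning "$($f.Name): $($check.Problems)" }
}
```

The messages remain in the poison queue after export, exactly as the post notes, so remove them there once the redelivered copies have arrived.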

The mails in the poison queue can also be redelivered without exporting them to an EML file, but in this case the header cannot be modified, so there is a risk that the mails will end up in the poison queue again. The redelivery attempt without export is described here:
