Send Again.ps1 - David-Barrett-MS/PowerShell-EWS-Scripts GitHub Wiki

Summary

Send-Again.ps1 is a PowerShell script that uses EWS (requires the EWS Managed API) to process messages for resending (e.g. Journal NDR messages can have the original journal message extracted so that it can be resent).

While the script exposes OAuth parameters and can work against an Exchange Online mailbox, it is not supported to host journal mailboxes in Exchange Online, so this script has not been tested there. It has only been tested against journal messages in an on-premises system (journaled from an Exchange Online mailbox).

Examples

Extract the journal messages from a Journal NDR mailbox and save them to a folder

$ndrcred = Get-Credential
.\Send-Again.ps1 -Mailbox "[email protected]" -EwsUrl "https://mail.darkbytes.co.uk/EWS/Exchange.asmx" -Credential $ndrcred -SaveToPickupFolder "c:\temp\pickup"

In this example, we are saving the .eml journal messages to a local folder (rather than directly to the Pickup folder). They can then be moved to the Exchange Pickup folder for reprocessing (which should attempt to send them to the original Journal mailbox).
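The move into the Pickup folder can be gated on a header check, since some extracted messages may have a blank From: header (see -DefaultFromAddress below). This is an added PowerShell example, not part of Send-Again.ps1. The function name Test-EmlHeaders, the $pickup and $reject paths, and the sender/recipient header requirement it checks are assumptions to adjust for your Exchange server.

```powershell
# Added example: review staged .eml files before handing them to Exchange.
$staging = 'C:\temp\pickup'                      # folder given to -SaveToPickupFolder above
$pickup  = 'D:\Exchange\TransportRoles\Pickup'   # placeholder: your server's Pickup directory
$reject  = 'C:\temp\pickup-rejected'             # hypothetical folder for files needing review

function Test-EmlHeaders {
    param([Parameter(Mandatory)][string]$Path)

    # Collect only the header block: everything before the first empty line.
    $headers = foreach ($line in (Get-Content -LiteralPath $Path -TotalCount 500)) {
        if ($line -eq '') { break }
        $line
    }

    # Assumption: the Pickup directory needs a non-blank From or Sender header
    # and at least one recipient header. -match is case-insensitive.
    # A header whose value is folded onto the next line counts as blank here,
    # so such a file is held back for manual review rather than submitted.
    $hasSender    = @($headers -match '^(From|Sender):\s*\S').Count -gt 0
    $hasRecipient = @($headers -match '^(To|Cc|Bcc):\s*\S').Count -gt 0
    return ($hasSender -and $hasRecipient)
}

New-Item -ItemType Directory -Path $reject -Force | Out-Null

foreach ($eml in Get-ChildItem -LiteralPath $staging -Filter '*.eml' -File) {
    if (Test-EmlHeaders -Path $eml.FullName) {
        # Headers look complete: hand the file to Exchange for reprocessing.
        Move-Item -LiteralPath $eml.FullName -Destination $pickup
    }
    else {
        # Keep the file out of the Pickup folder so it can be inspected.
        Write-Warning "Held back (missing sender or recipient header): $($eml.Name)"
        Move-Item -LiteralPath $eml.FullName -Destination $reject
    }
}
```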

Parameters

-Mailbox: Specifies the source mailbox (from which items will be moved/copied).

-FolderPath: Folder to search for NDRs - if omitted, the Inbox folder is assumed.

-SaveToPickupFolder: If set, messages will be saved to this folder instead of sent from the mailbox. You can specify multiple Pickup folders using an array, and a round robin process will be followed.

-FailPickupFolder: If set, any messages that can't be saved to Pickup folder will instead be saved to this folder (for debugging purposes).

-ReturnPath: If set, this return-path will be stamped on resent messages.

-SendUsingSMTP: NOT IMPLEMENTED.

-SMTPServerList: NOT IMPLEMENTED.

-WriteDirectlyToRecipientMailbox: NOT TESTED. If set, messages will be written directly into the recipients' mailbox(es). Requires the authenticating account to have ApplicationImpersonation rights on those mailboxes.

-MoveProcessedItemsToFolder: Folder to move processed items into.

-MoveFailedItemsToFolder: Folder to move failed items into (those we attempted to process but were unable to).

-MoveEncryptedItemsToFolder: Folder to move encrypted items into (we won't attempt to process them).

-RemoveEncryptedAttachments: If set, any items that are encrypted will have the encrypted content removed.

-IgnoreIdsLog: If an item is processed, but couldn't be moved, then the Id will be added to this file so that it can be ignored on future runs.

-AddAllItemsToIgnoreLog: If set, all items processed (or failed to process) will be logged to the ignore file (recommended if messages are not being moved once processed).

-BatchSize: Batch size for processing NDRs (the number of items queried from the Inbox at one time).

-FilterNDRsClientside: If specified, checks for the messageclass are done clientside so that no search is required on the server.

-MaxItemsToProcess: If specified, only this number of items will be processed (script will stop when this number is reached).

-MaxMessageSize: If specified, any messages larger than this will be failed (without being sent).

-OnlyResendTo: If specified, message will only be resent to the provided recipient(s).

-AddResendTo: If specified, specified recipient(s) will be added to the message.

-DefaultFromAddress: If specified, any messages found that have a blank From: header will have this address applied as the sender.

-ConfirmResendAddress: If specified, message will only be resent if the recipient specified in OnlyResendTo parameter was an original recipient of the email. If this isn't specified, then all messages will be resent.

-SearchSentItems: If the original message is not included as an attachment, attempt to find it in Sent Items.

-StatsCSV: Output statistics to the specified CSV file.

-Credential: Credentials used to authenticate with EWS (provided as PSCredential).

-OAuth: When specified, will use OAuth to access the mailbox (required for MFA-enabled accounts) - this requires the ADAL DLLs to be available.

-OAuthClientId: The application Id as registered in Azure AD. If not specified, a global registration will be used that supports delegated access only (and will need consent to be able to access mailboxes).

-OAuthTenantId: The tenant Id in which the application is registered. If missing, application is assumed to be multi-tenant and the common log-in URL will be used.

-OAuthRedirectUri: The redirect Uri of the Azure registered application (defaults to http://localhost/code).

-OAuthSecretKey: Secret key to be used when obtaining access token. If this is specified, then application permissions are requested and no user log-on will be required.

-OAuthCertificate: The OAuth certificate to be used when obtaining access token. Application permissions are requested in this scenario. You can obtain a certificate from your own certificate store using the thumbprint: Get-Item Cert:\CurrentUser\My\50B510B4AE120D9B0EE3F059B6DD494469CD6D3B.

-GlobalTokenStorage: If set, OAuth tokens will be stored in global variables for access in other scripts/console. These global variables will be checked by later scripts using delegate auth to prevent additional log-in prompts.

-Impersonate: If set, ApplicationImpersonation is used to access the mailbox(es).

-EwsUrl: EWS Url (if omitted, and -Office365 not specified, then autodiscover is used).

-Office365: If set, requests are directed to Office 365 endpoint (overrides -EwsUrl).

-ForceTLS12: If specified, only TLS 1.2 connections will be negotiated.

-EWSManagedApiPath: Path to managed API (if omitted, a search of standard paths is performed).

-IgnoreSSLCertificate: If set, invalid SSL certificates will be ignored and the connection made regardless. Use with care; required for self-signed certificates.

-AllowInsecureRedirection: If set, insecure redirection will be allowed during AutoDiscover.

-LogFile: Logs script activity to the specified file.

-TraceFile: Write all EWS traffic (requests/responses/headers) to the specified file.

-WhatIf: If set, no changes will be made to the target mailbox (but actions that would be taken will be logged).