How to count which business systems use SMTP and EWS to send emails through Exchange 2019?

yanhaowen 105 Reputation points

Hi:

How to count which business systems use SMTP and EWS to send emails through Exchange 2019?

thanks


Answer accepted by question author

Hani-Ng 11,835 Reputation points Microsoft External Staff Moderator

Hi yanhaowen

Based on my research, there are no built-in GUI reports in Microsoft Exchange Server 2019 that directly show which business systems are using SMTP or EWS. The recommended approach is to analyze Exchange transport logs for SMTP activity and IIS/Exchange HTTP proxy logs for EWS activity.

Identify systems using SMTP

SMTP activity can be identified from Message Tracking Logs and, for more detailed connection analysis, SMTP Protocol Logs.

  • Message Tracking Logs: The following PowerShell example checks the last 7 days of SMTP receive events and groups them by client IP address:
$StartDate = (Get-Date).AddDays(-7)
Get-TransportService | ForEach-Object {
 Get-MessageTrackingLog -Server $_.Name `
 -Start $StartDate `
 -EventId RECEIVE `
 -Source SMTP `
 -ResultSize Unlimited
} |
Group-Object ClientIp |
Sort-Object Count -Descending |
Select-Object @{Name="Client IP Address";Expression={$_.Name}},
 @{Name="Total Emails Sent";Expression={$_.Count}} |
Format-Table -AutoSize

This helps identify which systems are submitting the highest volume of SMTP messages. You can then correlate the IP addresses with DNS, CMDB, or network inventory records to determine the associated business applications (ERP systems, scanners, monitoring tools, etc.).

  • SMTP Protocol Logs: Message Tracking Logs only show successfully processed messages. For more complete SMTP connection auditing, including connector usage and authentication details, SMTP Protocol Logging is recommended.

Check whether protocol logging is enabled:

Get-ReceiveConnector | Select Name,ProtocolLoggingLevel

Enable verbose logging if needed:

Set-ReceiveConnector "Connector Name" -ProtocolLoggingLevel Verbose

SMTP protocol logs are stored here:

C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\ProtocolLog\SmtpReceive

These logs provide additional information such as:

  • Remote IP address
  • HELO/EHLO hostname
  • Authenticated account
  • Connector used
  • SMTP session details

Identify systems using EWS

Because EWS operates over HTTPS, its activity is not recorded in transport logs. Instead, you must analyze IIS logs and Exchange HTTP proxy logs.

  • IIS Logs:

IIS logs are typically located here:

C:\inetpub\logs\LogFiles\W3SVC1

Search for:

/EWS/Exchange.asmx

Example PowerShell:

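# Split the log line itself; the field position follows the log's #Fields header.
# With the default IIS W3C field set, index 8 is c-ip and index 9 is cs(User-Agent).
Get-ChildItem "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log" |
Select-String "/EWS/Exchange.asmx" |
ForEach-Object { ($_.Line -split ' ')[8] } |
Group-Object | Sort-Object Count -Descending

This shows which systems (by User-Agent)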

  • Review User-Agent strings:

Many applications identify themselves via the User-Agent field in IIS logs (cs(User-Agent)).

This often reveals the application (e.g. Outlook, BackupExec, Mimecast, EWS clients).

  • Use Exchange HttpProxy EWS logs:

Exchange also logs EWS activity here:

C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Ews

Example:

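# The "#Software", "#Fields" ... metadata rows that follow the header row are filtered out
# so they are not counted as requests with an empty AuthenticatedUser.
Import-Csv "C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Ews\*.log" |
Where-Object { $_.DateTime -notlike '#*' } |
Group-Object AuthenticatedUser |
Sort-Object Count -Descending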

This method is often simpler and more useful than raw IIS parsing, especially for identifying service accounts.

Not all modern applications use EWS anymore. Depending on your environment, you may also see:

  • Microsoft Graph API
  • SMTP AUTH
  • Direct Send
  • Other REST-based integrations

If your goal is migration or decommissioning (especially from Exchange 2019), you should also review:

  • SMTP AUTH usage
  • OAuth usage
  • Basic authentication dependencies

I hope this information helps, and if you have any questions, please feel free to ask via the comment section!


Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
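The SMTP protocol log fields listed in the answer above (remote IP, HELO/EHLO hostname, authenticated account, connector) can be rolled up into one row per sending host. This is an added example, not part of the original answer: the log lines are constructed samples, and it assumes the standard protocol-log columns and that a successful login is logged as a `*` event whose context is `authenticated`.

```powershell
# Constructed sample lines in the SmtpReceive protocol log layout (not real traffic).
# On a server, read the real files instead, for example:
#   $lines = Get-ChildItem "<SmtpReceive log folder>\*.log" | Get-Content
$lines = @'
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2025-01-10T08:00:01.100Z,EX01\Relay Apps,08DD000000000001,0,10.0.0.5:25,10.0.1.20:50112,+,,
2025-01-10T08:00:01.150Z,EX01\Relay Apps,08DD000000000001,2,10.0.0.5:25,10.0.1.20:50112,<,EHLO erp01.example.test,
2025-01-10T08:00:02.300Z,EX01\Client Frontend EX01,08DD000000000002,0,10.0.0.5:587,10.0.1.31:40022,+,,
2025-01-10T08:00:02.350Z,EX01\Client Frontend EX01,08DD000000000002,2,10.0.0.5:587,10.0.1.31:40022,<,EHLO scanner-3f,
2025-01-10T08:00:02.900Z,EX01\Client Frontend EX01,08DD000000000002,9,10.0.0.5:587,10.0.1.31:40022,*,EXAMPLE\svc_scan,authenticated
2025-01-10T08:05:00.000Z,EX01\Relay Apps,08DD000000000003,0,10.0.0.5:25,10.0.1.20:50250,+,,
2025-01-10T08:05:00.040Z,EX01\Relay Apps,08DD000000000003,2,10.0.0.5:25,10.0.1.20:50250,<,EHLO erp01.example.test,
'@ -split '\r?\n'

# Column names as given on the #Fields line; "#" metadata lines are dropped before parsing.
$header = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'
$events = $lines | Where-Object { $_ -and $_ -notmatch '^#' } |
    ConvertFrom-Csv -Header $header

# One row per remote IP (source port stripped), listing what each host announced and used.
$inventory = $events |
    Group-Object { $_.'remote-endpoint' -replace ':\d+$', '' } |
    ForEach-Object {
        $rows = $_.Group
        [pscustomobject]@{
            RemoteIP   = $_.Name
            Sessions   = @($rows.'session-id' | Sort-Object -Unique).Count
            Connectors = ($rows.'connector-id' | Sort-Object -Unique) -join '; '
            # "<" marks a command received from the client; keep the HELO/EHLO argument.
            HeloNames  = ($rows |
                Where-Object { $_.event -eq '<' -and $_.data -match '^(HELO|EHLO)\s+\S+' } |
                ForEach-Object { ($_.data -split '\s+')[1] } | Sort-Object -Unique) -join '; '
            # Assumption: a successful AUTH is a "*" event with context "authenticated".
            AuthUsers  = ($rows |
                Where-Object { $_.event -eq '*' -and $_.context -eq 'authenticated' } |
                ForEach-Object data | Sort-Object -Unique) -join '; '
        }
    }

$inventory | Sort-Object Sessions -Descending | Format-Table -AutoSize
```

An empty AuthUsers column marks anonymous relay; those hosts are the ones to match against DNS or CMDB records by IP and EHLO name.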

  1. yanhaowen 105 Reputation points

    [User's image]

    This is the IP address of Exchange Server 2019.

  2. Hani-Ng 11,835 Reputation points Microsoft External Staff Moderator

    Please note that our forum is a public platform, and we will modify your screenshot to hide your personal information in the description. Kindly ensure that you hide any personal or organizational information the next time you post an error or other details to protect personal data.

    Hi yanhaowen

    Please try running an nslookup first to check the DNS resolution. I have also sent you a private message, kindly review it when convenient.

    For more detailed information: nslookup | Microsoft Learn

  3. Hani-Ng 11,835 Reputation points Microsoft External Staff Moderator

    Hi yanhaowen

    I just wanted to follow up to see if you have any updates or need any additional information. Please feel free to let me know! 



1 additional answer

  1. AI answer

    Exchange 2019 itself does not provide a single built‑in report that lists “which business systems use SMTP vs EWS.” This must be inferred from how applications connect and send mail.

    From the provided context, only EWS behavior and throttling are documented; SMTP reporting is not covered. The following can be done based on the EWS information in the context:

    1. Identify applications using EWS
      • EWS applications access mailboxes by sending SOAP-based XML over HTTP/HTTPS to Exchange, as described in the EWS architecture: applications that “post XML through HTTP” to the EWS endpoint are using EWS.
      • Any application that sends messages using the EWS EmailMessage class (EWS Managed API) or the Message element (raw EWS) is an EWS-based mail sender.
      • In code or configuration reviews of business systems, look for:
        • Use of the EWS Managed API (Microsoft.Exchange.WebServices.Data.EmailMessage, ExchangeService, Send/SendItem operations).
        • Direct SOAP calls to the EWS endpoint (/EWS/Exchange.asmx) using Message elements.
    2. Use EWS throttling behavior as an indicator
      • EWS and other Exchange clients are subject to throttling policies that include:
        • MessageRateLimit: messages per minute per mailbox.
        • RecipientRateLimit: recipients per 24 hours per mailbox.
      • Applications that send large batches of email via EWS may hit these limits, causing messages to remain in Outbox/Drafts longer. If a business system reports such symptoms, it is likely using EWS.
    3. Distinguish SMTP vs EWS at the application level
      • SMTP-based systems will be configured with an SMTP host, port (for example 25 or 587), and optional authentication, and will not reference EWS classes or SOAP endpoints.
      • EWS-based systems will reference EWS endpoints and APIs as described above.
    4. Practical approach to counting systems
      • Inventory application configurations:
        • For each business system, check whether it is configured with an SMTP server/port (SMTP sender) or with EWS endpoint/credentials and EWS APIs (EWS sender).
      • For EWS senders, confirm by checking code or documentation for EmailMessage, ExchangeService, SendItem, or SOAP Message elements.
      • For SMTP senders, confirm by presence of SMTP server settings and absence of EWS usage.

    The context does not provide specific Exchange 2019 logging or reporting commands to enumerate SMTP vs EWS clients automatically, so the above method relies on application configuration and EWS usage patterns.

