cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1799
Views
0
Helpful
3
Replies

Whitelist not working on c160

keithsauer507
Level 5
Level 5

We have a policy to block spoofed e-mail based on DKIM.  Any message with our domain that originates outside of our network will not be DKIM signed, and therefore goes into the quarantine 'policy'.

Our website however is hosted off site and we have a form that people can fill out to request information on products.  This runs PHP code that emails an address internally to us, but it's coming from the off site location.  Since it originates elsewhere, but the email has our @domainname in the from field, it is not DKIM signed so it goes into quarantine.

I found a whitelist option in the IronPort C160 and I put the IP address of the colocated webserver sending this message, but it still forwards these messages into 'policy'.

Any idea how to properly implement a whitelist from a known IP address?  I don't want to whitelist the address itself (admin@domainname.com), because any script kiddie could spoof it and try to craft a social engineering attack via e-mail.

Thanks!

3 Replies 3

Tze Tai Mak
Level 1
Level 1

The WHITELIST sender group under host access table (HAT) allows administrator to add sending IP or hostname into the list such that the emails from those hosts will follow TRUSTED mail flow policy (i.e. default settings are bigger mail flow and no antispam scanning, those settings can be changed according to your need).

For your DKIM incoming content filter, you can add one more condition (AND operation) to check that the emails are not sent from your hosted server IP.

i.e. remote-ip != '202.1.2.3'

Ok, well the content filter rules can only apply rules based on "Only if all condtions match", or "If one or more conditions match".  You can't mix and match things in the same filter, oddly like IF this AND this AND this OR if this, then send to Quarantine.

So we changed the domain name the hosted webserver is emailing from.  Instead of @ourdomain.com it's now something fictitious.  The department getting these inquirys never reply directly to these messages.  They are built from an online form, and the person filling out the form on the website enteres their name and phone number in fields to be contacted.

I just noticed you can add additional incoming mail policies besides the one it came with.

We have "Default Policy" which does all of the scanning of e-mail.  Would it be possible to create a new Incoming Mail Policy and add a "whitlisted" e-mail address as the Sender, and not apply any of the DKIM/spoofing checks?  Or would Default Policy trump all?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: