12-28-2011 03:37 AM
I'm trialling an Ironport C160, and having problems with the content filter. I have an incoming content filter that is set to drop incoming attachments of type jpeg. However, the ironport just lets the attachment past.
The content filter is applied to the default incoming policy. I also tried setting it up as a separate policy with higher priority to default, but the attachment was still allowed through.
If I check the tracking, it says
MAIL POLICY "DEFAULT" MATCHED THESE RECIPIENTS: user@domain.com
So it seems that it goes through the policy, but doesn't apply the content filter.
Any idea what I'm doing wrong?
12-28-2011 04:38 AM
Or should I be using Message Filtering, rather than content filtering to quarantine or drop attachments?
12-28-2011 07:30 AM
Under Mail Policies | Incoming Content Filter add a content filter, then add a condition for your desired file type, then add two conditions. #2 Action is to send you an email (if you wish, that's what I did) informing you of the quarantine, and #1 Action is to quarantine the incoming email.
Then create an Incoming Mail Policy, Call it "JPG Quarantine", and tell it to use the Content Filter you created above.
Caveat: I'm new to this and the above is most likely worth exactly what you paid for it. But, hth anyway.
12-28-2011 07:34 AM
Hi Greg, that's exactly how I configured it.
I also tried adding a message filter from the CLI, same problem.
12-28-2011 07:42 AM
MAIL POLICY "DEFAULT" MATCHED THESE RECIPIENTS: recipient@abc.com | |
---|---|
28 Dec 2011 15:36:17 (GMT) | Protocol SMTP interface Data1 (IP 192.168.1.17) on incoming connection (ICID 239) from sender IP 192.168.1.199. Reverse DNS host None verified no. |
28 Dec 2011 15:36:17 (GMT) | (ICID 239) RELAY sender group RELAYLIST match 192.168.1. SBRS rfc1918 |
28 Dec 2011 15:36:17 (GMT) | Start message 271 on incoming connection (ICID 239). |
28 Dec 2011 15:36:17 (GMT) | Message 271 enqueued on incoming connection (ICID 239) from sender@gmail.com. |
28 Dec 2011 15:36:17 (GMT) | Message 271 on incoming connection (ICID 239) added recipient (recipient@abc.com). |
28 Dec 2011 15:36:17 (GMT) | Message 271 contains message ID header '<CAKFcXox=Py78A6q_qRp1DaPOd0yNG7td8QCchLJxZzGo5h_KHg@mail.gmail.com>'. |
28 Dec 2011 15:36:17 (GMT) | Message 271 original subject on injection: JP |
28 Dec 2011 15:36:17 (GMT) | Message 271 (7685 bytes) from sender@gmail.com ready. |
28 Dec 2011 15:36:17 (GMT) | Message 271 matched per-recipient policy DEFAULT for outbound mail policies. |
28 Dec 2011 15:36:17 (GMT) | Message 271 queued for delivery. |
28 Dec 2011 15:36:17 (GMT) | SMTP delivery connection (DCID 254) opened from IronPort interface 192.168.1.17 to IP address 192.168.1.25 on port 25. |
28 Dec 2011 15:36:17 (GMT) | (DCID 254) Delivery started for message 271 to. |
28 Dec 2011 15:36:17 (GMT) | (DCID 254) Delivery details: Message 271 sent to recipient@abc.com |
28 Dec 2011 15:36:17 (GMT) | Message 271 to recipient@abc.com received remote SMTP response '2.6.0 <CAKFcXox=Py78A6q_qRp1DaPOd0yNG7td8QCchLJxZzGo5h_KHg@mail.gmail.com> Queued mail for delivery'. |
12-28-2011 08:29 AM
MAIL POLICY "Greg Test" MATCHED THESE RECIPIENTS: g_hopp@abc.org | |
---|---|
28 Dec 2011 11:18:16 (GMT -05:00) | Protocol SMTP interface Inbound Mail (IP 10.27.27.10) on incoming connection (ICID 1849114) from sender IP 74.125.82.53. Reverse DNS host mail-ww0-f53.google.com verified yes. |
28 Dec 2011 11:18:16 (GMT -05:00) | (ICID 1849114) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 4.4 |
28 Dec 2011 11:18:16 (GMT -05:00) | Start message 178731 on incoming connection (ICID 1849114). |
28 Dec 2011 11:18:16 (GMT -05:00) | Message 178731 enqueued on incoming connection (ICID 1849114) from senderisme@gmail.com. |
28 Dec 2011 11:18:16 (GMT -05:00) | Message 178731 on incoming connection (ICID 1849114) added recipient (g_hopp@abc.org). |
28 Dec 2011 11:18:18 (GMT -05:00) | Message 178731 contains message ID header '<CAC2-sMEro0jn8R0uYGa8kPhDNYmvu2R9feNiJqB2qwCZU0No4g@mail.gmail.com>'. |
28 Dec 2011 11:18:18 (GMT -05:00) | Message 178731 original subject on injection: Test PDF Attachments |
28 Dec 2011 11:18:18 (GMT -05:00) | Message 178731 (138562 bytes) from senderisme@gmail.com ready. |
28 Dec 2011 11:18:18 (GMT -05:00) | Message 178731 matched per-recipient policy Greg Test for inbound mail policies. |
28 Dec 2011 11:18:18 (GMT -05:00) | Message 178731 scanned by Anti-Spam engine: CASE. Interim verdict: Negative |
28 Dec 2011 11:18:18 (GMT -05:00) | Message 178731 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative. |
28 Dec 2011 11:18:18 (GMT -05:00) | Message 178731 scanned by Anti-Spam engine: CASE. Final verdict: Negative |
28 Dec 2011 11:18:18 (GMT -05:00) | Message 178731 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN |
28 Dec 2011 11:18:18 (GMT -05:00) | Message 178731 scanned by Anti-Virus engine. Final verdict: Negative |
28 Dec 2011 11:18:18 (GMT -05:00) | Message 178731 quarantined to Policy. Content filter PDFQuarantine. |
12-28-2011 08:57 AM
Thanks Greg, your time is appreciated. I compared your logs to mine, and could see that I had a relay allowed from 192.168.1.x.
The ironport seems to bypass the policy when the relay is allowed.
I removed it completely, and the attachment was blocked as expected:
MAIL POLICY "DEFAULT" MATCHED THESE RECIPIENTS: recipient@abc.com | |
28 Dec 2011 16:52:12 (GMT) | Protocol SMTP interface Data1 (IP 192.168.1.17) on incoming connection (ICID 249) from sender IP 192.168.1.199. Reverse DNS host None verified no. |
28 Dec 2011 16:52:12 (GMT) | (ICID 249) ACCEPT sender group UNKNOWNLIST match sbrs[none] SBRS rfc1918 |
28 Dec 2011 16:52:12 (GMT) | Start message 281 on incoming connection (ICID 249). |
28 Dec 2011 16:52:12 (GMT) | Message 281 enqueued on incoming connection (ICID 249) from sender@gmail.com. |
28 Dec 2011 16:52:12 (GMT) | Message 281 on incoming connection (ICID 249) added recipient (recipient@abc.com). |
28 Dec 2011 16:52:12 (GMT) | Message 281 contains message ID header '<CAKFcXoyJuHN5C9AoX51v0RxTnP=Gar65W1gjdEv+UfL-GjUdWg@mail.gmail.com>'. |
28 Dec 2011 16:52:12 (GMT) | Message 281 original subject on injection: t |
28 Dec 2011 16:52:12 (GMT) | Message 281 (63617 bytes) from sender@gmail.com ready. |
28 Dec 2011 16:52:12 (GMT) | Message 281 matched per-recipient policy DEFAULT for inbound mail policies. |
28 Dec 2011 16:52:13 (GMT) | Message 281 scanned by Anti-Spam engine: CASE. Interim verdict: Negative |
28 Dec 2011 16:52:13 (GMT) | Message 281 scanned by Anti-Spam engine: CASE. Final verdict: Negative |
28 Dec 2011 16:52:13 (GMT) | Message 281 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN |
28 Dec 2011 16:52:13 (GMT) | Message 281 scanned by Anti-Virus engine. Final verdict: Negative |
28 Dec 2011 16:52:13 (GMT) | Message 281 quarantined to FilterDebug. Content filter Doc. |
12-28-2011 09:17 AM
I saw that too and hoped that the differences between ours would be significant to you. Sounds like you got it.
Glad to help.
Greg
12-28-2011 08:41 PM
Dear Graham,
Please note that emails received from the RELAYLIST sender group, a sender group with the RELAYED mail flow policy or a mail flow policy with 'Relay' connection behavior, or a connection with SMTP AUTH are all considered outgoing emails. You need to add a new outgoing content filter if you want to block any JPG file attachment being sent out from your company.
Please note that there are two content filters (attachment filename and attachment filetype). The attachment filetype filter is based on a binary fingerprint of the attachment and can catch a renamed file extension (e.g. a JPEG file renamed with the file extension .DOC).
Cheers,
Tommy
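The behaviour Tommy describes can be checked directly from message tracking output. The following is an added example, not part of the original posts and not Cisco code: it parses lines copied from the logs posted in this thread and reports which messages were classified as outbound, and therefore never evaluated against incoming content filters. The function names and regular expressions are assumptions based only on the log layout shown above.

```python
import re

# Lines copied from the tracking output posted earlier in this thread.
LOG = """\
28 Dec 2011 15:36:17 (GMT) | (ICID 239) RELAY sender group RELAYLIST match 192.168.1. SBRS rfc1918 |
28 Dec 2011 15:36:17 (GMT) | Start message 271 on incoming connection (ICID 239). |
28 Dec 2011 15:36:17 (GMT) | Message 271 matched per-recipient policy DEFAULT for outbound mail policies. |
28 Dec 2011 15:36:17 (GMT) | Message 271 queued for delivery. |
28 Dec 2011 16:52:12 (GMT) | (ICID 249) ACCEPT sender group UNKNOWNLIST match sbrs[none] SBRS rfc1918 |
28 Dec 2011 16:52:12 (GMT) | Start message 281 on incoming connection (ICID 249). |
28 Dec 2011 16:52:12 (GMT) | Message 281 matched per-recipient policy DEFAULT for inbound mail policies. |
28 Dec 2011 16:52:13 (GMT) | Message 281 quarantined to FilterDebug. Content filter Doc. |
"""

# Patterns are assumptions derived from the log layout above.
CONN = re.compile(r"\(ICID (\d+)\) (\w+) sender group (\S+)")
START = re.compile(r"Start message (\d+) on incoming connection \(ICID (\d+)\)")
POLICY = re.compile(
    r"Message (\d+) matched per-recipient policy (.+?) for (inbound|outbound) mail policies")
FILTER = re.compile(r"Message (\d+) quarantined to (.+?)\. Content filter (.+?)\.")


def trace(log):
    """Return {message id: connection action, sender group, direction, filter}."""
    conns, msgs = {}, {}
    for line in log.splitlines():
        if m := CONN.search(line):
            conns[m[1]] = {"action": m[2], "sender_group": m[3]}
        elif m := START.search(line):
            # Tie the message (MID) to the connection (ICID) that injected it.
            msgs[m[1]] = {**conns.get(m[2], {}), "direction": None,
                          "policy": None, "content_filter": None}
        elif m := POLICY.search(line):
            msgs.setdefault(m[1], {}).update(policy=m[2], direction=m[3])
        elif m := FILTER.search(line):
            msgs.setdefault(m[1], {}).update(content_filter=m[3])
    return msgs


def skipped_incoming_filters(msgs):
    """Message ids handled as outbound, so no incoming content filter ran."""
    return sorted(mid for mid, r in msgs.items() if r.get("direction") == "outbound")


if __name__ == "__main__":
    for mid, rec in trace(LOG).items():
        print(mid, rec)
    print("not seen by incoming filters:", skipped_incoming_filters(trace(LOG)))
```
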
12-29-2011 03:11 AM
Thanks for the clarification, Tommy.
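The difference between the attachment filename and attachment filetype conditions mentioned above, as an added example that is not part of the original thread and is not how the appliance is implemented: a filename check and a leading-bytes check are run over a constructed message whose JPEG attachment has been renamed to .doc. The signature table, function names and sample message are assumptions for illustration.

```python
from email.message import EmailMessage

# Leading "magic" bytes for a few formats; an illustrative subset only.
MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
}


def sniff(data):
    """Return the format whose signature starts the data, or None."""
    for kind, signature in MAGIC.items():
        if data.startswith(signature):
            return kind
    return None


def match_by_filename(msg, extensions):
    """Attachments whose declared name ends with one of the extensions."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(tuple(extensions))]


def match_by_filetype(msg, kinds):
    """Attachments whose decoded content starts with a listed signature."""
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if sniff(data) in kinds:
            hits.append(part.get_filename())
    return hits


def sample_message():
    """Constructed message: the same JPEG-like bytes under two names."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "t"
    msg.set_content("see attached")
    msg.add_attachment(jpeg, maintype="application", subtype="msword",
                       filename="holiday.doc")
    msg.add_attachment(jpeg, maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    return msg


if __name__ == "__main__":
    m = sample_message()
    print("filename condition:", match_by_filename(m, (".jpg", ".jpeg")))
    print("filetype condition:", match_by_filetype(m, {"jpeg"}))
```
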