Cisco Support Community
Community Member

C160 encryption policy and content filter

I have our C160 set up to use the external CRES service.

I have an outgoing Policy #1 (named Cisco-registered-envelope) which applies to a couple of LDAP groups. There is an associated content policy that has a condition of =="[SEND SECURE]" in the Subject Header, with the end/final action being Encrypt and Deliver Now.

I have a 2nd outgoing Policy which applies to everyone at "ourdomain.org" and has no content policies associated with it (Disabled).

For emails containing the correct "condition", the system correctly encrypts the email.

However, I get random encryption for outgoing emails that don't meet the "encryption" content policy.

When looking at the history details of one of the encrypted messages (that shouldn't have been) it lists:

Message 52241 matched per-recipient policy Cisco-registered-envelope for outbound mail policies

From a user standpoint, both policies include the same sets of users, it's just that the Policy (Cisco-registered-envelope) contains an outgoing content filter (named Email_encryption) with the required condition of =="[SEND SECURE]" in the Subject Header.

I don't understand what is causing the encryption rule to be invoked for emails not containing the =="[SEND SECURE]" in the Subject Header.

Current AsyncOS Version: 7.0.1-010

Thanks in advance for your help.

Kirk...

Accepted Solutions

Re: C160 encryption policy and content filter

Kirk,

the problem lies in the subject rule being a regular expression, and the square brackets ([]) are special characters. You'd need to rewrite the condition like this:

"\[SEND SECURE\]"

After submitting, the result should look like this:

subject == "\\[SEND SECURE\\]"

And should work as expected. For an explanation, an expression like [abcdef...] will match any single letter within the brackets.

Regards, Andreas
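
Added example (not part of the original post, and not Cisco's code): a short check of why the unescaped condition fires on seemingly random mail. It assumes Python's `re` module as a stand-in for the appliance's regex engine and an unanchored search; the subjects are constructed samples and the helper names are hypothetical.

```python
import re

# Subject conditions from the thread, as a regex engine reads them.
UNESCAPED = r"[SEND SECURE]"    # character class: any ONE of S E N D space C U R
ESCAPED = r"\[SEND SECURE\]"    # literal tag, as in the accepted answer

# Constructed sample subjects (not taken from the thread's message tracking).
SUBJECTS = [
    "[SEND SECURE] Q3 payroll file",
    "Re: [SEND SECURE] Q3 payroll file",
    "Meeting notes",          # contains a space -> hits the class
    "lunch?",                 # no space, none of the class letters
    "fyi",
    "Updated_draft.docx",     # contains an upper-case U -> hits the class
]

def would_encrypt(pattern, subject):
    """True if the subject condition fires (assumes an unanchored search)."""
    return re.search(pattern, subject) is not None

def false_positives(subjects):
    """Subjects the unescaped condition encrypts although the tag is absent."""
    return [s for s in subjects
            if would_encrypt(UNESCAPED, s) and not would_encrypt(ESCAPED, s)]

def is_bare_character_class(pattern):
    """Audit check for filter conditions: the whole pattern is one [...]
    class, which usually means a literal tag was entered without escaping."""
    return re.fullmatch(r"\[[^\]\\]+\]", pattern) is not None

if __name__ == "__main__":
    for s in SUBJECTS:
        print(f"{s!r:40} unescaped={would_encrypt(UNESCAPED, s)!s:5} "
              f"escaped={would_encrypt(ESCAPED, s)}")
    print("encrypted without the tag:", false_positives(SUBJECTS))
```

Any subject containing a space or one of the upper-case letters S, E, N, D, C, U, R satisfies the unescaped condition, so only short, lower-case, single-word subjects escape encryption, which is why the behaviour looks random.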

7 REPLIES
Cisco Employee

Re: C160 encryption policy and content filter

Let me see if I have your configuration correct.

You have two outgoing policies:

1.  LDAP-Group-match  (if the sender belongs to this group, then this policy is applied to the email)

2.  Default (catch all)....any sender not in the Group #1, then they will be assigned this Outgoing Mail Policy.

------

1.  LDAP-Group-match.

There is an outgoing content filter that looks for the "flag", "Send Secure", in the subject.  If it's there, then encrypt the message.

If the "flag", is not there, encryption does not occur.

2.  Default (catch-all)

No encryption should occur for emails assigned to this outgoing mail policy since the "outgoing content filters" are disabled.

-------

If the above statements are correct, then I think the messages that are getting encrypted are somehow matching outgoing policy #1 and that content filter.

If you can still find the MID output for those "incorrectly" encrypted messages, you should see a place that shows which "outgoing mail policy" was assigned to the message.  If you need assistance on this, please obtain the MID for that message and paste the results in this thread and I'll see if I can help.

Cheers,

Kevin

Community Member

Re: C160 encryption policy and content filter

Make sure your regex is working too. I tried using the [SEND SECURE] string and it sent out all emails encrypted. I'm using SEND-SECURE now and it works great.

Community Member

Re: C160 encryption policy and content filter

Has anyone successfully used the “Sensitivity: Company-Confidential” option by modifying the .xml file?  I have edited per the documentation but when I look at the message headers, I don't see a "Sensitivity" header being added to the message.

Re: C160 encryption policy and content filter

Hello Corey,

the "Company-Confidential" header, as far as I know, is added by Outlook:

http://office.microsoft.com/en-us/outlook/HP052428801033.aspx

You could then create a content filter matching for this header as a condition, and "Encrypt and Deliver Now" as action. Is that what you are looking for?

Regards,

Andreas

Community Member

Re: C160 encryption policy and content filter

I believe that is the same header that the documentation was referring to. Supposedly you can tweak the Ironport .xml file on the user's PC and the Ironport Outlook plugin will mark that header for the end user (rather than prepending SEND SECURE) and the filter on the appliance will encrypt the message. I tried modifying the xml file, but when I view headers on the message I don't see that it is being modified. I'm just curious if anybody had gotten it working or if it was buggy. Thx.

Community Member

Re: C160 encryption policy and content filter

It would also be nice if the Outlook Plug-In checked to see if the string already exists in the e-mail. We have a lot of e-mail going through with the subject line being [Send Secure] Re: [Send Secure] [Send Secure] Fwd: [Send Secure]. Or something like that.

Long live the Iron Nation!

Jason Meyer
