Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2099
Views
0
Helpful
6
Replies

ESA Content filters combination

Go to solution
Roger Base
Level 1
Level 1

‎09-21-2016 05:58 AM

I have 5 content filters on my ESA appliance. All of them work well if there is only one recipient in the email. The difference between my rule number 4 and 5 are that I am checking "rcpt-to-dictionary-match" domains on my rule 4.

The problem is when user sends email to many different email address/domains. The ESA are then only looking for the first rcpt and not for individual rcpt s. So If the first recipient in mail matches my rule number 4 then all other rcpts will also be matches same policy. Is there any way to get the ESA to handle all the rcpts individually ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee
In response to Roger Base

‎09-21-2016 11:03 AM

Hi Roger,

That is correct, the content filters would be executed based on first match. However, it would continue to be scanned by the other content filters as long as a final action is not defined. skip-filters() would be a final action for content filters.

If an email is sent to recipients @gmail.com, @xv.com and @xy.com

Policy 1
Sender Any
Recipient @xv.com,@xy.com

Default policy
Sender Any
Recipient Any

The original email would be split into two, first with @xv.com and @xy.com and the second for gmail.com

This is what the tracking and logs would look like

Wed Sep 21 12:19:48 2016 Info: MID 151 ICID 148 From: <unknown@unknown.com>
Wed Sep 21 12:19:48 2016 Info: MID 151 ICID 148 RID 0 To: <test@xv.com>
Wed Sep 21 12:19:49 2016 Info: MID 151 ICID 148 RID 1 To: <test@gmail.com>
Wed Sep 21 12:19:49 2016 Info: MID 151 ICID 148 RID 2 To: <test@xy.com>
Wed Sep 21 12:19:50 2016 Info: MID 151 Subject 'Test'
Wed Sep 21 12:19:50 2016 Info: MID 151 ready 284 bytes from <unknown@unknown.com>
Wed Sep 21 12:19:50 2016 Info: MID 151 was split creating MID 152 due to a per-recipient policy Policy 1 in the outbound table
Wed Sep 21 12:19:50 2016 Info: MID 152 ICID 0 From: <unknown@unknown.com>
Wed Sep 21 12:19:50 2016 Info: MID 152 ICID 0 RID 0 To: <test@xv.com>
Wed Sep 21 12:19:50 2016 Info: MID 152 ICID 0 RID 1 To: <test@xy.com>
Wed Sep 21 12:19:50 2016 Info: MID 151 was split creating MID 153 due to a per-recipient policy DEFAULT in the outbound table
Wed Sep 21 12:19:50 2016 Info: MID 153 ICID 0 From: <unknown@unknown.com>
Wed Sep 21 12:19:50 2016 Info: MID 153 ICID 0 RID 0 To: <test@gmail.com>

For the scenario described by you a new mail policy would need to be created with recipients mentioned in the dictionary with filter to check for the header and log entry.

The default policy would match the other recipients and check the header as required.

Hope this information helps.

Thanks
Libin

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee

‎09-21-2016 06:26 AM

Hi Roger,

An email (MID) would be processed as a whole by the matched content filter even if there are multiple recipients which do not match the filter condition.

The only way to work around this is using message splintering which is accomplished by using a separate mail policy.

For instance
Mail Policy 1: rcpt-to : gmail.com
Content Filter 1

Default Mail Policy: Any
Content Filter 2

Now an email with 2 recipients domain.com (would match default mail policy) and gmail.com (would match Mail Policy 1) would be split by the two mail policies and each content filter enabled on that mail policy would work.

Below KB for your reference


http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118488-technote-esa-00.html

Thanks
Libin

0 Helpful

Go to solution
Roger Base
Level 1
Level 1
In response to Libin Varghese

‎09-21-2016 10:33 AM

Hi Libin,

Will that mean that I will need to create 10 outgoing mail policy if I have 10 specific domains in rcpt-dictonary for policy 4. What will then happen if user sends same email to @gmail.com and @xv.com and @xy.com? ( and if I have outgoing mail policy for xy and xv domains? )

Here is my example of my Content filter 4 & 5. I am matching for the same header on both. in Policy4 I am also match for rcpt-to-dictinary-match for specific domain list.

Usecase:

So if the user sends a email to rcpt that are in my dictionary list it matches policy4. But if the person sends email to several rcpts. The ESA only consider the first rcpt in the email. There it will never match policy5 if the header is the same.

0 Helpful

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee
In response to Roger Base

‎09-21-2016 11:03 AM

Hi Roger,

That is correct, the content filters would be executed based on first match. However, it would continue to be scanned by the other content filters as long as a final action is not defined. skip-filters() would be a final action for content filters.

If an email is sent to recipients @gmail.com, @xv.com and @xy.com

Policy 1
Sender Any
Recipient @xv.com,@xy.com

Default policy
Sender Any
Recipient Any

The original email would be split into two, first with @xv.com and @xy.com and the second for gmail.com

This is what the tracking and logs would look like

Wed Sep 21 12:19:48 2016 Info: MID 151 ICID 148 From: <unknown@unknown.com>
Wed Sep 21 12:19:48 2016 Info: MID 151 ICID 148 RID 0 To: <test@xv.com>
Wed Sep 21 12:19:49 2016 Info: MID 151 ICID 148 RID 1 To: <test@gmail.com>
Wed Sep 21 12:19:49 2016 Info: MID 151 ICID 148 RID 2 To: <test@xy.com>
Wed Sep 21 12:19:50 2016 Info: MID 151 Subject 'Test'
Wed Sep 21 12:19:50 2016 Info: MID 151 ready 284 bytes from <unknown@unknown.com>
Wed Sep 21 12:19:50 2016 Info: MID 151 was split creating MID 152 due to a per-recipient policy Policy 1 in the outbound table
Wed Sep 21 12:19:50 2016 Info: MID 152 ICID 0 From: <unknown@unknown.com>
Wed Sep 21 12:19:50 2016 Info: MID 152 ICID 0 RID 0 To: <test@xv.com>
Wed Sep 21 12:19:50 2016 Info: MID 152 ICID 0 RID 1 To: <test@xy.com>
Wed Sep 21 12:19:50 2016 Info: MID 151 was split creating MID 153 due to a per-recipient policy DEFAULT in the outbound table
Wed Sep 21 12:19:50 2016 Info: MID 153 ICID 0 From: <unknown@unknown.com>
Wed Sep 21 12:19:50 2016 Info: MID 153 ICID 0 RID 0 To: <test@gmail.com>

For the scenario described by you a new mail policy would need to be created with recipients mentioned in the dictionary with filter to check for the header and log entry.

The default policy would match the other recipients and check the header as required.

Hope this information helps.

Thanks
Libin

0 Helpful

Go to solution
Roger Base
Level 1
Level 1
In response to Libin Varghese

‎09-21-2016 11:17 AM

Thanks for quick reply Libin!

So I have created new Outgoing Mail Policy with 10 domains in it as recipients. I still have my Default Policy below which should work as "catch all" . And I have added Policy4 to my new Outgoing Mail Policy (and not for the default Policy). and Now I need to test it: I hope this solve my problem. I will update the case tomorrow.

0 Helpful

Go to solution
Roger Base
Level 1
Level 1

‎09-22-2016 12:15 PM

It works :)

0 Helpful

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee
In response to Roger Base

‎09-22-2016 12:21 PM

Glad to hear. :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents