Cisco Support Community

Global whitelisting

Hello everyone,

I'm currently working on whitelisting senders (per sender domain and per sender address) for all recipients and I came across a bit of confusion.

The idea is to allow e-mails from whitelisted senders to bypass IronPort - including bypassing SBRS, virus check, spam check, outbreak etc. However, I'm unable to find some quite easy solution for that. So far my current idea for that is to create a new Mail Flow Policy with all checks disabled and action accept and then create a new sender group with all whitelist addresses I need. However, this won't allow me to whitelist a single e-mail address...

My question is whether the above-mentioned solution is correct and would allow me to bypass all checks and security issues on IronPort? If not, could you provide some other one?

Thanks a lot


Global whitelisting


After creating incoming mail policy as you described, click on the policy name. There you can add sender or recipient as or

Global whitelisting

Hi there,

the usual approach to this is indeed to create a new inbound mail policy, add all the sender addresses, and disable/enable any services in there as you require.

The reason why you cannot do that (add email addresses) on sendergroups is the way the HAT works - right at the beginning of the SMTP conversation, before any data is sent. At this point the system only knows the sender's IP address, and its hostname if the reverse lookup completes successfully. The decision which sendergroup is getting used will be based on this information only, also because it is more reliable. Keep in mind that any email address can be faked, so allowing the WHITELIST to accept email addresses as well would mean you'd get more spam in your system, that does not even get scanned - as the TRUSTED mail flow policy the WHITELIST usually uses has antispam scanning disabled.

Hope that helps,
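
A simplified model of the two decision points described in the reply above, added as an illustration; it is not part of any post in this thread and is not Cisco code or AsyncOS configuration syntax. The entries, the `ALL`/`ACCEPTED` defaults, the `WHITELIST_POLICY` name and the sample sessions are constructed assumptions.

```python
import ipaddress

# Constructed sample configuration (hypothetical entries, not AsyncOS syntax).
SENDER_GROUPS = [
    # (sendergroup, mail flow policy, networks, PTR hostname suffixes)
    ("WHITELIST", "TRUSTED", ["192.0.2.0/28"], [".partner.example"]),
]
DEFAULT_GROUP = ("ALL", "ACCEPTED")  # assumed fallback for unmatched hosts
# Incoming mail policy members: full address or "@domain" (assumed format).
POLICY_SENDERS = {"alice@partner.example", "@vendor.example"}


def hat_lookup(peer_ip, ptr_name=None):
    """Connect-time decision: only the peer IP and its PTR name (if any) exist."""
    ip = ipaddress.ip_address(peer_ip)
    for name, flow_policy, networks, suffixes in SENDER_GROUPS:
        if any(ip in ipaddress.ip_network(n) for n in networks):
            return name, flow_policy
        if ptr_name and any(ptr_name.lower().endswith(s) for s in suffixes):
            return name, flow_policy
    return DEFAULT_GROUP


def mail_policy_lookup(envelope_sender):
    """Later decision, after MAIL FROM: matches a value the client supplies."""
    addr = envelope_sender.lower()
    domain = "@" + addr.rpartition("@")[2]
    if addr in POLICY_SENDERS or domain in POLICY_SENDERS:
        return "WHITELIST_POLICY"
    return "DEFAULT_POLICY"


def classify(peer_ip, ptr_name, envelope_sender):
    """Combine both stages the way the thread describes them."""
    group, flow_policy = hat_lookup(peer_ip, ptr_name)
    return {"sender_group": group, "mail_flow_policy": flow_policy,
            "mail_policy": mail_policy_lookup(envelope_sender)}


# Constructed sessions: same envelope sender, different connecting hosts.
SESSIONS = [
    ("192.0.2.5", "mx1.partner.example", "alice@partner.example"),
    ("203.0.113.77", None, "alice@partner.example"),
]

if __name__ == "__main__":
    for session in SESSIONS:
        print(session, classify(*session))
```

Both sessions land in the same address-based mail policy, but only the first one is placed in WHITELIST by the connection-level lookup, which is why the address-based policy should keep whichever scanners you still want applied to mail from unverified hosts.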

