Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

How to bypass CRES if TLS Required is setup

Does anyone know how to bypass CRES if TLS Required is setup.  We setup a rule:

Condition:   Envelope Recipient  rcpt-to-dictionary-match("TLSRequired_Exception_Domains", 1)

Action:  Final  Encrypt and Deliver Now (Final Action)  encrypt ("CiscoRes", "$Subject", 1)

Part of the option, you can use:  Only use message encryption if TLS fails

The problem with this rule, is the Envelope Recipient says:  "If a message has multiple recipients, only one recipient has to match for the specified action to affect the message to all recipients".

We did not realize that and when two emails from different domains are added, then we have issues.   Ex.  The one with TLS required works great, but if an email is on there that is not TLS required, then they will automatically go CRES. 

BTW:  We need this for Postini users since we are having issues with the CRES encryption.

New Member

How to bypass CRES if TLS Required is setup

Are you using a message filter or a content filter?

New Member

How to bypass CRES if TLS Required is setup

It depends on what you want to do.

If you just want to force TLS for some domains you can put them in destination controls as TLS Required. Then if there is a failure with TLS the message goes back into the queue just like the remote host was down. That does not require a content filter because destination controls happens last.

If you want to use different policies based on recipient domain you need to use message splintering. In order to do message splintering you will need to use a separate outgoing message policy with a list of recipient domains. I don't believe that can use a dictionary. You will need to paste the list of domains in the form "@domain" or use an LDAP query.

Then you can activate content filters on each policy as needed. If the CRES content filter is not active for that policy, CRES will not be used.

CreatePlease to create content