Solved: allow email to specific users

dkosekrti · ‎04-03-2012

Is it possible to allow email to specific email address from a domain that is blocked?

For example, I have been asked by the CEO to block linkedin.com and only provide access for a few select users. Now those users want to receive email from linkedin.com but I have it blocked by domain name in the ESA.

Andreas Mueller · ‎04-04-2012

Hello David (both),

the given message filter certainly works, but has a problem when a message has multiple recipients, depending on the filter the message either drops or gets delivered to all recipients, eligible or not. So a better solution would be something with a mail policy for users allowed to receive linkedin.com messages, and a content filter dropping these messages for anybody else.

Step 1: Create a new incoming mail policy, and add all users or LDAP groups allowed to receive mail from linkedin.com. Activate antispam, antivirus, and any content filters you want to have in that policy as well.

Step 2: Create a new incoming content filter, with a condition mail-from == ^@linkedin.com$, and an action drop(), or quarantine(Policy). Add this content filter to all incoming mail policies exept(!) the one created in step 1.

Commit your changes.

Hope it's clear what happenshere, by using mail policies I ensure that mail splintering is used if a message comes in for multiple recipients, and only the ones getting dropped that are not allowed to receive mail from linkedin.com.

Hope that helps,

Andreas

View solution in original post

David Owens · ‎04-03-2012

David,

How are you blocking the linkedin.com domain? Are you using the HAT, Content Filter, Message Filter, Policy? Depending on how you are blocking the domain may give you options. Thanks

dkosekrti · ‎04-03-2012

David,

I am using HAT's BLACKLIST to block the domain: .linkedin.com

David Owens · ‎04-03-2012

Unfortunately you are being asked to do a management/administrative never ending task...

The HAT will make it more difficult, I will leave that option to the Cisco experts to discuss.

Have you considered using a message filter? This could be an option if the list accepted members is very limited or could be placed in a group context. Chapter 5 in the Advanced Configuration guide would be a good reference for the actual syntax you would need in your environment.

Message Filter option would be something like:

Condition(s):

if (recv-listener == "InboundMail")

and

mail-from == ^@linkedin.com$

and

rcpt-to != ^user1@principal.com |user1@principal.com$ or an option like: rcpt-to-group == "Linkedin"

Action:

drop() or quarantine ("Policy") depending on your preferred action

Something similar could be accomplished using content filters added to inbound policies as the message filter, just depends how far down the pipeline you want the message to travel.

dkosekrti · ‎04-03-2012

David,

Thanks for your suggestion! I will give it a try and get back to this as soon as I can!

Andreas Mueller · ‎04-04-2012

Hello David (both),

the given message filter certainly works, but has a problem when a message has multiple recipients, depending on the filter the message either drops or gets delivered to all recipients, eligible or not. So a better solution would be something with a mail policy for users allowed to receive linkedin.com messages, and a content filter dropping these messages for anybody else.

Step 1: Create a new incoming mail policy, and add all users or LDAP groups allowed to receive mail from linkedin.com. Activate antispam, antivirus, and any content filters you want to have in that policy as well.

Step 2: Create a new incoming content filter, with a condition mail-from == ^@linkedin.com$, and an action drop(), or quarantine(Policy). Add this content filter to all incoming mail policies exept(!) the one created in step 1.

Commit your changes.

Hope it's clear what happenshere, by using mail policies I ensure that mail splintering is used if a message comes in for multiple recipients, and only the ones getting dropped that are not allowed to receive mail from linkedin.com.

Hope that helps,

Andreas

David Owens · ‎04-04-2012

Andreas,

Great catch, I overlooked the multiple recipient issue. Your solution would resolve that issue and work for Mr. Kosek. My only comment is that I hate admisinstering a policy for such a limited purpose, of course that same statement applies to message and content filters.

dkosekrti · ‎04-04-2012

Andreas and David,

Great suggestions!

I tried to use the LDAP group but for some reason it wouldn't work. I tried both dist and security groups but it didn't matter. I ended up using a dictionary with the use names in it... i.e.: dkosek

I would rather use an LDAP group so that non-ironport admins can add or remove users as needed. Any suggestions would be appreciated.

Thanks!

bnklein · ‎04-04-2012

David,

I also struggled with LDAP groups until I found out you need to use the LDAP fully distinguished name instead of the "simple name" used as examples in our Ironport documentation.

eg. Instead of "authorized-LinkedIn-recipients" you need to use "CN=authorized-LinkedIn-recipients,OU=groups,DC=yourcompany,DC=com". Of course your CN, OU and DC values are specific to your own LDAP / AD organization and schema.