dkosekrti

allow email to specific users

Is it possible to allow email to specific email addresses from a domain that is blocked?

For example, I have been asked by the CEO to block linkedin.com and only provide access for a few select users. Now those users want to receive email from linkedin.com but I have it blocked by domain name in the ESA.

David Owens

David,

How are you blocking the linkedin.com domain? Are you using the HAT, Content Filter, Message Filter, Policy? How you are blocking the domain may give you options. Thanks

David,

I am using HAT's BLACKLIST to block the domain: .linkedin.com

Unfortunately you are being asked to do a never-ending management/administrative task...

The HAT will make it more difficult, I will leave that option to the Cisco experts to discuss.

Have you considered using a message filter? This could be an option if the list of accepted members is very limited or could be placed in a group context. Chapter 5 in the Advanced Configuration guide would be a good reference for the actual syntax you would need in your environment.

Message Filter option would be something like:

Condition(s):

if (recv-listener == "InboundMail")

and

mail-from == ^@linkedin.com$

and

rcpt-to != ^user1@principal.com|user1@principal.com$ or an option like: rcpt-to-group == "Linkedin"

Action:

drop() or quarantine ("Policy") depending on your preferred action

Something similar could be accomplished using content filters added to inbound policies as the message filter, just depends how far down the pipeline you want the message to travel.

David,

Thanks for your suggestion! I will give it a try and get back to this as soon as I can!

Hello David (both),

The given message filter certainly works, but has a problem when a message has multiple recipients: depending on the filter, the message either drops or gets delivered to all recipients, eligible or not. So a better solution would be something with a mail policy for users allowed to receive linkedin.com messages, and a content filter dropping these messages for anybody else.

Step 1: Create a new incoming mail policy, and add all users or LDAP groups allowed to receive mail from linkedin.com. Activate antispam, antivirus, and any content filters you want to have in that policy as well.

Step 2: Create a new incoming content filter, with a condition mail-from == ^@linkedin.com$, and an action drop(), or quarantine(Policy). Add this content filter to all incoming mail policies except(!) the one created in step 1.

Commit your changes.

Hope it's clear what happens here: by using mail policies I ensure that mail splintering is used if a message comes in for multiple recipients, and only the ones that are not allowed to receive mail from linkedin.com get dropped.

Hope that helps,

Andreas
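
The difference between the two approaches in this thread, as an added example that is not part of the original posts and is not AsyncOS code: a toy Python model comparing one verdict for the whole message (the message filter) with per-recipient splintering by mail policy (steps 1 and 2 above). The addresses, the policy names and the two `drop_if` modes are assumptions made for the illustration, and the sender check is simplified to an exact domain comparison.

```python
# Added illustration: a toy model, not AsyncOS code. All addresses are constructed.
from dataclasses import dataclass

BLOCKED_DOMAIN = "linkedin.com"
# Stands in for the members of the step 1 mail policy (hypothetical users).
ALLOWED = {"ceo@example.com", "recruiter@example.com"}


@dataclass(frozen=True)
class Message:
    mail_from: str
    rcpt_to: tuple


def from_blocked_domain(msg):
    # Simplification: exact match on the envelope sender's domain.
    return msg.mail_from.rsplit("@", 1)[-1].lower() == BLOCKED_DOMAIN


def message_filter(msg, drop_if):
    """One verdict for the whole message; drop_if is 'any_unlisted' or 'all_unlisted'."""
    if not from_blocked_domain(msg):
        return set(msg.rcpt_to)
    unlisted = [r for r in msg.rcpt_to if r.lower() not in ALLOWED]
    if drop_if == "any_unlisted":
        drop = bool(unlisted)
    else:
        drop = len(unlisted) == len(msg.rcpt_to)
    return set() if drop else set(msg.rcpt_to)


def policy_splinter(msg):
    """Split recipients by matching mail policy, then filter each copy separately."""
    splinters = {"linkedin-allowed": [], "default": []}
    for rcpt in msg.rcpt_to:
        name = "linkedin-allowed" if rcpt.lower() in ALLOWED else "default"
        splinters[name].append(rcpt)
    delivered = set(splinters["linkedin-allowed"])  # drop filter is not attached here
    if not from_blocked_domain(msg):
        delivered |= set(splinters["default"])      # filter condition is false, deliver
    return delivered


# Constructed sample: one listed and one unlisted recipient on the same message.
MIXED = Message("invitations@linkedin.com", ("ceo@example.com", "intern@example.com"))

if __name__ == "__main__":
    print("filter, any unlisted:", message_filter(MIXED, "any_unlisted"))
    print("filter, all unlisted:", message_filter(MIXED, "all_unlisted"))
    print("policy splintering:  ", policy_splinter(MIXED))
```
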


Andreas,

Great catch, I overlooked the multiple recipient issue. Your solution would resolve that issue and work for Mr. Kosek. My only comment is that I hate administering a policy for such a limited purpose, of course that same statement applies to message and content filters.

Andreas and David,

Great suggestions!

I tried to use the LDAP group but for some reason it wouldn't work. I tried both dist and security groups but it didn't matter. I ended up using a dictionary with the user names in it... i.e.: dkosek

I would rather use an LDAP group so that non-ironport admins can add or remove users as needed. Any suggestions would be appreciated.

Thanks!

David,

I also struggled with LDAP groups until I found out you need to use the LDAP fully distinguished name instead of the "simple name" used as examples in our Ironport documentation.

E.g., instead of "authorized-LinkedIn-recipients" you need to use "CN=authorized-LinkedIn-recipients,OU=groups,DC=yourcompany,DC=com". Of course your CN, OU and DC values are specific to your own LDAP / AD organization and schema.