Async OS 14.0 New mail flow policy "default On" Settings vs Async OS 13.0

rolelael
Level 1

Hello, we upgraded our acceptance environment and I found out that there are some new security features in the Mail Flow Policies which are enabled by default. In AsyncOS 13 they were not in the Mail Flow Policies.

 

These are :

 

  1. SDR Verification
  2. Virus Outbreak Filters
  3. Advanced Phishing Protection  
  4. Graymail Detection
  5. Content Filters
  6. Message Filters

What effect does this have? Because we have "incoming mail policies" where we have:

- Outbreak Filters enabled, content filters enabled, graymail disabled; the new advanced phishing protection is also new there, but disabled (since it is not activated/configured on our appliance).

 

But what does the "on" setting actually do, for example for SDR? Will it block mails, and based on what? Or will it just log it in the mail logs?

 

What if we set, for example, content filters in the "Mail flow policy" to Off: will the configured content filters still be used when they are defined in the incoming mail policy? Or will they be ignored?

 

This is not clear to me right now.

 

Thanks

2 Replies

svgeorgi
Cisco Employee

It's a matter of pipeline here. The HAT is placed before the incoming/outgoing mail policies in the email pipeline, so if you turn off some of the features listed in the mail flow policies, the mail policies afterwards will not consider the scanning results of these engines. Not sure how that works exactly with the filters, but the logic should be the same or very similar.

That something is turned on in a mail FLOW policy means that those checks/options will be run against the email that hits that policy.

For SDR, SPF, DKIM, DMARC the ESA adds the info to the mail headers, so you can later act on them, based on what’s in your Incoming Policy. For the others the mail is flagged so that those engines are told to run for this mail in the work queue.


If you had an IP range where you didn’t want specific engines to run against the mail they deliver, this is where you would do it.

(which mail flow policy you hit is based on what IP it came from)

 

Incoming policies are where the “reaction” to those engines happen, and which one you hit is based on email addresses: senders and/or recipients.

 

SDR is based on the sender email address. With so many cloud mail accounts, just because it came from something Microsoft or Google owns, you can't depend on the IP to say that it's a bad sender… so now look at who it's actually from, how old that domain is, etc. You set a content filter to decide what to do with that mail.

 

If you turn off content filters, in a mail policy, my understanding is that the content filters for the mail from the IPs that mail flow policy applies to won’t be run… 

 

In the end, I would leave those all ON (set the default to on, then set all policies to use default) as I'm making the decision on what to turn on/off based on the sender or recipient address, NOT by IP... 
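The reply describes an ordering: the HAT picks a mail flow policy by connecting IP, that policy decides which engines run and annotate the message, and the incoming mail policy (picked by sender/recipient address) is where a content filter reacts to those annotations. The following is an added toy model of that ordering, written for this page and not Cisco's code; the header names, policy names, CIDR ranges and the domain-age table are all constructed, and the real SDR verdict format and headers are not reproduced. It shows why a content filter keyed on an SDR result silently stops matching when SDR is switched off in the mail flow policy, even though the content filter itself is still enabled in the incoming mail policy.

```python
"""
Toy model of the AsyncOS pipeline ordering described in the reply above.
Written for this page as an illustration; it is NOT Cisco code, and every
header name, policy name, CIDR and domain age below is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class MailFlowPolicy:
    """Subset of mail flow policy settings relevant to the thread."""
    name: str
    sdr_verification: bool = True
    content_filters: bool = True


@dataclass
class Message:
    client_ip: str
    mail_from: str
    rcpt_to: str
    headers: Dict[str, str] = field(default_factory=dict)
    verdict: str = "DELIVER"


# Constructed HAT: first matching sender group wins, so specific ranges go first.
HAT: List[Tuple[IPv4Network, MailFlowPolicy]] = [
    (ip_network("203.0.113.0/24"),
     MailFlowPolicy("TRUSTED_NO_SCAN", sdr_verification=False, content_filters=False)),
    (ip_network("192.0.2.0/24"),
     MailFlowPolicy("SDR_OFF_FILTERS_ON", sdr_verification=False, content_filters=True)),
    (ip_network("0.0.0.0/0"), MailFlowPolicy("ACCEPTED")),  # default: everything on
]

# Constructed stand-in for the SDR cloud lookup: sender domain -> age in days.
DOMAIN_AGE_DAYS = {"example.com": 9000, "new-lookalike.example": 3}

# Hypothetical header names; the real appliance uses its own.
SDR_AGE_HEADER = "X-Example-SDR-Domain-Age"
FLOW_POLICY_HEADER = "X-Example-Mail-Flow-Policy"


def select_mail_flow_policy(client_ip: str) -> MailFlowPolicy:
    """HAT lookup: the connecting IP, not the sender address, picks the policy."""
    addr = ip_address(client_ip)
    for network, policy in HAT:
        if addr in network:
            return policy
    raise LookupError(f"no sender group matches {client_ip}")


def run_sdr(msg: Message) -> None:
    """SDR keys on the envelope sender's domain and only annotates the message."""
    domain = msg.mail_from.rsplit("@", 1)[-1].lower()
    age = DOMAIN_AGE_DAYS.get(domain)
    if age is not None:
        msg.headers[SDR_AGE_HEADER] = str(age)


def young_domain_content_filter(msg: Message, flow: MailFlowPolicy,
                                max_age_days: int = 30) -> None:
    """Content filter on the (single, constructed) incoming mail policy:
    quarantine if the SDR header says the sender domain is younger than
    max_age_days. It never runs if the mail flow policy disabled content
    filters, and it cannot match if SDR never wrote the header."""
    if not flow.content_filters:
        return
    age = msg.headers.get(SDR_AGE_HEADER)
    if age is not None and int(age) < max_age_days:
        msg.verdict = "QUARANTINE"


def process(client_ip: str, mail_from: str, rcpt_to: str) -> Message:
    """Pipeline order: HAT/mail flow policy first, engines next, incoming
    mail policy (and its content filters) last."""
    msg = Message(client_ip, mail_from, rcpt_to)
    flow = select_mail_flow_policy(client_ip)
    msg.headers[FLOW_POLICY_HEADER] = flow.name
    if flow.sdr_verification:
        run_sdr(msg)
    young_domain_content_filter(msg, flow)
    return msg


if __name__ == "__main__":
    for ip in ("198.51.100.10", "192.0.2.7", "203.0.113.5"):
        m = process(ip, "ceo@new-lookalike.example", "finance@example.com")
        print(ip, m.headers[FLOW_POLICY_HEADER], m.verdict)
```

Running it sends the same three-day-old sender domain through each constructed sender group: the default policy quarantines it, the range with SDR off but content filters on delivers it because the filter's condition has nothing to match, and the fully trusted range delivers it because the filter never runs. That is the practical reason behind the advice to leave the mail flow policy toggles on and make the decision in the incoming mail policy instead.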

 
