WhereIsMyCIDR
Beginner

Bypass Cisco email encryption and DLP for specific domains

Hi. We've implemented DLP & Cisco Email encryption for any content that our business requires encrypted, however we've recently implemented Required TLS between one of our business partners and would like to bypass DLP & Email encryption to ONLY those specific domains.

 

Is this possible to do on the ESA/IronPort and how can we go about implementing this if it is?

 

Thanks

Accepted Solutions

If you're getting into content filters now as well, then what Ken mentioned would definitely be the way to go. You should set up a new mail policy specific to those receiving domains, and then just disable any filters/DLP policies for that mail policy only so they would not be applied. Also, for any TLS required connections, if TLS fails then there would be a rejection and an NDR should be returned to the sender.

 

Thanks!

-Dennis M.
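
An added example, not part of the thread and not Cisco code: an audit check that every recipient domain in the DLP/encryption bypass policy is also covered by a destination control that enforces TLS, since the bypass is only safe where delivery fails rather than falling back to cleartext. The data structures, setting labels and matching rules below are assumptions in a simplified, constructed form, not the appliance's export format.

```python
# Constructed sample data in a simplified, assumed representation
# (not the appliance's configuration export format).
DESTINATION_CONTROLS = {           # destination domain -> TLS setting
    "partner.example": "required",
    ".secure.partner.example": "required-verify",  # leading dot: subdomains only (assumed)
    "vendor.example": "preferred",
    "default": "preferred",
}
BYPASS_POLICY_RECIPIENTS = [       # recipients of the no-DLP/no-encryption policy
    "@partner.example",
    "@mail.secure.partner.example",
    "@.partner.example",           # all subdomains of partner.example
    "@vendor.example",
    "@other.example",
]
ENFORCING = {"required", "required-verify"}  # delivery fails instead of going cleartext


def tls_setting_for(domain, controls):
    """Return the TLS setting that applies: exact entry, then the closest
    '.parent' subdomain entry, then the default entry."""
    domain = domain.lower()
    if domain in controls:
        return controls[domain]
    labels = domain.lstrip(".").split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in controls:
            return controls[parent]
    return controls.get("default", "none")


def unprotected_bypass_domains(recipients, controls):
    """List (domain, tls_setting) for every bypass recipient whose mail could
    leave without enforced TLS and without DLP or encryption."""
    findings = []
    for entry in recipients:
        domain = entry.rsplit("@", 1)[-1]
        setting = tls_setting_for(domain, controls)
        if setting not in ENFORCING:
            findings.append((domain, setting))
    return findings


if __name__ == "__main__":
    for domain, setting in unprotected_bypass_domains(BYPASS_POLICY_RECIPIENTS, DESTINATION_CONTROLS):
        print(f"{domain}: TLS is '{setting}', not enforced; fix before bypassing DLP/encryption")
```

The wildcard recipient `@.partner.example` is flagged because the sample controls enforce TLS for `partner.example` itself but not for all of its subdomains.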


7 REPLIES 7
Ken Stieers
Advocate

When you say email encryption, do you mean PXE/CRES? Are you using a content filter to pick which messages to encrypt?

Assuming the answers are yes, go to Outgoing Mail policies and create a new policy. Use the recipient domain as the recipient filter, and then you can turn off DLP and the content filter.

dmccabej
Cisco Employee

Hello,

 

There are multiple ways to do this, but the easiest would probably be by just adding the recipient domain(s) to the exclusion list within the DLP policy. You'll want to make sure you select 'Is Not' from the drop-down menu so that the policy only applies if the recipient is not within that list. This should bypass any DLP policies you wish to exclude for these specific recipients.

 


 

Another is what Ken has mentioned above: just creating a new mail policy for these recipients, and just not selecting the particular content filters or DLP policies.

 

Thanks!

-Dennis M.

 

Thanks Dennis & Ken. That was very helpful.

Our users are also using keywords to send out encrypted emails. Is there a way to bypass that encryption regardless of whether the user inputs the keyword to those specific domains?

 

Also, in the event that TLS fails, is there a way to prevent the message from being sent to the remote party and send an alert to the administrator?

I think that's default behavior for "TLS required"


Thank you Ken & Dennis for your help.

 

Hey guys. Is there a way to alert an end user if the message they sent failed due to TLS not working?

We need to let our users know in situations where they send urgent emails but are not aware of TLS not working. 
