Beginner

Bypass Cisco email encryption and DLP for specific domains

Hi. We've implemented DLP & Cisco Email encryption for any content that our business requires encrypted; however, we've recently implemented Required TLS between one of our business partners and would like to bypass DLP & Email encryption to ONLY those specific domains.

 

Is this possible to do on the ESA/IronPort and how can we go about implementing this if it is?

 

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Bypass Cisco email encryption and DLP for specific domains

If you're getting into content filters now as well, then what Ken mentioned would definitely be the way to go. You should set up a new mail policy specific to those receiving domains, and then just disable any filters/DLP policies for that mail policy only so they would not be applied. Also, for any TLS required connections, if TLS fails then there would be a rejection and an NDR should be returned to the sender.

 

Thanks!

-Dennis M.

7 REPLIES 7
Collaborator

Re: Bypass Cisco email encryption and DLP for specific domains

When you say email encryption, do you mean PXE/CRES? Are you using a content filter to pick which messages to encrypt?

Assuming the answers are yes, go to Outgoing Mail Policies and create a new policy. Use the recipient domain as the recipient filter, and then you can turn off DLP and the content filter.

Cisco Employee

Re: Bypass Cisco email encryption and DLP for specific domains

Hello,

 

There are multiple ways to do this, but the easiest would probably be by just adding the recipient domain(s) to the exclusion list within the DLP policy. You'll want to make sure you select 'Is Not' from the drop-down menu so that the policy only applies if the recipient is not within that list. This should bypass any DLP policies you wish to exclude for these specific recipients.

 


 

Another being what Ken has mentioned above by just creating a new mail policy for these recipients, and just not selecting the particular content filters or DLP policies.  

 

Thanks!

-Dennis M.

 

Beginner

Re: Bypass Cisco email encryption and DLP for specific domains

Thanks Dennis & Ken. That was very helpful.

Our users are also using keywords to send out encrypted emails. Is there a way to bypass that encryption to those specific domains regardless of whether the user inputs the keyword?

 

Also, in the event that TLS fails, is there a way to prevent the message from being sent to the remote party and send an alert to the administrator?

Collaborator

Re: Bypass Cisco email encryption and DLP for specific domains

I think that's default behavior for "TLS required".

Beginner

Re: Bypass Cisco email encryption and DLP for specific domains

Thank you Ken & Dennis for your help.

 

Beginner

Re: Bypass Cisco email encryption and DLP for specific domains

Hey guys. Is there a way to alert an end user if the message they sent failed due to TLS not working?

We need to let our users know in situations where they send urgent emails but are not aware of TLS not working.