Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3606
Views
15
Helpful
7
Replies

Bypass Cisco email encryption and DLP for specific domains

Go to solution
WhereIsMyCIDR
Level 1
Level 1

‎05-21-2018 11:27 AM - edited ‎03-08-2019 07:37 PM

Hi. We've implemented DLP & Cisco Email encryption for any content that our business requires encrypted, however we've recently implemented Required TLS betwee one of our business partners and would like to bypass DLP & Email encryption to ONLY those specific domains.

 

Is this possible to do on the ESA/IronPort and how can we go about implementing this if it is?

 

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
dmccabej
Cisco Employee
Cisco Employee
In response to WhereIsMyCIDR

‎05-21-2018 12:05 PM

If you're getting into content filters now as well, then what Ken mentioned would definitely be the way to go. You should setup a new mail policy specific to those receiving domains, and then just disable any filters/DLP policies for that mail policy only so they would not be applied. Also, for any TLS required connections, if TLS fails then there would be a rejection and an NDR should be returned to the sender.

 

Thanks!

-Dennis M.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Ken Stieers
VIP
VIP

‎05-21-2018 11:42 AM

When you say email encryption, do you mean PXE/CRES? Are you using a content filter to pick which messages to encrypt?

Assuming the answer's are yes, go to Ougoing Mail policies and create a new policy. Use the recipient domain as the recipient filter, and then you can turn off DLP and the content filter.

Go to solution
dmccabej
Cisco Employee
Cisco Employee

‎05-21-2018 11:43 AM - edited ‎05-21-2018 11:45 AM

Hello,

 

There are multiple ways to do this, but the easiest would probably be by just adding the recipient domain(s) to the exclusion list within the DLP policy. You'll want to make sure you select 'Is Not' from the drop-down menu so that the policy only applies if the recipient is not within that list. This should bypass any DLP policies you wish to exclude for these specific recipients.

 

dlp-filter.jpg

 

Another being what Ken has mentioned above by just creating a new mail policy for these recipients, and just not selecting the particular content filters or DLP policies.  

 

Thanks!

-Dennis M.

 

Go to solution
WhereIsMyCIDR
Level 1
Level 1
In response to dmccabej

‎05-21-2018 11:55 AM - edited ‎05-21-2018 12:02 PM

Thanks Dennis & Ken .  That was very helpful.  

Our users are also using keywords to send out encrypted emails. Is there a way to bypass that encryption regardless if the users inputs the keyword to those specific domains?

 

Also in the event that TLS fails is there a away to prevent the message from being sent to remote party and send an alert to the administrator ?

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to WhereIsMyCIDR

‎05-21-2018 12:03 PM

I think that's default behavior for "TLS required"

Go to solution
dmccabej
Cisco Employee
Cisco Employee
In response to WhereIsMyCIDR

‎05-21-2018 12:05 PM

If you're getting into content filters now as well, then what Ken mentioned would definitely be the way to go. You should setup a new mail policy specific to those receiving domains, and then just disable any filters/DLP policies for that mail policy only so they would not be applied. Also, for any TLS required connections, if TLS fails then there would be a rejection and an NDR should be returned to the sender.

 

Thanks!

-Dennis M.

0 Helpful

Go to solution
WhereIsMyCIDR
Level 1
Level 1
In response to dmccabej

‎05-21-2018 12:47 PM

Thank you Ken & Dennis for your help.

 

0 Helpful

Go to solution
WhereIsMyCIDR
Level 1
Level 1
In response to dmccabej

‎05-23-2018 01:28 PM

Hey guys. Is there a way to alert and end user if the message they sent failed due to TLS not working? 

We need to let our users know in situations where they send urgent emails but are not aware of TLS not working. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents