
Bypass SMTP route when Release from Policy Quarantine

REJR77
Level 1

Hi,

In our Mail Flow, emails are first inspected by ESA, then sent to a Sandboxing appliance and finally to the Mail server.

With AV scanning, encrypted messages are sent to a local Quarantine on ESA.

The Security Team is notified and would like to analyze the email before releasing the mail to the end user.

Since the Sandboxing appliance is unable to process the protected files, we would like to bypass the SMTP route to the Sandboxing appliance when we release the mail from Policy Quarantine.

In the AV scan, I have added an SMTP header for email seen as encrypted, and I created a content filter to match this header (and an action to route through another mail server). But when releasing, it looks like it does not catch this header.

Is it possible to reroute through another alt mail host when releasing from local quarantine?

Thank you

1 Reply

What I typically do for quarantine release mails is I specify a sender group for "Internal Hosts" which has the quarantine server IP. Then all you need to do is create a content filter OR message filter that acts on the Internal Hosts sender group which says "Send to Alternate Destination Host" and provide the Exchange IP directly.

The result is every mail released from quarantine by an IP in the internal host overrides the SMTP routing table. 

But this is in an environment where I have an SMA acting as my centralized quarantine. What you could possibly do is use the remote-ip/recv-listener and target the cpq.queue/euq.queue instead which should give you the same result.