C370 control between internal email domains

yoongseong
Level 1

Hi All,

I have a customer where they have a few internal mail servers and the mail server’s email gateway are pointed to the C370 ironport.

They have a special requirement where they would like to block certain users from one mail server to be communicating with a set of people in another mail server.

They also have requirements like certain users can only send email to other certain users in another internal email domain.

Example:

What I did is create mail policies for each requirement. For a) what I did is “allow from a@123.com to a@456.com”; then “deny a@123.com to any email domain”. As for b), what I did was “deny from b@123.com to b@789.com”; then “allow from b@123.com to any email domains”.

My question is:

  1. Do I apply these policies on the incoming mail policies or the outgoing ones? Take into consideration that I have a 2-data-port topology where data-1 is configured to face the internet (public) and data-2 faces the LAN (private).
  2. Will my mail policy work?

Many thanks.

2 Replies

Andreas Mueller
Level 4

Hi there,

The decision whether a connection is inbound or outbound is made based on the type of listener or the mail flow policy. Basically, if a message comes through a private listener, or through a sender group with a RELAY mail flow policy, that connection is considered outbound; in all other cases it will be inbound.

About your policies, I am not sure whether they will work, as I am unsure how you configured them:

“deny from b@123.com to b@789.com”, could you be more specific on that? Also, why not set those rules up directly on the mail servers instead of on the email security appliance? That would make the configuration less complex.

Regards,

Andreas

Hi Andreas,

Because I want to block b@123.com from sending email to b@789.com only, I will have to define specific policies that drop mail from b@123.com to b@789.com, then allow b@123.com to every other address. Something like firewall rules: a specific deny, with an allow any-any on the last line.

I performed some internal tests and realized that in order to specifically block mail from b@123.com to b@789.com, I have to define sender = b@123.com in the outgoing mail policy and b@789.com in the outgoing mail filter under filter = envelope recipient; action = drop (or vice versa). Otherwise, if I place sender = b@123.com and recipient = b@789.com in the mail policy, any email from b@123.com OR to b@789.com will hit the policy.

I feel that it is kind of brainless to do such a thing, and it will add operational complexity. Unfortunately, my customer has a very strict security environment. I said the same thing to him: "Why not control it on the server end?" He replied: "What if my servers get compromised?"

Hope you can understand my explanation. Thanks.
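The two requirements in this thread, expressed as AsyncOS message filters rather than as the mail policy plus content filter combination the original poster used. This is an added example, not configuration from the thread or from Cisco; it assumes the LAN-facing listener on data-2 is named PrivateListener (a hypothetical name) and reuses the addresses from the post. Message filters are evaluated before the mail policies, so one filter can test the envelope sender and the envelope recipient together, which is the AND condition the poster could not get from the sender/recipient fields of a mail policy. The filter names (block_b_to_b789, allow_a_to_a456, block_a_to_others) are arbitrary.

```text
block_b_to_b789:
    if (recv-listener == "PrivateListener")
       and (mail-from == "^b@123\\.com$")
       and (rcpt-to == "^b@789\\.com$")
    {
        log-entry("blocked: b@123.com -> b@789.com");
        drop();
    }

allow_a_to_a456:
    if (recv-listener == "PrivateListener")
       and (mail-from == "^a@123\\.com$")
       and (rcpt-to == "^a@456\\.com$")
    {
        skip-filters();
    }

block_a_to_others:
    if (recv-listener == "PrivateListener")
       and (mail-from == "^a@123\\.com$")
    {
        log-entry("blocked: a@123.com -> recipient not in allow list");
        drop();
    }
```

Ordering matters: allow_a_to_a456 must be listed before block_a_to_others, because skip-filters() only exempts a message from the filters that follow it, and the generic deny for a@123.com is the "allow any-any at the last line" logic turned around into a last-line deny. Two checks before relying on this: send a test message from a@123.com to both a@456.com and an unlisted recipient, since message filters act on the whole message and skip-filters() would pass that message to every recipient, so multi-recipient mail may need to be handled with a content filter after policy splintering instead; and confirm on the appliance whether the mail-from and rcpt-to comparisons are case-sensitive for your AsyncOS version, otherwise a user can bypass the rule by sending to B@789.com. Scoping the filters to the private listener is what ties them to Andreas's point above: mail arriving on the LAN-facing listener is the outbound direction, and the Internet-facing listener is left alone.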