
C370 control between internal email domains

Hi All,

I have a customer who has a few internal mail servers, and the mail servers' email gateway is pointed to the C370 IronPort.

a) They have a special requirement where they would like to block certain users on one mail server from communicating with a set of people on another mail server.

b) They also have requirements like: certain users can only send email to certain other users in another internal email domain.


What I did was create a mail policy for each requirement. For a), I did "allow from to", then "deny to any email domain". For b), I did "deny from to", then "allow from to any email domains".

My question is:

1. Do I apply these policies in the incoming mail policies or the outgoing ones? Take into consideration that I have a two-data-port topology where Data 1 is configured to face the internet (public) and Data 2 faces the LAN (private).
2. Will my mail policy work?

Many thanks.

Andreas Mueller

Hi there,

The decision whether a connection is inbound or outbound is made based on the type of listener or mail flow policy. Basically, if a message comes through a private listener, or a sender group with a RELAY mail flow policy, that connection is considered outbound; in all other cases it will be inbound.

About your policies, I'm not sure if they will work, as I am unsure how you configured them:

"deny from to" - could you be more specific on that? Also, why not set those rules up directly on the mail servers instead of on the email security appliance? That would make the configuration less complex.



Hi Andreas,

Because I want to block to send email to only, I will have to define specific policies that drop to, then allow every other email. Something like firewall rules performing a specific deny, with "allow any any" as the last line.

I performed some internal testing and realized that in order to specifically block from to, I have to define sender = in the outgoing mail policy and, in the outgoing mail filter, filter = envelope recipient, action = drop (or vice versa). Otherwise, if I place sender = and recipient = in the mail policy, any email from OR to will hit the policy.

I feel that it is kind of brainless to do such a thing, and it will add operational complexity. Unfortunately, my customer has a very strict security environment. I said the same thing to him: "Why don't you control it on the server end?" He replied, "What if my servers get compromised?"

Hope you can understand my explanation. Thanks.
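The two ways of expressing requirement a) discussed in this thread (one policy that lists both a sender and a recipient, versus a sender-only policy plus a content filter on the envelope recipient) can be compared with a small model of the matching logic. This is an added example, not Cisco code and not something posted in the thread: it encodes the OR behaviour exactly as the poster reports it from testing (not verified here against the AsyncOS documentation), and it extends the idea with an "allow-only" filter mode for requirement b). The Policy class, the policy names and every address are constructed placeholders.

```python
"""Model of the mail-policy matching behaviour described in the thread.

Added example, not Cisco code. The OR rule for a policy that lists both
senders and recipients is taken from the poster's test result, not from
AsyncOS documentation. All addresses and names are constructed placeholders.
"""

from dataclasses import dataclass, field
from typing import List, Set, Tuple

ANY = "ANY"  # placeholder for an "any" entry in a policy's Users column


def entry_matches(entry: str, address: str) -> bool:
    """An entry is ANY, an '@domain' entry, or an exact address."""
    if entry == ANY:
        return True
    if entry.startswith("@"):
        return address.lower().endswith(entry.lower())
    return entry.lower() == address.lower()


def any_match(entries: Set[str], address: str) -> bool:
    return any(entry_matches(e, address) for e in entries)


@dataclass
class Policy:
    name: str
    senders: Set[str] = field(default_factory=set)
    recipients: Set[str] = field(default_factory=set)
    action: str = "deliver"
    # Optional content filter evaluated only after the policy has matched.
    # "deny": drop when the envelope recipient is in the list.
    # "allow-only": drop when the envelope recipient is NOT in the list
    # (a hypothetical mode used here for requirement b).
    filter_recipients: Set[str] = field(default_factory=set)
    filter_mode: str = "deny"


def policy_matches(p: Policy, sender: str, recipient: str) -> bool:
    if p.senders and p.recipients:
        # The pitfall reported in the thread: both lists -> OR, not AND.
        return any_match(p.senders, sender) or any_match(p.recipients, recipient)
    if p.senders:
        return any_match(p.senders, sender)
    if p.recipients:
        return any_match(p.recipients, recipient)
    return True  # an empty policy behaves like the default policy


def decide(policies: List[Policy], sender: str, recipient: str) -> Tuple[str, str]:
    """First matching policy wins, like a firewall rule base."""
    for p in policies:
        if not policy_matches(p, sender, recipient):
            continue
        if p.filter_recipients:
            hit = any_match(p.filter_recipients, recipient)
            if (p.filter_mode == "deny" and hit) or (p.filter_mode == "allow-only" and not hit):
                return p.name, "drop"
        return p.name, p.action
    return "default", "deliver"


# Requirement a) the naive way: sender AND recipient both in the policy's Users.
NAIVE = [
    Policy("block-alice-to-bob", senders={"alice@a.example"},
           recipients={"bob@b.example"}, action="drop"),
    Policy("allow-rest", senders={ANY}),
]

# Requirement a) as the poster found it has to be built: sender in the policy,
# envelope recipient in a content filter whose action is drop.
CORRECTED = [
    Policy("block-alice-to-bob", senders={"alice@a.example"},
           filter_recipients={"bob@b.example"}, filter_mode="deny"),
    Policy("allow-rest", senders={ANY}),
]

# Requirement b): carol may only send to the hr.example domain.
RESTRICTED = [
    Policy("carol-only-hr", senders={"carol@a.example"},
           filter_recipients={"@hr.example"}, filter_mode="allow-only"),
    Policy("allow-rest", senders={ANY}),
]

if __name__ == "__main__":
    for label, table in (("naive", NAIVE), ("corrected", CORRECTED)):
        for snd, rcp in (("alice@a.example", "bob@b.example"),
                         ("alice@a.example", "dave@b.example"),
                         ("erin@c.example", "bob@b.example")):
            print(label, snd, "->", rcp, decide(table, snd, rcp))
```

Running the block shows the collateral damage of the naive table: alice can no longer send to anyone and nobody can send to bob, while the corrected table drops only alice to bob. Which table (incoming or outgoing) the appliance consults is decided by the listener or mail flow policy, as Andreas describes above; the model is independent of that choice.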
