Can Cisco ESA scan and filter internally sent email within same domain?

sengjiunn
Level 1

Hi,

I am still new to Cisco ESA. I would much appreciate it if anyone could help answer the following. The ESA is deployed behind the firewall and in front of the Microsoft Exchange server. The ESA only handles incoming mail, not outgoing mail. The incoming and outgoing mail flows are as below:

Incoming

Internet --> Firewall --> ESA --> Exchange --> Users

Outgoing

Users --> Exchange --> Firewall --> Internet

Questions:

1) How can the ESA scan and filter internally sent mail within the same domain?

2) How can the ESA detect and prevent spoofed mail sent between internal users within the same domain?

3) How can the ESA be configured to detect and prevent an internal user infected by a trojan from blasting spam mail to other internal users?

Great thanks in advance!

Regards,

Steven

5 Replies

Libin Varghese
Cisco Employee

Hi Steven,

1.
Emails delivered internally are usually processed by the Exchange server directly; however, in order to scan internal emails as well, we would need to allow the email flow through the ESA.

Users -> Exchange -> ESA -> Exchange -> Users

To allow mail flow from Exchange, the Exchange server would need to inject emails intended for internal domains into the inbound listener of the ESA, while continuing to send other outbound emails to the firewall.

This would need to be tested on your end, as there could be unforeseen issues, such as with emails that have multiple recipients (both internal and external).

2.
The ESA can use filters to prevent spoofed emails being generated from the internet; I'm not sure what you mean by spoofed emails from users within the same domain. If there are dedicated servers for each domain, SPF could be used.

I will attach the forged email detection steps with this post for your reference.

3.
Emails passed through the ESA are subject to rate limiting configured on the mail flow policies.

You could also configure a filter with the condition "header-repeats".

Header Repeats Rule
The Header Repeats rule evaluates to true if at a given point in time, a specified number of messages:
* With same subject are detected in the last one hour.
* From same envelope sender are detected in the last one hour.

You can use this rule to detect high volume emails. For example, political campaigns through certain websites may send out emails to organizations in high volumes. Anti-spam engines treat such emails as clean, and do not stop the delivery of these emails.

The syntax of this rule is header-repeats (<target>, <threshold> [, <direction>]), where:
* <target> is subject or mail-from. AsyncOS counts the repetition of values of the target.
* <threshold> is the number of messages with identical values for a given target, received in the last one hour, beyond which the rule evaluates to true.
* <direction> is incoming, outgoing, or both. If direction is not specified in this rule, incoming or outgoing messages are counted for rule evaluation.

Every time a Header Repeats rule evaluates to true, a System Alert is sent.

Note: If the header field includes comma or semi-colon separated values, the rule considers the complete string for tracking. This rule ignores messages with empty subject header.

The Header Repeats rule maintains a moving sum of messages with up to one minute's precision. As a result, after the set threshold has been reached, there can be a delay of up to one minute before this rule is triggered.

A sample message filter would be as below:

header_repeats: if (remote-ip == "IP of exchange server") AND (header-repeats('mail-from', 100)) {
    notify ("admin@domain.com");
}

The filter can be modified as per your requirements. The limit of 100 would vary depending on what is considered normal mail flow in your environment.

To get familiar with the workings of the ESA, I would recommend reviewing the AsyncOS end user guide.

http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-7/ESA_9-7_User_Guide.pdf

Thanks
Libin
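An added example (not from this thread or from Cisco) that models the header-repeats semantics quoted above in Python: a one-hour moving sum per mail-from or subject value kept in one-minute buckets, the direction filter, the empty-subject exclusion, and the posted filter's remote-ip condition. The message records, timestamps and the 10.0.0.25 Exchange address are constructed, and the assumption that the repeat counter sees every message regardless of the remote-ip condition is mine, not documented here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class HeaderRepeats:
    """Moving one-hour sum of messages per target value, in one-minute buckets."""
    def __init__(self, target, threshold, direction="both"):
        if target not in ("subject", "mail-from"):
            raise ValueError("target must be 'subject' or 'mail-from'")
        self.target, self.threshold, self.direction = target, threshold, direction
        self.buckets = defaultdict(deque)  # value -> deque of [minute, count]

    def observe(self, msg):
        """Count msg; True once more than `threshold` messages with the same
        target value were seen in the trailing hour (minute precision)."""
        if self.direction != "both" and msg["direction"] != self.direction:
            return False
        value = msg[self.target]           # whole string tracked, commas included
        if self.target == "subject" and not value:
            return False                   # messages with an empty subject are ignored
        minute = msg["time"].replace(second=0, microsecond=0)
        q = self.buckets[value]
        if q and q[-1][0] == minute:
            q[-1][1] += 1
        else:
            q.append([minute, 1])
        while q[0][0] <= minute - timedelta(hours=1):  # expire buckets older than an hour
            q.popleft()
        return sum(c for _, c in q) > self.threshold

def run_filter(msgs, exchange_ip, threshold):
    """Model of the posted filter: (remote-ip == exchange) AND header-repeats('mail-from', N)."""
    rule = HeaderRepeats("mail-from", threshold)
    # observe() runs for every message (assumption); notify fires only for Exchange-injected mail
    return [(m["time"], m["mail-from"]) for m in msgs
            if rule.observe(m) and m["remote_ip"] == exchange_ip]

T0 = datetime(2024, 1, 1, 9, 0)
EXCHANGE_IP = "10.0.0.25"  # constructed placeholder for the Exchange server address

def sample_messages():
    """Constructed traffic: 12 messages in 6 minutes from one mailbox, then one 2 hours later."""
    base = {"remote_ip": EXCHANGE_IP, "direction": "incoming",
            "mail-from": "alice@example.com", "subject": "Invoice"}
    msgs = [dict(base, time=T0 + timedelta(seconds=30 * i)) for i in range(12)]
    msgs.append(dict(base, time=T0 + timedelta(hours=2), subject="Lunch"))
    return msgs

if __name__ == "__main__":
    for when, sender in run_filter(sample_messages(), EXCHANGE_IP, threshold=10):
        print(f"{when:%H:%M:%S} notify(admin): repeated mail-from {sender}")
```

With a threshold of 10, the 11th and 12th messages trigger the notify action; the message sent two hours later falls outside the one-hour window and does not.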

Hi Libin,

Thanks for your reply. I would much appreciate it if you could guide me on item number 1.

Thanks & Regards,

Steven

Steven,

Currently, emails from internal domains to other internal domains would not be passing through the ESA, hence no scanning occurs.

Ideally, the Exchange server IPs are added to the HAT sender group RELAYLIST to allow outbound mail flow. Since you are looking to continue outbound email delivery through the firewall and only have internal domains pass through the ESA, you would need to check on the Exchange server whether emails destined for external domains and internal domains can be handled differently, as below.

Users -> Exchange -> Firewall -> Internet (for external domains)

Users -> Exchange -> ESA -> Exchange -> Users (for internal domains)

For internal domains, the Exchange server would need to inject emails to the ESA on the listener IP configured under Network -> Listeners.

As the Exchange IP is not part of the RELAY sender group, the ESA would treat the email as inbound; scanning would occur as per the incoming mail policy, and the email would be delivered to Exchange using the SMTP routes.

You can refer to the article below for the Exchange side configuration; however, Microsoft support would be better suited to explain how that is configured.

https://technet.microsoft.com/en-IN/library/jj839710%28v=exchg.141%29.aspx?f=255&MSPPError=-2147217396

Again, this is a setup that is not normally used, so it would need to be tested.

Thanks
Libin

Hi Libin,

Thanks for your informative answer. I will give it a try.


Regards,

Steven

Hi Steven

Did you successfully configure filtering of internally sent email within the same domain?

Please share the Cisco ESA configuration as well as the Exchange side configuration.

Regards,

Sid

siddertha@yahoo.com