
Cisco Email Security Appliance Blacklist outbound configuration

jrct7
Level 1

Hello to everyone,

 

I have installed a Virtual ESA and I want to configure an outgoing blacklist. The purpose is for you to add emails to that blacklist so that the Cisco ESA does not send messages to those addresses.

 

I have searched for information but I don't quite understand how to do that.

 

Can anyone help me with this?

7 Replies

marc.luescherFRE
Spotlight

There are many ways to do this.

 

An example:

 

a) you create a new dictionary called Blocked Outbound Domains and add 2-3 test domains into it with the @ sign. Deselect all Advanced Matching options, Commit changes

b) you create a new Outgoing Content Filter, "GUIBlock_Outgoing_Domains"

 

    condition envelope recipient = contains term in content dictionary "Blocked Outbound Domains"

    define action of choice Quarantine or Drop (Final Action)

c) apply this new GUIBlock_Outgoing_Domain content filter to your Outgoing Mail Policy under Content Filters, Commit changes

 

Test with your 2-3 domains till satisfied with the results.

 

-Marc

 

 

Hello Marc, thanks for replying.

 

Yesterday I did the config that you mentioned but the ESA still sends emails to the blocked domains:

 

Here's the thing, I am using an SMTP Diag Tool and when I send the test mail it shows me that the message was sent successfully.

 

Moreover, I checked in my Cisco SMA --> Email --> Message Tracking and it shows that all messages, no matter the policy that applies, are "queued for delivery"

 

I'm going to attach the pictures of the configuration that I made in order to show you, and you can tell me if I made any mistake.

 

I'll be expecting your answer.

Let me try but there must be something else we are missing. I suspect we don't have a working outbound route.

 

Can you go to System Administration / Shutdown/Suspend and tell me how many messages you have in the work queue and what the workqueue status is (operational?).

 

-Marc

 

Hello Marc,

 

I can't see any. I'll show you the print.

 

-Jesús

jrct7
Level 1

Hello to everyone,

 

Can somebody help me with this case? I have read all kinds of articles, but the ESA is still sending messages to senders in the blacklist.

jrct7,

First thing you want to do is create a content filter and title it Drop_Outgoing, under Description put something like DANGER! This policy drops all outgoing email for the listed sender. Under actions click Drop (Final Action)-> click ok-> Submit-> Commit Changes-> Commit Changes again. You can also create a filter for Outbound Malicious URLs, or Outbound Dictionary words, etc. but I quarantine those so I can keep track of them.

Second, create an Outgoing Mail Policy titled Sinkhole-> move it first in your order-> add one sender, make one up if you have to, but this part is important, you need to click on Any Sender on the left, then click Following Recipients on the right. In other words, if anyone is sending to these senders, drop the email-> Submit-> Commit-> Commit.

Last, go back to the beginning of your Outgoing Mail Policies and move to your Sinkhole Policy->click (use default)-> under the dropdown window select Enable Content Filters (Customize Settings)-> and then toggle Enable beside your Drop_Outgoing->Submit-> Commit-> Commit.

That should work, if not, we may have another issue going on.

Remember, Outgoing Mailflow Policy is where you add email addresses and domains that you want to block sending from (your own) and sending to (anyone), and the HAT (select Outgoing Mail under Sender Groups) is where you place IP and Geo Locations.

 

Hope that helps.

-Don

Hi Don.

 

I had already done that setup before but it didn't work.

That's why I was asking around here, surely something is missing.

 

I'd appreciate any help.

 

-Jesús
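
For checking what the thread describes (test messages to blocked domains still showing "queued for delivery"), the following added example, which is not from any poster or from Cisco, traces each MID through text mail logs and lists the ones that were queued although a recipient is in a blocked domain, together with the mail policy and table that matched. The log lines are constructed and their format is an assumption modelled on ESA mail_logs; `blocked.example` is a made-up domain, while `Sinkhole` and `Drop_Outgoing` are the names used in Don's reply.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the ESA mail_logs text format (assumption:
# compare with your own appliance's logs). MIDs, names and addresses are made up.
SAMPLE_LOG = """\
Info: MID 101 ICID 55 RID 0 To: <bob@blocked.example>
Info: MID 101 matched all recipients for per-recipient policy DEFAULT in the inbound table
Info: MID 101 queued for delivery
Info: MID 102 ICID 56 RID 0 To: <carol@blocked.example>
Info: MID 102 matched all recipients for per-recipient policy DEFAULT in the outbound table
Info: MID 102 queued for delivery
Info: MID 103 ICID 57 RID 0 To: <dave@blocked.example>
Info: MID 103 matched all recipients for per-recipient policy Sinkhole in the outbound table
Info: Message aborted MID 103 Dropped by content filter 'Drop_Outgoing' in the outbound table
"""

RE_RCPT = re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]+)>")
RE_POLICY = re.compile(r"MID (\d+) matched all recipients for per-recipient "
                       r"policy (.+?) in the (inbound|outbound) table")
RE_DROP = re.compile(r"Message aborted MID (\d+) Dropped by content filter '([^']+)'")
RE_QUEUED = re.compile(r"MID (\d+) queued for delivery")

def trace(log_text):
    """Collect recipients, matched policy/table and final result per MID."""
    msgs = defaultdict(lambda: {"rcpts": [], "policy": None, "table": None,
                                "result": "unknown"})
    for line in log_text.splitlines():
        if m := RE_RCPT.search(line):
            msgs[m[1]]["rcpts"].append(m[2].lower())
        elif m := RE_POLICY.search(line):
            msgs[m[1]]["policy"], msgs[m[1]]["table"] = m[2], m[3]
        elif m := RE_DROP.search(line):
            msgs[m[1]]["result"] = "dropped by " + m[2]
        elif m := RE_QUEUED.search(line):
            msgs[m[1]]["result"] = "queued for delivery"
    return dict(msgs)

def leaked(log_text, blocked_domains):
    """MIDs queued for delivery although a recipient is in a blocked domain."""
    out = {}
    for mid, info in trace(log_text).items():
        hit = [r for r in info["rcpts"] if r.rsplit("@", 1)[-1] in blocked_domains]
        if hit and info["result"] == "queued for delivery":
            out[mid] = (info["policy"], info["table"])  # which policy let it through
    return out

if __name__ == "__main__":
    for mid, (policy, table) in leaked(SAMPLE_LOG, {"blocked.example"}).items():
        print(f"MID {mid}: queued, matched policy {policy!r} in the {table} table")
```

The policy and table reported for each leaked MID show whether the test message was evaluated by the outgoing policy that carries the drop filter at all.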