cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
363
Views
30
Helpful
14
Replies
Beginner

Cisco esa blocks whitelisted emails

Hi. some crucial emails being blocked by content filter. that is way I added it to whitelist on HAT overview by adding mail.company.com server name. But unfortunately some emails form company.com still being blocked. Any solution?

3 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: Cisco esa blocks whitelisted emails

That's true if the emails is detected by the anti-spam then it will dropped/quarantined before reaching the content filter.

In the solution provided by me previously, you can continue adding the sender domain's sending mail server's hostname or IP address to the WHITELIST sendergroup in HAT overview which will skip the anti-spam check which will solve the spam issue.

I hope the provided solution helps!

Cisco Employee

Re: Cisco esa blocks whitelisted emails

That's great. Just to update you again that adding the domain name to the HAT sendergroup won't work. We need to add the hostname or IP address of the sending mail server in the following format/syntax.

 

Screen Shot 2019-08-06 at 9.19.58 AM.pngSyntax to add sender details in sendergroup

 

 

Cisco Employee

Re: Cisco esa blocks whitelisted emails

Hi Ccns90,

Saying ccns90 is the hostname is like going towards a totally different track as I am referring here to the hostname of the "sending mail servers".

Let me explain to you a similar scenario as below.

Suppose we have an email coming from abc@facebook.com, then it doesn't necessarily mean that the hostname of the sending mail server is ending with "facebook.com".
For instance, in this case, the emails must be coming from the sending server with the hostname of "fbworkmail.com" as those are the sending mail origin servers. Also, we get the details of the IP address of those servers which can be used in the HAT group. Please refer the below link for the same:
https://developers.facebook.com/docs/workplace/additional-configuration/email/

Similarly, in your scenario, you need to check on the sending mail server details of the domain "company.com" for their hostnames or IP addresses which you can use in the sendergroup in HAT Overview as adding the domains which you see in the email addresses won't be of any effect.

I hope that explains!

Regards,
Pratham
14 REPLIES 14
Highlighted
Cisco Employee

Re: Cisco esa blocks whitelisted emails

Hi CCns,

Adding hostname of the sending server to the WHITELIST sendergroup will only skip the Anti-spam engine not help in skipping the Content filter engine in the email security pipeline.

For your requirement, I would recommend you to create another content filter (place it in the order above the content filter blocking the emails). In the newly created content filter use the condition as "Envelope Sender" with value contains (sending domain name) "company.com" and action as "Skip Remaining Content Filters (Final Action)".

 

Below articles will be helpful to you in creating the content filter as per the requirement:

https://www.cisco.com/c/dam/en/us/products/collateral/security/esa-content-filters.pdf

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01010.html

I hope this explains and helps!

Regards,
Pratham

Collaborator

Re: Cisco esa blocks whitelisted emails

HAT and the related "Mailflow Policies" are all about the connection: is that other system allowed to connect to us, how many connections at once, how many emails per connection and etc. It doesn't deal with content.


Once we have the mail we still need to build a "Incoming Mail Policy" to deal with the content.

Create a new mail policy with this sender in it and turn of whichever filters you need to.

Beginner

Re: Cisco esa blocks whitelisted emails

Thank you. you helped me again ) I really appreciate that.

 

I am going to create new Incoming Mail Policy called WhiteList above Default mail policy. then it would be more flexible to manage I guess. For instance if mail comes from company.com I can scan with antispam or antivirus. Or I can let that email to reach destination without scanning by antispam,content filter or antivirus. Is my thought correct?

 

Cisco Employee

Re: Cisco esa blocks whitelisted emails

Hi CCns90,

Yes, you are thinking correct. However, in the new incoming mail policy, I would recommend having anti-virus engine enabled as it will help protect your network from virus threats and as per your requirement, you can go ahead and disable the anti-spam and content filters engine.

However, to can keep the hostname in the Whitelist sendergroup as it will be matching against the TRUSTED (by default) mail flow policy which will provide more leniency to the sender domain (if it is trusted by your end) against various security measures including having more simultaneous connections to your ESA appliance.

Regards,
Pratham

Beginner

Re: Cisco esa blocks whitelisted emails

So let me summarize this issue. I will create new incoming mail policy and enable antivirus but disable the rest. More over I will remove company.com from hat->whitelist. When I need to add some trusted domain to whitelist it would be new created Incoming Mail Policy.

 

One more guestions I want to ask. what if someone spoofed company.com domain and send to our users? What would hat->whitelist or My new created Incoming mail policy do for it.

Cisco Employee

Re: Cisco esa blocks whitelisted emails

Hi Ccns90,

If you create a new policy for your requirement in which you disable content filters then there are chances that spoof emails from the sending domains can pass through as we will have no check created for spoofing.

I believe the best approach for your requirement will be the same as suggested by me previously to simply create a new content filter (say named X) (to skip below filters) above the other content filter (say named Y) which is blocking your emails.
For checking on the spoof emails from the sending domain, you can make use of another content filter (A) (placed on top of the new filter created named X) which can take action based on the SPF/DKIM/DMARC verdicts used for checking on the spoofed emails.
Hence, your content filters need to be in the below order (considering there are only these 3 filters in ESA):

1) A
2) X
3) Y

I hope the above is able to provide you more understanding.

Regards,
Pratham
Beginner

Re: Cisco esa blocks whitelisted emails

That is great explanation. But what if company.com seen by esa as spam(false positive)? It will be droped before reaching to content filter. 

Cisco Employee

Re: Cisco esa blocks whitelisted emails

That's true if the emails is detected by the anti-spam then it will dropped/quarantined before reaching the content filter.

In the solution provided by me previously, you can continue adding the sender domain's sending mail server's hostname or IP address to the WHITELIST sendergroup in HAT overview which will skip the anti-spam check which will solve the spam issue.

I hope the provided solution helps!

Beginner

Re: Cisco esa blocks whitelisted emails

So i will add domains to hat-whitelist that i want not to be blocked and will create content filter appropriate to it. It is clear. Thank you so much. 

Cisco Employee

Re: Cisco esa blocks whitelisted emails

That's great. Just to update you again that adding the domain name to the HAT sendergroup won't work. We need to add the hostname or IP address of the sending mail server in the following format/syntax.

 

Screen Shot 2019-08-06 at 9.19.58 AM.pngSyntax to add sender details in sendergroup

 

 

Beginner

Re: Cisco esa blocks whitelisted emails

One last question I want to make sure. Suppose email comes from mail.company.com and sender is ccns90@company.com. according to your post (screenshot) hostname here is company.com? Don't you think host name must be ccns90? maybe I am wrong. I would be pleased if you explain this 

Cisco Employee

Re: Cisco esa blocks whitelisted emails

Hi Ccns90,

Saying ccns90 is the hostname is like going towards a totally different track as I am referring here to the hostname of the "sending mail servers".

Let me explain to you a similar scenario as below.

Suppose we have an email coming from abc@facebook.com, then it doesn't necessarily mean that the hostname of the sending mail server is ending with "facebook.com".
For instance, in this case, the emails must be coming from the sending server with the hostname of "fbworkmail.com" as those are the sending mail origin servers. Also, we get the details of the IP address of those servers which can be used in the HAT group. Please refer the below link for the same:
https://developers.facebook.com/docs/workplace/additional-configuration/email/

Similarly, in your scenario, you need to check on the sending mail server details of the domain "company.com" for their hostnames or IP addresses which you can use in the sendergroup in HAT Overview as adding the domains which you see in the email addresses won't be of any effect.

I hope that explains!

Regards,
Pratham
Beginner

Re: Cisco esa blocks whitelisted emails

That is great explanation, it is totally clear. Thanks you so much for spending your valuable time to assist me.

Cisco Employee

Re: Cisco esa blocks whitelisted emails

My pleasure! Glad to know that I was able to help.