
Cisco ESA blocks whitelisted emails

ccna_security
Level 3

Hi. Some crucial emails are being blocked by the content filter. That is why I added it to the whitelist on the HAT overview by adding the mail.company.com server name. But unfortunately some emails from company.com are still being blocked. Any solution?


14 Replies

ppreenja
Cisco Employee

Hi CCns,

Adding the hostname of the sending server to the WHITELIST sendergroup will only skip the anti-spam engine; it will not help in skipping the content filter engine in the email security pipeline.

For your requirement, I would recommend that you create another content filter (placed in the order above the content filter blocking the emails). In the newly created content filter, use the condition "Envelope Sender" with the value contains (sending domain name) "company.com" and the action "Skip Remaining Content Filters (Final Action)".

The articles below will be helpful to you in creating the content filter as per the requirement:

https://www.cisco.com/c/dam/en/us/products/collateral/security/esa-content-filters.pdf

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01010.html

I hope this explains and helps!

Regards,
Pratham

HAT and the related "Mail Flow Policies" are all about the connection: is that other system allowed to connect to us, how many connections at once, how many emails per connection, and so on. It doesn't deal with content.

Once we have the mail we still need to build an "Incoming Mail Policy" to deal with the content.

Create a new mail policy with this sender in it and turn off whichever filters you need to.

Thank you, you helped me again :) I really appreciate that.

I am going to create a new Incoming Mail Policy called WhiteList above the Default mail policy. Then it would be more flexible to manage, I guess. For instance, if mail comes from company.com I can scan it with anti-spam or anti-virus. Or I can let that email reach its destination without scanning by anti-spam, content filter or anti-virus. Is my thought correct?

 

Hi CCns90,

Yes, you are thinking correctly. However, in the new incoming mail policy, I would recommend having the anti-virus engine enabled as it will help protect your network from virus threats, and as per your requirement, you can go ahead and disable the anti-spam and content filter engines.

However, you can keep the hostname in the WHITELIST sendergroup as it will be matched against the TRUSTED (by default) mail flow policy, which will provide more leniency to the sender domain (if it is trusted by your end) against various security measures, including having more simultaneous connections to your ESA appliance.

Regards,
Pratham

So let me summarize this issue. I will create a new incoming mail policy and enable anti-virus but disable the rest. Moreover, I will remove company.com from HAT -> WHITELIST. When I need to add some trusted domain to the whitelist, it would be the newly created Incoming Mail Policy.

One more question I want to ask: what if someone spoofs the company.com domain and sends to our users? What would HAT -> WHITELIST or my newly created Incoming Mail Policy do for it?

Hi Ccns90,

If you create a new policy for your requirement in which you disable content filters, then there are chances that spoofed emails from the sending domains can pass through, as we will have no check created for spoofing.

I believe the best approach for your requirement will be the same as suggested by me previously: simply create a new content filter (say named X) (to skip the filters below it) above the other content filter (say named Y) which is blocking your emails.
For checking on the spoofed emails from the sending domain, you can make use of another content filter (A) (placed on top of the new filter created, named X) which can take action based on the SPF/DKIM/DMARC verdicts used for checking on the spoofed emails.
Hence, your content filters need to be in the below order (considering there are only these 3 filters in the ESA):

1) A
2) X
3) Y

I hope the above is able to provide you more understanding.

Regards,
Pratham
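A small Python model of the pipeline order this thread lays out (HAT sender group match → anti-spam → content filters A, X, Y in that order), added here as an example; it is not Cisco code and not from any post above. The HAT entry forms it accepts (IP, CIDR, exact hostname, ".domain" partial hostname) are an assumption, and every message is a constructed sample.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Message:
    connecting_ip: str        # IP of the sending mail server (what HAT actually matches)
    connecting_host: str      # reverse-DNS hostname of that server, e.g. mail.company.com
    envelope_sender: str      # MAIL FROM address, e.g. user@company.com
    spam_verdict: bool        # constructed anti-spam verdict for the sample
    dmarc_fail: bool = False  # constructed SPF/DKIM/DMARC verdict for the sample

def hat_whitelist_match(entries, msg):
    """HAT WHITELIST sender group: entries are IP/CIDR, an exact hostname,
    or a '.domain' partial hostname (assumed syntax). The address domain in
    the envelope sender is never consulted here, which is the thread's point."""
    for e in entries:
        try:
            if ipaddress.ip_address(msg.connecting_ip) in ipaddress.ip_network(e, strict=False):
                return True
        except ValueError:
            pass  # not an IP/CIDR entry, fall through to hostname forms
        if e.startswith('.') and msg.connecting_host.endswith(e):
            return True
        if e == msg.connecting_host:
            return True
    return False

def run_content_filters(filters, msg):
    """Content filters run top to bottom; 'skip' is the final action
    'Skip Remaining Content Filters', so nothing below it runs."""
    for name, cond, action in filters:
        if cond(msg):
            return name, ('delivered' if action == 'skip' else action)
    return None, 'delivered'

def pipeline(hat_whitelist, filters, msg):
    """Returns (stage, verdict): the stage that decided the mail and the outcome."""
    if not hat_whitelist_match(hat_whitelist, msg) and msg.spam_verdict:
        return 'anti-spam', 'quarantined'   # dropped before any content filter sees it
    return run_content_filters(filters, msg)

# Filter order from the thread: A (spoof check) above X (skip) above Y (the blocker).
FILTERS = [
    ('A', lambda m: m.dmarc_fail, 'quarantined'),
    ('X', lambda m: m.envelope_sender.endswith('@company.com'), 'skip'),
    ('Y', lambda m: True, 'blocked'),
]
```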

That is a great explanation. But what if company.com is seen by the ESA as spam (false positive)? It will be dropped before reaching the content filter.

That's true. If the email is detected by the anti-spam engine, then it will be dropped/quarantined before reaching the content filter.

In the solution provided by me previously, you can continue adding the sender domain's sending mail server's hostname or IP address to the WHITELIST sendergroup in the HAT overview, which will skip the anti-spam check and so solve the spam issue.

I hope the provided solution helps!

So I will add the domains that I don't want blocked to HAT -> WHITELIST and will create the appropriate content filter for them. It is clear. Thank you so much.

That's great. Just to update you again that adding the domain name to the HAT sendergroup won't work. We need to add the hostname or IP address of the sending mail server in the following format/syntax.

[Screenshot: syntax to add sender details in the sendergroup]

One last question I want to make sure of. Suppose an email comes from mail.company.com and the sender is ccns90@company.com. According to your post (screenshot), the hostname here is company.com? Don't you think the hostname must be ccns90? Maybe I am wrong. I would be pleased if you could explain this.

Hi Ccns90,

Saying ccns90 is the hostname is like going down a totally different track, as I am referring here to the hostname of the "sending mail servers".

Let me explain a similar scenario to you below.

Suppose we have an email coming from abc@facebook.com; then it doesn't necessarily mean that the hostname of the sending mail server ends with "facebook.com".
For instance, in this case, the emails must be coming from the sending server with the hostname "fbworkmail.com", as those are the sending mail origin servers. Also, we get the details of the IP addresses of those servers, which can be used in the HAT group. Please refer to the link below for the same:
https://developers.facebook.com/docs/workplace/additional-configuration/email/

Similarly, in your scenario, you need to check the sending mail server details of the domain "company.com" for their hostnames or IP addresses, which you can use in the sendergroup in HAT Overview, as adding the domains which you see in the email addresses won't have any effect.

I hope that explains!

Regards,
Pratham

That is a great explanation, it is totally clear. Thank you so much for spending your valuable time to assist me.

My pleasure! Glad to know that I was able to help.