05-25-2013 09:40 PM
Could I code any complex regex conditions in a content filter beyond what the rules editor allows me to do?
For example, since now i know how to use a dictionary to lookup authorized senders for encrypting with CRES (thanks to an earlier responder), I need a condition such as this:
IF (msg flagged AND sender-from dictionary)
ENCRYPT
ELSE IF (msg flagged AND sender-not-in-dictionary)
BOUNCE with error to sender
ELSE
SEND UNENCRYPTED
Any suggestion?
Thanks.
Sent from Cisco Technical Support iPhone App
05-26-2013 07:03 AM
Hello John,
"Could I code any complex regex conditions in a content filter beyond what the rules editor allows me to do?"
No, you can't. GUI or CLI, the content filters do not allow for complex regex. However, the CLI's message filters allow for 'else' and 'if not' statements. Unlike content filters, message filters are not directional (inbound vs. outbound emails), so you have to define a direction for them. If you do not, the appliance will start to look at traffic coming from the internet and leaving for the internet. This will increase load on the unit, as it has to look at all traffic.
The best way to accomplish this task would be via an LDAP membership profile, a special outbound mail policy, and your default catch-all outbound mail policy. A user can only match one mail policy, even if they exist in more than one.
Steps I would take to accomplish this task:
Most likely you already have an LDAP system, this repository has all your users, and they are most likely already in buckets/groups.
IT Admins
Accounts
Business
Guests
etc...
EncryptEmail -- new group
1. you will need an LDAP profile on your appliance (system administration -- LDAP) ## will control group membership queries, mail from, authentication, among many others
2. create a group in your LDAP system called -- "EncryptEmail" ## -- name is yours to define, add all your users allowed to encrypt to the group.
2A-- create an LDAP group profile 'ldap_server'
2B --Create an LDAP group query 'ldap_server.group'
3. create an outbound Encrypt filter that looks for the encrypt flag set to \[SEND SECURE\] ##-- single escapes -- the content filter will handle the second escape, or whatever flag you are actually looking for.
4. create an outgoing mail policy that will be for your 'ldap_server_profile.group-query.EncryptEmail' ### as people get added or removed, your LDAP system membership will be altered; you don't have to touch the mail policy again
(mail policies -- outgoing mail policies ADD LDAP Group Query -- select your group query, and add the name of your group, example is using "EncryptEmail"), when you click add it will look something like this
ldap_server.group-query.EncryptEmail
5. now activate your -outbound Encrypt filter- only on your outbound mail policy that has the LDAP group on it.
NOTE:
Encryption will only be done for the people that match on your LDAP outbound mail policy, and have their subject flag on. Other traffic from these users will also match, but will not be encrypted. Since content filters can be activated on different mail policies, you can also activate any other policy type content filter you have for all your users on this outbound policy too. By default it will inherit AS and AV scanning, so you should not have to add them. If you have done something that stops this, then please enable AS and AV on the new mail policy too.
Now to deal with the users that are not in your encrypt LDAP group, and flagged/subjected their email for encryption
\[SEND SECURE\]
6. on your default outbound mail policy, create a new outbound mail content filter that has one condition
6A Condition: "looks for your encrypt flag/subject"
6B First Action: if the flag/subject is found: Notify action -- notify the sender and the administrator--
6C Second Action: if the flag/subject is found: Bounce action -- this is final, and the email will be returned.
7. activate your new content filter on the default 'catch all' outbound mail policy.
Submit and commit all your work along the way.
You are done. I strongly advise you to test the steps with a couple of testing mail policies that only have IT guys in them. Once working, you can push the work to prod.
If you still want to do this via a message filter,
CLI -- filters-- new
you can use something like this:
====================================================
To_encrypt_NOT_encrypt:
if ((recv-listener == "InboundMail") AND (mail-from-dictionary-match("users_allow_encrypt")) AND (subject == "\\[SEND SECURE\\]"))
{
    encrypt('encryption_profile');
}
else
{
    if ((subject == "\\[SEND SECURE\\]") AND (NOT mail-from-dictionary-match("users_allow_encrypt")))
    {
        notify("admin@domain.com, $EnvelopeSender");
        bounce();
    }
}
====================================================
cheers,
-Alvaro
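Added example, not part of the thread or of the appliance: a small Python model of the decision logic in the message filter above, mainly to show the three outcomes (encrypt, notify+bounce, deliver unencrypted) and why the subject flag has to be escaped. The dictionary contents, listener name and sender addresses are constructed assumptions, and the dictionary match is simplified to exact-address membership.

```python
import re

# Constructed stand-in for the ESA dictionary "users_allow_encrypt"; the real
# dictionary match is a term lookup, exact-address membership is a simplification.
USERS_ALLOW_ENCRYPT = {"alice@example.com", "bob@example.com"}

# Listener the filter is pinned to (recv-listener == "InboundMail"); without
# such a check a message filter inspects traffic in every direction.
ENCRYPT_LISTENER = "InboundMail"

# Written as "\\[SEND SECURE\\]" in the filter text, the flag reaches the regex
# engine as \[SEND SECURE\], the literal tag. Left unescaped, [SEND SECURE] is a
# character class matching any single one of those letters.
FLAG_ESCAPED = re.compile(r"\[SEND SECURE\]")
FLAG_UNESCAPED = re.compile(r"[SEND SECURE]")


def subject_flagged(subject, escaped=True):
    """True if the subject carries the encrypt flag under the chosen regex."""
    pattern = FLAG_ESCAPED if escaped else FLAG_UNESCAPED
    return pattern.search(subject) is not None


def decide(msg):
    """Action for one message dict (recv_listener, mail_from, subject):
    "encrypt", "notify+bounce" or "deliver" (unencrypted, no filter action)."""
    flagged = subject_flagged(msg["subject"])
    allowed = msg["mail_from"].lower() in USERS_ALLOW_ENCRYPT
    on_listener = msg["recv_listener"] == ENCRYPT_LISTENER

    # if ((recv-listener == "InboundMail") AND dictionary match AND subject flag)
    if on_listener and allowed and flagged:
        return "encrypt"
    # else { if (subject flag AND NOT dictionary match) { notify(...); bounce(); } }
    if flagged and not allowed:
        return "notify+bounce"
    # Everything else, including an allowed sender whose flagged mail arrived on
    # another listener, falls through and is delivered without encryption.
    return "deliver"


if __name__ == "__main__":
    samples = [  # constructed messages
        {"recv_listener": "InboundMail", "mail_from": "alice@example.com", "subject": "[SEND SECURE] Q2 payroll"},
        {"recv_listener": "InboundMail", "mail_from": "mallory@example.com", "subject": "[SEND SECURE] hello"},
        {"recv_listener": "OutboundMail", "mail_from": "alice@example.com", "subject": "[SEND SECURE] contract"},
    ]
    for m in samples:
        print(m["mail_from"], m["recv_listener"], "->", decide(m))
    print("'Results' matches unescaped flag:", subject_flagged("Results", escaped=False))
```

The last sample shows the cost of the direction check: a flagged message from an allowed sender that arrives on a different listener is neither encrypted nor bounced.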
06-10-2013 08:38 PM
Thanks Alvaro for your detailed comments. I agree LDAP is definitely a better choice, but due to some constraints in our environment, it does not work for us.
I'll consider your suggestion about The CLI approach.
Regards.
Sent from Cisco Technical Support iPhone App