Content Filtering / Message Filtering (Classifications).

mxadmin
Level 1

Dear Community,

I am new to Cisco E-mail Gateway.

I would like to request your help (or advice) on how to configure a C190 Cisco appliance regarding classification marking:

I have several classifications (class1, class2, ..., class7) that must appear on the first line of an e-mail body. If not on the first line, the e-mail will be dropped.

Do you have any idea how to proceed?

 

Cordially,

MXAdmin.


balaji.bandi
Hall of Fame

I am not able to catch your point. Can you explain in more detail, with an example, so that we can understand and suggest?

Or look at the configuration examples below:

 

https://www.cisco.com/c/en/us/support/security/email-security-appliance/products-configuration-examples-list.html

 

BB


Thanks for your attention and interest.

The message body always has to start with a classification marking. If not, the email has to be dropped.

 

Example:

Classification level (first line of the body message)

Cordially,

MXAdmin

In other words:

 

If (first line of message body = Classification 1) then accept the message; if not, drop it.

Please have a look at my Outlook screenshot below:

 

Classification.jpg

Classification2.jpg

Dear community,

I would like to filter the e-mail body content and allow (for delivery) only e-mails that bear a classification marking on the first line (classification: confidential), and reject all e-mails not compliant with this rule.

 

Example 1: E-mail accepted (The following E-mail is compliant and will be processed (delivered))

  1. Header...
  2. Body
  3. First line of the body = Classification: CONFIDENTIAL
  4. ...

 

Example 2: The following E-mail is not compliant and will be rejected, sender notified

  1. Header...
  2. Body
  3. First line of the body = Classification: ANYTHING ELSE
  4. ...

Can someone help me with the best way to implement this filter?

NOTE: Please, keep in mind the following:
I have several (list) classification markings.

If one of them is present in the first line of the e-mail body,

then the e-mail will be accepted,

if not (else) the e-mail will be rejected and the sender will be notified accordingly.

 

Cordially,

MX Admin.

Hi,

Normally it should work with a message filter like:

if (body-contains("^Classification:Confidential", 1) or body-contains("^Classification: Classification1", 1)) {
    log-entry("Classification found");
}
else {
    drop();
}

You can add more and more "ors" here, or you can build one if for every classification you have and an else with drop at the end.

 

Regards,

Tom

Thanks a lot, Tom.

You are correct. But "body-contains = " does not condition specifically "the first line of the body".

"body-contains =" means somewhere in the body-message.

If you know how and what to add to the condition (for example "body-contains @FirstLine= classification1")...

Hello,

 

This is why Tom added in the caret (^) in the condition. Our filters use regular expression syntax, so ^ will signify the beginning of a line. Of course, you'll want to test to see if this will work to fit your needs.

 

I normally utilize something like RegEx101 to assist with building filters as it makes it pretty simple. You'll want to use Python flavor.

 

Thanks!

-Dennis M.
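
Added example (not part of the original posts and not Cisco code): an offline Python check of the two patterns from the filter posted above against constructed message bodies, assuming the per-line meaning of ^ described in the reply above (modelled here with re.MULTILINE). The stricter \A variant and the function names are illustrations only and have not been tested on an appliance.

```python
import re

# Patterns copied from the message filter posted in the thread.
THREAD_PATTERNS = [
    r"^Classification:Confidential",
    r"^Classification: Classification1",
]

# Assumption: '^' is applied per line, as described in the reply above;
# re.MULTILINE gives '^' that meaning in Python.
def thread_filter_matches(body):
    return any(re.search(p, body, re.MULTILINE) for p in THREAD_PATTERNS)

# Stricter illustration: \A pins the match to the very start of the body,
# the space after the colon is optional, and the label must end the line.
STRICT = re.compile(
    r"\AClassification:[ \t]*(?:Confidential|Classification1)[ \t]*(?:\r?\n|\Z)"
)

def strict_matches(body):
    return STRICT.search(body) is not None

# Constructed sample bodies (not taken from real mail).
SAMPLES = {
    "first_line_no_space": "Classification:Confidential\r\nNumbers attached.\r\n",
    "first_line_space": "Classification: Confidential\r\nNumbers attached.\r\n",
    "buried_marking": "Hi all,\r\nplease read.\r\nClassification:Confidential\r\n",
    "other_marking": "Classification: ANYTHING ELSE\r\nHello.\r\n",
    "label_prefix": "Classification:Confidential-draft notes\r\n",
}

def compare():
    # Returns {sample name: (thread-style result, strict result)}.
    return {
        name: (thread_filter_matches(body), strict_matches(body))
        for name, body in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:20} thread-style={loose!s:5} strict={strict}")
```

The rows where the two columns differ are the cases to reproduce with test messages on the appliance before relying on the filter to drop mail.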

Dennis, thanks a lot !

I will check it, and test it, and I will let you know.

Regards,

mxadmin

Dear Dennis, dear Tom,

 

I've tried to go with the following, using the CLI in PuTTY:

I've copied and pasted this into PuTTY:

Classification_rules
if
(body-contains("^Classification:Classification1", 1) or
body-contains("^Classification: Classification2",1)) or
body-contains("^Classification: Classification2",1))
{ log-entry("Classification found"); }
else
{ drop(); }  

.

 

Without success, unfortunately.

I have set up a cluster, and I could not see my filter in the GUI.

Could you please tell me what I should do with my filters when using PuTTY?

Thanks a lot for your efforts.

Hello,

Message filters are never shown in the GUI.
Create a message filter:

- Log on to the ESA via SSH

- call messagefilter: filters

- choose new

- Paste the messagefilter:

Classification_rules:if (body-contains("^Classification:Classification1", 1) or body-contains("^Classification: Classification2",1) or body-contains("^Classification: Classification2",1)){
 log-entry("Classification found");
} 
else{
 drop(); 
} 

 

- after the last "{" press enter for new line and finalize the messagefilter with "."

- Press enter until you are in "normal" command prompt (not in filter menu)

- Confirm via: commit

 

After this you should see the active messagefilter via filters --> list

Hope this helps.

Regards,

Tom

Thank you, Tom !

I wonder how to set those filters for incoming/outgoing?

A last question, please: are they visible in the GUI (appearing in the "Incoming Content Filters" or "Outgoing Content Filters")?

Best regards,

mxadmin

Hi,

They are not visible in Incoming or Outgoing Content Filters because they are not content filters but message filters.

Message filters are only accessible from the CLI. They are triggered before the policy scanning starts (including the content filters).

If you want to set them for incoming or outgoing, you have to add some conditions to the message filter, e.g.:

if(recv-listener == "OutboundMail") or if(recv-listener == "InboundMail")

 

Where "OutboundMail" or "InboundMail" is the name of your outgoing or incoming listeners.

Regards,

Tom