Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
730
Views
1
Helpful
5
Replies

Domain map wildcard/regex support

Go to solution
chasetan
Level 1
Level 1

‎03-20-2023 03:40 PM

Does the ESA support wilcard or regex domain maps?

We have requirement for the ESA to relay selected domains, and have everything else sent to a specific mailbox.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ken Stieers
VIP
VIP

‎03-21-2023 08:52 AM

I'm assuming you're talking about inbound mail...
For domains that you're accepting and sending on to your mail system (eg. Company.com, companyllc.com, company.co.uk), set up the domains under Mail Policies/Recipient Access Table as "Accept" and probably make sure LDAP accept queries are NOT bypassed, then go to Network/SMTP Routes and set those routes to for each domain to point at your mail servers.
For domains that you may take mail for but you want dumped in a single mailbox on your mail server (e.g. oldcompandomain.com) , I'd set them up in the Recipient Access Table with "Bypass LDAP Query" checked (assuming the addresses aren't in your LDAP anywhere), and then create a separate mail policy for these emails under Mail Policies/Incoming Mail Policies, and create a content filter that sends a BCC to oldcompanmailbox@company.com and then drops the incoming mail. Be careful as this rule would apply to ALL mail that hits this policy, so maybe start with quarantining it to make sure you got it right, then switch that to drop?
You could change the recipient, but I suspect you want to retain who is getting mail at the old domains.

View solution in original post

5 Replies 5

Go to solution
Ken Stieers
VIP
VIP

‎03-21-2023 08:52 AM

I'm assuming you're talking about inbound mail...
For domains that you're accepting and sending on to your mail system (eg. Company.com, companyllc.com, company.co.uk), set up the domains under Mail Policies/Recipient Access Table as "Accept" and probably make sure LDAP accept queries are NOT bypassed, then go to Network/SMTP Routes and set those routes to for each domain to point at your mail servers.
For domains that you may take mail for but you want dumped in a single mailbox on your mail server (e.g. oldcompandomain.com) , I'd set them up in the Recipient Access Table with "Bypass LDAP Query" checked (assuming the addresses aren't in your LDAP anywhere), and then create a separate mail policy for these emails under Mail Policies/Incoming Mail Policies, and create a content filter that sends a BCC to oldcompanmailbox@company.com and then drops the incoming mail. Be careful as this rule would apply to ALL mail that hits this policy, so maybe start with quarantining it to make sure you got it right, then switch that to drop?
You could change the recipient, but I suspect you want to retain who is getting mail at the old domains.

Go to solution
chasetan
Level 1
Level 1

‎03-21-2023 09:00 PM - edited ‎03-21-2023 09:02 PM

Hi Ken,

Actually this is for outbound mail. The use case is for a QA environment with live user data. What we'd like to happen is that when the ESA receives email for our internal domains (company.com), it will process them normally and send them to our mail servers.

When it receives anything we don't own (i.e. customer emails - gmail.com, yahoo.com, etc), we need to stop them from getting sent to the customer's actual address and instead rerout it into a mailbox on our internal domain (QA-mails@company.com.

I think you are on to something there with doing it via RAT, I just probably need to retool it to get it to do what I stated above.

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to chasetan

‎03-22-2023 04:56 AM

Are the QA boxes relaying directly through the ESA?
0 Helpful

Go to solution
chasetan
Level 1
Level 1
In response to Ken Stieers

‎03-22-2023 02:22 PM

Yes.

BTW, your initial solution works. Probably just need to streamline a bit further.

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to chasetan

‎03-22-2023 02:27 PM

Ok, cool.   Here's another way to do it from the point of view that the QA boxes are sending "outbound" mail to the outbound listener.

Assuming this is for your production ESAs, the outbound RAT may not help, you can’t really change the routing for “All other domains" without breaking mail delivery.

If all of the QA boxes are sending directly the ESA, under Network/Host Access Table, select your outbound listener, and create a new sender group (‘QABoxes’), with the IPs of your QA boxes in it.

The create a message filter (in the cli, not gui). 

QAmail:

If  (sendergroup == “QABoxes”)

{

    if (rctp-to != “company.com”)

    {

        Bcc(‘qa-mails@company.com);

        Drop():

    }

{

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents