Ask questions from Wednesday, September 23 to Friday, October 02, 2020
What does Active Recipients mean?
Note: This question is a translation of a post originally generated in Spanish by Didier M. It has been translated by the Cisco Community to share the question and solution in different languages.
The Active Recipients option within the ESA allows you to view the message queue by delivery host; that is, it gives you an overview of the messages waiting to be delivered, per domain. This information can be accessed through the CLI connection, with the command: tophost> active recipients.
The tophost command is quite useful, since it allows you to review, in addition to the messages pending delivery (Active Recipients), the domains that are unreachable or down.
Hope this information is helpful. I am sharing a link with information on email delivery, verification and monitoring:
How can I protect myself from attacks on my domain?
Note: This question is a translation of a post originally generated in French by Nono82. It has been translated by the Cisco Community to share the question and solution in different languages.
Excellent question. Cisco ESA offers a layered protection model that allows us to protect our domain from various types of attacks. I would divide the answer as follows:
1- SMTP Server - Cisco ESA protects us against:
- Directory Harvest attacks
- IPs and fictitious or disreputable domains
- Phishing and spoofing (DMARC, DKIM and SPF)
2- Mail processing (work queue) - the ESA engines verify the content of the mail: the headers, the attachments, and the body/content (Anti-Spam, Anti-Virus, Graymail detection, Content Filters, Data Loss Prevention for outgoing email, Outbreak Filters).
3- SMTP Client - at this point we find DKIM signing, email encryption for sensitive data, and limits for outgoing email.
Hope this information is helpful. Remember that the ESA offers visibility and domain protection for both incoming and outgoing mail. I am sharing the configuration guide for the current version of the appliance:
Is there something in the ESA configuration that helps us manage and control the attachments with internal URLs?
Note: This question is a translation of a post originally generated in Portuguese by Olipo. It has been translated by the Cisco Community to share the question and solution in different languages.
In short, Cisco ESA provides a very useful function called "URL Filtering". It is enabled from: ESA -> Security Services -> URL Filtering
For it to work properly, it requires Outbreak Filters to be enabled: Security Services -> Outbreak Filters
The URL filtering function is very extensive: it allows you to validate the URLs that appear in each email, see which URLs have been clicked by users, and scan them in the body of the email as well as in email attachments.
As of ESA version 11.1, URL scanning in attachments is available. You can configure the appliance to search for URLs in message attachments and perform the configured actions on those messages.
I am sharing two links that may be useful for configuring this feature:
I have a query. I have a WSA (Web Security Appliance) which I activated because it was completely deactivated; I have already configured the administration part of the device, etc. I suffered a lot with the WCCP part, but it is now configured, with only one problem: when I configure WCCP with ports 80 and 443 for service ID 90, and then the web proxy with the same ports, all the traffic reaches the WSA but does not go out to the Internet; that is, the users on my LAN browse the web but get no responses from the pages. To fix that, I configured the HTTPS proxy part, in which I had to put an auto-generated certificate, and with that configuration the users could access the web pages, but with one detail: the pages are shown as unsafe. That is, they have to manually go to the advanced settings and choose to proceed anyway so that the web page opens; not on all pages, but on most of them.
My first query: can it be configured without using the HTTPS proxy, so that all web browsing works normally? If the HTTPS proxy configuration has to be used, is the fact that some pages appear to me as not secure a problem caused by my certificate being auto-generated? Do I have to buy a certificate? Or is it some configuration, of the threshold or something like that, that is making some pages come out as secure and others not?
Note: the pages that show as not secure are completely secure pages, from a couple of newspapers in my country and from some pages of national institutions in my country, something that would have no problem in any browser.
Generating a certificate generally means that the client's browser will complain about the certificate for every connection to an HTTPS website. To avoid this, you can upload a certificate file and its corresponding private key file to the device, if you have a certificate that is trusted by your organization. If users already have this certificate loaded on their machines, the HTTPS proxy will not generate Unknown Certificate Authority errors.
As a second option, instead of adding a company root certificate to the WSA, you can tell the users in the organization to accept the root certificate provided by the WSA as a trusted source.
I am sharing a best practices guide for the product, hoping it will be useful for you:
Hello, thank you very much for your answer. I still have some doubts. When you tell me "...you can upload a certificate file and its corresponding private key file to the device if you have a certificate that is trusted by your organization...", do you mean a private (purchased) certificate, i.e. that my organization buys a certificate and places it in the WSA? If so, is there any way for my LAN users to no longer see an unsecured page without having to buy said certificate? Any special policy? Something in the settings?
Dear sir, I managed to solve my problem. The issue was in the reputation part of the web policies; that is why the unsafe warning came out. The threshold was adjusted and the problem was fixed.
Thank you very much for your help.
Is the ESA able to verify and scan files attached to an email when they are compressed?
Note: This question is a translation of a post originally generated in Spanish by jossanc3. It has been translated by the Cisco Community to share the question and solution in different languages.
Thank you for your participation in this forum. I confirm that yes, the ESA is capable of verifying and scanning attached files. It can check a zip, or a zip within another zip, etc. The antivirus component has an inline decompressor to scan compressed files. There is also the content filters tool, which helps us analyze the content of the files and will take an action if they contain a file that matches the configured rule.
Hope this information is helpful.
I am sharing the following links where you can find more information:
Virus Detection Engine:
Content Filter Actions:
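The answer above describes two pieces working together: a decompressor that opens archives (including a zip inside a zip) and a content rule that acts on what is found inside. The following is an added example, not code from the thread and not Cisco's engine; it walks an e-mail's attachments, recurses into nested zips with a depth cap and an inflate budget (the guards a scanner needs against deep nesting and decompression bombs), records password-protected entries it cannot open, and applies an assumed rule (flag executable extensions or a PE "MZ" header). The rule, the limits and the sample message are all constructed here.

```python
"""Added example (not code from the thread or from Cisco): unpack an e-mail's
attachments the way a decompressor-backed scanner does and apply a content
rule. The rule, the limits and the sample message are assumptions made here."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

MAX_DEPTH = 5                   # do not open archives nested deeper than this
MAX_UNPACKED = 10 * 1024 ** 2   # total bytes we are willing to inflate (bomb guard)
FLAGGED_EXTENSIONS = (".exe", ".scr", ".js", ".vbs")  # assumed content rule
PE_MAGIC = b"MZ"                # DOS/PE header: catches renamed executables too


def scan_blob(name, data, depth, findings, budget):
    """Inspect one file and recurse into zip archives. Returns the remaining
    inflate budget so the caller can stop when a bomb exhausts it."""
    if name.lower().endswith(FLAGGED_EXTENSIONS) or data.startswith(PE_MAGIC):
        findings.append((depth, name, "flagged"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return budget
    if depth >= MAX_DEPTH:
        findings.append((depth, name, "too-deep"))   # refuse to recurse further
        return budget
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > budget:               # declared size exceeds what is left
                findings.append((depth + 1, info.filename, "size-limit"))
                return 0
            budget -= info.file_size
            try:
                member = zf.read(info)
            except RuntimeError:                      # password-protected entry
                findings.append((depth + 1, info.filename, "encrypted"))
                continue
            budget = scan_blob(info.filename, member, depth + 1, findings, budget)
    return budget


def scan_message(raw):
    """Return [(depth, filename, verdict), ...] for every rule hit in the mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, budget = [], MAX_UNPACKED
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        budget = scan_blob(part.get_filename() or "unnamed", data, 0, findings, budget)
    return findings


def build_zip(entries):
    """Helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message():
    """Constructed sample: a zip inside a zip hiding a renamed executable."""
    inner = build_zip({"invoice.pdf.exe": PE_MAGIC + b"\x90" * 64, "readme.txt": b"hi"})
    outer = build_zip({"inner.zip": inner, "notes.txt": b"nothing here"})
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "documents"
    msg.set_content("See attached.")
    msg.add_attachment(outer, maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for depth, name, verdict in scan_message(build_sample_message()):
        print(f"depth={depth} file={name} verdict={verdict}")
```

The sample mail produces a single hit two levels down (`invoice.pdf.exe` inside `inner.zip` inside `docs.zip`). The "encrypted" verdict matters in practice: an archive the decompressor cannot open is exactly where a content filter has to fall back to a policy decision (quarantine, strip, or notify) rather than a content match.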
What would you recommend to detect and reject/drop messages whose envelope sender and/or From header contains a cousin domain with homoglyphs?
Homoglyph: mýdomain.com (xn--mdomain-v2a.com)
Is it better to detect it with a message filter or with a content filter?
Should I use a dictionary, or should the regex be typed directly in the conditions?
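The question above goes unanswered on the page. As an added example (not a reply from the thread and not Cisco filter code), the following Python shows the core of any homoglyph check: decode the A-label form the SMTP conversation actually carries (`xn--mdomain-v2a.com` in the question) back to Unicode, collapse look-alike characters onto an ASCII "skeleton", and compare that skeleton with the protected domain for both the envelope sender and the From: header. The protected domain `mydomain.com`, the small confusables table and the sample message are assumptions constructed here; a real deployment would load the full Unicode confusables list.

```python
"""Added example (not from the thread or from Cisco): collapse look-alike
domains onto an ASCII "skeleton" and flag cousins of a protected domain in
both the envelope sender and the From: header. The protected domain, the
confusables subset and the sample message are assumptions made here."""
import email
import unicodedata
from email import policy
from email.utils import parseaddr

PROTECTED_DOMAIN = "mydomain.com"   # assumption: an ASCII domain we own

# Hand-picked subset of Unicode confusables (assumption; a real deployment
# would load the full Unicode confusables.txt table).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0131": "i",  # Latin dotless i
    "\u0142": "l",  # Latin l with stroke
}


def to_unicode_domain(domain):
    """Turn A-labels (xn--...) back into their Unicode form, label by label."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass                      # malformed punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """ASCII skeleton: decode punycode, map confusables, strip accents."""
    out = []
    for ch in to_unicode_domain(domain):
        ch = CONFUSABLES.get(ch, ch)
        # NFKD splits 'ý' into 'y' + combining acute; drop the combining mark
        for piece in unicodedata.normalize("NFKD", ch):
            if not unicodedata.combining(piece):
                out.append(piece)
    return "".join(out)


def is_cousin(domain):
    """True when the domain is not ours but collapses onto our domain."""
    d = domain.lower().rstrip(".")
    return d != PROTECTED_DOMAIN and skeleton(d) == PROTECTED_DOMAIN


def domain_of(addr):
    """Domain part of 'Name <user@host>' or 'user@host'."""
    return parseaddr(addr)[1].rpartition("@")[2]


def check_message(envelope_sender, raw):
    """Check MAIL FROM and the From: header; both are what a filter sees."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for where, value in (("mail-from", envelope_sender), ("from-header", str(msg["From"]))):
        dom = domain_of(value)
        verdicts[where] = {"domain": dom, "skeleton": skeleton(dom), "cousin": is_cousin(dom)}
    return verdicts


# Constructed sample: the homoglyph from the question, in the A-label form
# that the SMTP conversation carries it in.
SAMPLE_MAIL_FROM = "<billing@xn--mdomain-v2a.com>"
SAMPLE_MESSAGE = b"""From: "Accounts Payable" <billing@xn--mdomain-v2a.com>
To: <someone@mydomain.com>
Subject: Invoice overdue

Please open the attached invoice.
"""

if __name__ == "__main__":
    print("m\u00fddomain.com ->", "m\u00fddomain.com".encode("idna").decode())
    for where, verdict in check_message(SAMPLE_MAIL_FROM, SAMPLE_MESSAGE).items():
        print(where, verdict)
```

Two practical points follow from the code. First, the appliance sees the envelope sender in its A-label (`xn--...`) form, so whatever a message or content filter is keyed on (a dictionary of known cousins or a regex in the condition) must match that form; the `.encode("idna")` round-trip above is one way to generate those dictionary entries from the Unicode look-alikes you care about. Second, a regex on the raw punycode cannot express "looks like my domain"; the skeleton comparison is what does that, so a dictionary of pre-computed cousins is the closer fit when the filter language only offers literal or regex matching.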