09-23-2020 02:24 PM - last edited on 01-22-2021 11:40 AM by Jimena Saez
Ask questions from Wednesday, September 23 to Friday, October 02, 2020
09-28-2020 07:19 AM
Hi Stefan,
The suggestion is to use a message filter. According to the ESA pipeline, this verification occurs before the rest of the verifications, as shown below:
Message filters -> Anti-Spam -> Anti-Virus -> AMP -> Content Filters -> Outbreak Filters
Taking the example you mention:
Sample: mydomain.com
Homoglyph: mydomain.com (xn--mdomain-v2a.com)
A message filter can be configured as shown below:
drop_cousin_domains:
if (mail-from == '(?i)(mydominio\.com|mydomynio\.com|mydomynyo\.com|myd0minio\.com|myd0mini0\.com|myd0myny0\.com)$') {
    notify('stefan@stefandomain.com');
    drop();
}
The filter tells us that any match with any of the cousin (lookalike) domains shown above will be notified and discarded. The regex can grow according to the domain and possible matches.
The information shared and the tests performed were verified from the devices in a specific lab environment, starting with a default one. If your network is active, make sure you understand the potential impact of any command when testing.
Our suggestion is always to keep a monitored change control. Hope this information is helpful. I share the following link where you can find more information about Message filters:
Regards,
Erika
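The pattern in the filter above is easy to get wrong by hand (unescaped dots, missing anchors, Unicode homoglyphs that the envelope sender actually carries in punycode form). The following Python helper, added here as an illustration and not code from the thread or from Cisco, builds the `mail-from` regex from a list of cousin domains, renders a complete filter, and checks sample senders against it; the filter name and the domain list are constructed placeholders, and the `xn--` entry is the homoglyph form quoted in the post.

```python
import re

# Constructed list of cousin (lookalike) domains for the thread's sample domain;
# the punycode entry is the homoglyph form quoted in the post.
COUSIN_DOMAINS = [
    "mydominio.com", "mydomynio.com", "mydomynyo.com",
    "myd0minio.com", "myd0mini0.com", "myd0myny0.com",
    "xn--mdomain-v2a.com",
]


def to_ascii_domain(domain):
    """Return the ASCII (punycode) form of a domain, which is what the
    envelope sender normally carries. A Unicode homoglyph domain is
    converted to its xn-- form; an already-ASCII domain is returned as is."""
    return domain.encode("idna").decode("ascii")


def build_mail_from_regex(domains):
    """Build the pattern for an ESA 'mail-from ==' test.

    re.escape turns each '.' into a literal dot, so mydominio.com no longer
    matches mydominioXcom; '@' anchors the pattern to the domain part of the
    sender and '$' to the end of the address, so notmydominio.com and
    mydominio.com.example do not match either.
    """
    alternatives = "|".join(re.escape(to_ascii_domain(d)) for d in domains)
    return "(?i)@(" + alternatives + ")$"


def render_message_filter(name, domains, notify_addr):
    """Render a complete ESA message filter (the name is a placeholder)."""
    regex = build_mail_from_regex(domains)
    return (
        f"{name}:\n"
        f'if (mail-from == "{regex}") {{\n'
        f'    notify("{notify_addr}");\n'
        f"    drop();\n"
        f"}}"
    )


def sender_matches(regex, mail_from):
    """Check one envelope sender the way the filter would (case-insensitive)."""
    return re.search(regex, mail_from) is not None


if __name__ == "__main__":
    print(render_message_filter("drop_cousin_domains", COUSIN_DOMAINS,
                                "stefan@stefandomain.com"))
```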
09-25-2020 10:09 AM
Hi Erika,
Thanks for this question and answer forum. I would like to know how many layers of authentication/verification ESA has.
Regards, JMD
Note: This question is a translation of a post originally generated in French by JeanMD. It has been translated by the Cisco Community to share the question and solution in different languages.
09-28-2020 07:20 AM
Hi Jean,
Throughout the email processing, the email is being analyzed and verified, from the email input (start) to the email output (end). I would like to show email processing in three phases:
• Receipt: When the device connects to a remote host to receive incoming email, it adheres to configured limits and other receipt policies. For example, it verifies that the host can send mail to users, enforces limits on incoming messages and connections, and validates the recipient of the message.
• Work queue: The device processes incoming and outgoing mail, performing tasks such as filtering, safelist/blocklist scanning, anti-spam and antivirus scanning, outbreak filtering, and quarantine.
• Delivery: As the device connects to send outgoing email, it adheres to configured delivery limits and policies.
In a generalized way, we could say that the verification is as follows:
IncomingEmail -> Reputation (SBRS / SDR / IPAS) -> HAT -> SPF / DKIM / DMARC -> RAT
Then according to the configuration of your box:
Message filters -> Anti-Spam -> Anti-Virus -> AMP -> Content Filters -> Outbreak Filters
I hope this information is useful for you. I leave you a link where the ESA pipeline is described in detail.
09-28-2020 04:41 PM
How can I control my mail flow from different domains and implement different security actions on them?
Alain
Note: This question is a translation of a post originally generated in French by AlainDC010. It has been translated by the Cisco Community to share the question and solution in different languages.
10-01-2020 07:06 AM
Hi Alain,
The ESA has the ability to configure actions according to both incoming and outgoing emails. There are two points from where you can take actions according to the domain you receive or send.
1. "Mail Flow Policies" - From here you can indicate mail flow limits, that is, connections allowed per hour, spam detection, DKIM and SPF verification, as well as the use of TLS. Then you create a sender group and place the domains / IPs within it to be validated according to your configuration.
2. "Incoming Mail Flow Policies" and "message filters" - The message filter is a checkpoint just before the Incoming Mail Flow Policies; everything you put in a message filter will be verified for your entire mail universe. Incoming Mail Flow Policies can be configured to match senders, recipients or a specific combination of both.
For example:
user1@domain1.com to user2@domain2.com
When matching with these policies, different security actions can be configured in each of them, such as activating or deactivating tools such as Anti-Spam, AntiVirus, among others, or even setting specific configurations of the security tools as best suit the needs of your organization.
Below you can find the documentation with a clearer and broader description:
Regards
09-29-2020 07:20 AM
Is mail flow affected by increasing defaults for scanned files larger than 2MB?
Note: This question is a translation of a post originally generated in Spanish by Didier M. It has been translated by the Cisco Community to share the question and solution in different languages.
10-01-2020 07:07 AM
Hi Didier,
To answer this question, it is necessary to take into account the recommended values of each tool.
In this specific case, speaking of engines like AntiSpam and Outbreak Filters, the recommended value for scanning is a maximum of 2MB, since scanning larger messages can affect the processing of messages because it would occupy more device resources. In the case of File Reputation, files larger than 50 MB may be treated as unscannable.
These values can change and, as I have mentioned, it will depend on the mail flow that passes through the ESA and also on its model. Taking these parameters into account, it can be increased a little more than 2MB without affecting message processing, even up to 10MB as the "never scan files larger than" value.
The suggested value is 2MB but if the needs of your organization require another configuration, the recommendation is to go with small changes, keeping track of changes and monitoring.
I leave you a link with more information about it:
There are more tools within the device going through the entire security pipeline (filters) that will help us prevent any threat. I invite you to consult this information within the configuration guide.
Regards,
Erika
09-30-2020 07:18 AM
Hi Erika!
I have a question, regarding the control of e-mail traffic, what is the advantage or disadvantage of modifying the rate limit within pre-configured policies such as ACCEPT, THROTTLED, etc.?
Thank you!
Note: This question is a translation of a post originally created in Spanish by JoseAlvarado84102. It was translated by the Cisco Community to share the query and its solution in different languages.
10-01-2020 07:08 AM
Hello Jose,
The values configured by default are proposed in order to avoid attacks such as Directory Harvest Attack, DoS, excess SPAM, among others. The rate limit gives you the margin of how much traffic you are allowing to pass through each message that matches a certain policy.
ESA > Mail Flow Policies > Mail policy (shared below): Rate Limit for Hosts
There are 4 mail flow policies defined by default in the public listeners:
ACCEPTED
BLOCKED
THROTTLED
TRUSTED
Each of them has different rate limit settings according to their level of reliability. If you manipulate these values and fall into a "bad configuration" you can start losing legitimate emails that you want to receive and start seeing logs like:
Rejected by receiving controls
Too many connections from your host (external)
If for some reason, the default configuration does not meet the needs of your organization, the recommendation is to keep track of changes, make small changes and monitor your devices to customize these settings without falling into unexpected results.
I hope the information shared is helpful. To learn more about it, I share the following links:
Greetings,
10-01-2020 07:00 AM
Hi Erika,
I have one more question:
Can I receive alerts when an email is sent to quarantine?
Note: This question is a translation of a post originally generated in Portuguese by Olipo. It has been translated by the Cisco Community to share the question and solution in different languages.
10-02-2020 06:38 AM
Hello Olipo,
Yes, you can notify the people you want when an email is sent to quarantine. A very particular quarantine that has some default values is the spam quarantine, so you will have to verify the settings of this quarantine independently of the actions that you configure for the rest (PVO).
Spam quarantine gives you the ability to send notifications every day at the same time to all end users, and end users can also release emails and customize their own safelist/blocklist (SLBL). On the other hand, for the rest of the custom quarantines (PVO) you will be able to decide who will be notified through the content filters. Unlike spam quarantine, users will not be able to access these messages even if they are notified.
I hope the information shared is helpful. I leave you the reference links for the quarantine configuration.
Greetings,
10-02-2020 06:42 AM
Hi Erika, a couple of questions ...
I understand that Email Security protects my mailboxes from all mail entering them.
Do you also inspect the mail that I send, to avoid that due to some situation I send spam or even some malware or virus to other organizations? Can CES protect or inspect internal mail, that is, mail sent between users in the same organization?
Greetings,
Note: This question is a translation of a post originally generated in Spanish by iasJaimeAl. It has been translated by the Cisco Community to share the question and solution in different languages.
10-02-2020 06:44 AM
Hi Jaime,
Yes, the ESA device has the ability to inspect both inbound and outbound email through its settings of:
"Incoming mail policies"
"Outgoing mail policies"
In both you can create custom policies for certain users or domains and they go through the engines of:
Anti-spam, Anti-Virus, AMP, Graymail, Content Filters, Outbreak Filters and, in the case of outbound policies, also DLP for the protection of personal data. In an outgoing email it is not necessary to activate all the engines; the protection is usually more robust at the entrance, and it is suggested to use and verify TLS in your communication, to encrypt it and protect it between domains.
Answering your second question, generally CES and ESA are not suggested for handling internal traffic. These devices are thought of more as an edge device that offers you robustness and protection with advanced tools that allow you to protect your domain from external attacks.
I share the guide with more detailed information about the configuration of incoming and outgoing policies:
Regards,
10-02-2020 08:18 AM
Hi Erika ...
What is better? Traditional Licenses vs Smart Licenses?
Note: This question is a translation of a post originally written in Spanish by Didier M. It was translated by the Cisco Community to share questions and solutions in different languages.
10-05-2020 07:59 AM
Hi Didier,
Smart Licensing is intended to enhance the customer experience on their journey through Cisco products. It seeks to simplify licensing tasks through a centralized and automated system. However, we must take into account for the ESA device that once the change from classic to smart license is made, there is no revert process. We can also run into different errors if we do not follow the established process for this change. So, to get the most out of this experience, I suggest taking a look at the guides and existing information before making the switch to a smart license.
I share a link with a video and a guide to make this change successfully.