Showing results for 
Search instead for 
Did you mean: 
Community Manager

Email Security Appliance- AMA

This topic is a chance to clarify your questions about Cisco Email Security Appliance (ESA) solutions

To participate in this event, please use the reply-button.pngbutton below to ask your questions

Ask questions from Wednesday, September 23 to Friday, October 02, 2020

Clear up all your Email Security Appliance doubts. Questions related to Security are welcome.
Email threats continue to present security challenges for all organizations. Cisco Email Security Appliance (ESA) is an email security gateway introduced by Cisco to provide a solution to these difficult challenges. Protect your email against today's threats and vulnerabilities, including: spam, phishing, compromised business email (BEC), malware, data loss, and ransomware, as well as the option to encrypt your most important information. And with the new normal, data is considered the most important asset of a company and a person, therefore a broad understanding of the ESA pipeline will provide us with the skills and tools to know how our email is processed and what they are the best setup practices.

Featured Experts
IMG_7224.JPG 2020-09-23 16.08.31.pngErika Valverde studied Communications and Electronics with a specialization in Control and Automation at the Instituto Politécnico Nacional (IPN) in Mexico City. She is currently an engineer at Cisco TAC. He has been working with security for 3 years and has the current CCNP Security certification among other related courses such as python, linux, virtualization, etc. She works on automation, content publishing, documentation and video initiatives for ESA technology. Among other things, she is vice president of public relations (PR) for the Cisco Toastmasters Club. She enjoys playing chess and finds the joy of working as a team.

For more information, visit the Email Security category.

Do you know you can get answers before opening a TAC case by visiting the Cisco Community?  


**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to Questions

Hi Stefan,

The suggestion is to use a message filter. According to the ESA pipeline, the verification occurs before the rest of the verifications, as we have shown:

Message filters -> Anti-Spam -> Anti-Virus -> AMP -> Content Filters -> Outbreak Filters

Taking the example you mention:


Homoglyph: (

A message filter can be configured as shown below:

if (mail-from == '(?i)(|||||$' )

The filter tells us that any match with any of the prime domains shown above will be notified and discarded. The regex can grow according to the domain and possible matches.

The information shared and the tests performed were verified from the devices in a specific lab environment, starting with a default one. If your network is active, make sure you understand the potential impact of any command when testing.

Our suggestion is always to keep a monitored change control. Hope this information is helpful. I share the following link where you can find more information about Message filters:



Community Manager

Hi Erika,

Thanks for this question and answer forum. I would like to know how many layers of authentication/verification does ESA has?

Regards. JMD

Note: This question is a translation of a post originally generated in French by JeanMD. It has been translated by the Cisco Community to share the question and solution in different languages.


Hi Jean,

Throughout the email processing, the email is being analyzed and verified, from the email input (start) to the email output (end). I would like to show email processing in three phases:

• Receipt - When the device connects to a remote host to receive incoming email, it adheres to configured limits and other receipt policies. For example, verify that the host can send mail to users, enforce limits on incoming messages and connections, and validate the recipient of the message.

• Work queue: the device processes incoming and outgoing mail, performing tasks such as filtering, safe / blocked list scanning, anti-spam and antivirus scanning, outbreak filtering, and quarantine.

• Delivery: As the device connects to send outgoing email, it adheres to configured delivery limits and policies.

In a generalized way, we could say that the verification is as follows:

IncomingEmail -> Reputation (SBRS / SDR / IPAS) -> HAT -> SPF / DKIM / DMARC -> RAT

Then according to the configuration of your box:

Message filters -> Anti-Spam -> Anti-Virus -> AMP -> Content Filters -> Outbreak Filters

I hope this information is useful for you. I leave you a link where the ESA pipeline is described in detail.

Community Manager


How can I control my mail flow from different domains and implement different security actions on them?


Note: This question is a translation of a post originally generated in French by AlainDC010 It has been translated by the Cisco Community to share the question and solution in different languages.


Hi Alain,
The ESA has the ability to configure actions according to both incoming and outgoing emails. There are two points from where you can take actions according to the domain you receive or send.

1. "Mail Flow Policies" - From here you can indicate mail flow limits, that is connections allowed per hour, spam detection, dkim and spf verification as well as the use of TLS. Then you create a sender group, and place the domains / IPs within it to be validated according to your configuration.

2. "Incoming Mail Flow Policies" and "message filters" - The message filter is a checkpoint just before the Incoming mail flow policies, everything you put in a message filter will be verified for your entire mail universe. Incoming Mail Flow Policies can be configured to match senders, recipients or a specific combination of both.
For example: to
When matching with these policies, different security actions can be configured in each of them, such as activating or deactivating tools such as Anti-Spam, AntiVirus, among others, or even setting specific configurations of the security tools as best. suit the needs of your organization.

Below you can find the documentation with a clearer and broader description:


Community Manager

Is mail flow affected by increasing defaults for scanned files larger than 2MB?

Note: This question is a translation of a post originally generated in Spanish by Didier M. It has been translated by the Cisco Community to share the question and solution in different languages.


Hi Didier,
To answer this question, it is necessary to take into account the recommended values ​​of each tool.
In this specific case, speaking of engines like AntiSpam and Outbreak filters, the recommended value for scanning is a maximum of 2MB, since it can affect the processing of messages because it would be occupying more device resources when scanning larger messages. In the case of File reputation, files larger than 50 MB may be treated as: unscannable.
These values ​​can change and as I have mentioned it will depend on the mail flow that passes through the ESA and also on its model, taking into account these parameters, it can be increased a little more than 2MB without affecting message processing, even up to 10MB as "never scan files larger than" value.

The suggested value is 2MB but if the needs of your organization require another configuration, the recommendation is to go with small changes, keeping track of changes and monitoring.

I leave you a link with more information about it:

There are more tools within the device going through the entire security pipeline (filters) that will help us prevent any threat. I invite you to consult this information within the configuration guide.



Community Manager

Hi Erika!

I have a question, regarding the control of e-mail traffic, what is the advantage or disadvantage of modifying the rate limit within pre-configured policies such as ACCEPT, THROTTLED, etc.?

Thank you!

Note: This question is a translation of a post originally created in Spanish by JoseAlvarado84102. It was translated by the Cisco Community to share the query and its solution in different languages.



Hello Jose,

The values ​​configured by default are proposed in order to avoid attacks such as Directory Harvest Attack, DoS, excess SPAM, among others. The rate limit gives you the margin of how much traffic you are allowing to pass through each message that matches a certain policy.

ESA> Mail Flow Policies> Mail policy (shared below): Rate Limit for Hosts

There are 4 mail flow policies defined by default in the public listeners

Each of them has different rate limit settings according to their level of reliability. If you manipulate these values ​​and fall into a "bad configuration" you can start losing legitimate emails that you want to receive and start seeing logs like:

Rejected by receiving controls

Too many connections from your host (external)

If for some reason, the default configuration does not meet the needs of your organization, the recommendation is to keep track of changes, make small changes and monitor your devices to customize these settings without falling into unexpected results.

I hope the information shared is helpful. To learn more about it, I share the following links:



Community Manager

Hi Erika,

I have one more question:

Can I receive alerts when an email is sent to quarantine?

Note: This question is a translation of a post originally generated in Portuguese by Olipo. It has been translated by the Cisco Community to share the question and solution in different languages.


Hello Olipo,

Yes, you can notify the people you want when an email is sent to quarantine. A very particular quarantine that has some default values ​​is the spam quarantine. So you will have to verify the settings of this quarantine independent of the actions that you configure for the rest (PVO).

Spam quarantine gives you the ability to send notifications every day at the same time to all end users, so also end users can release emails and customize their own spam mailing list (SLBL). On the other hand, for the rest of the custom quarantines (PVO) you will be able to decide who will be notified through the content filters. Unlike spam quarantine, users will not be able to access these messages even if they are notified.

I hope the information shared is helpful. I leave you the reference links for the quarantine configuration.


Community Manager

Hi Erika, a couple of questions ...

I understand that Email Security protects my mailboxes from all mail entering them.

Do you also inspect the mail that I send to avoid that due to some situation I send spam or even some malware or virus to other organizations?Can CES protect or inspect internal mail, that is, mail sent between users in the same organization?


Note: This question is a translation of a post originally generated in Spanish by iasJaimeAl. It has been translated by the Cisco Community to share the question and solution in different languages.


Hi Jamie,

Yes, the ESA device has the ability to inspect both inbound and outbound email through its settings of:

"Incoming mail policies"

"Outgoing mail policies"

In both you can create custom policies for certain users or domains and they go through the engines of:

Anti-spam, Anti-Virus, AMP, Graymail, Content Filters, OutbreakFilters and in the case of outbound policies, also accounts with DLP for the protection of personal data. In an outgoing email it is not necessary to activate all the engines, the protection is usually more robust at the entrance and it is suggested to use and verify TLS in your communication, to encrypt it and protect it between domains.

Answering your second question, generally CES and ESA are not suggested for handling internal traffic. These devices are thought more as an edge team that offers you robustness and protection with advanced tools that allow you to protect your domain from external attacks.

I share the guide with more detailed information about the configuration of incoming and outgoing policies:


Community Manager

Oi Erika ...

What is better? Traditional Licenses vs Smart Licenses?

Note: This question is a translation of a post originally written in Spanish by Didier M. It was translated by the Cisco Community to share questions and solutions in different languages.


Hi Didier,

Smart license is intended to enhance the customer experience on their journey through Cisco products. It seeks to simplify licensing tasks through a centralized and automated system. However, we must take into account for the ESA device that once the change from classic to smart license is made, there is no revert process. We can also incur different errors if we do not follow the established process for this change. So to get the most out of this experience I suggest taking a look at the guides and existing information before making the switch to a smart license.

I share a link with a video and a guide to make this change successfully.

As part of a series on the new features in AsyncOS 12.0 for Cisco Email Security, this video looks at the Smart Licensing feature. To learn more, visit http:...
Content for Community-Ad