|Product Support||Talos Support||Cisco Support||Reference +||Current Release|
|Gateway||Reputation Lookup||Open a support case||Secure Email Guided Setup|
|Cloud Gateway||Email Status Portal||Support & Downloads||docs.ces.cisco.com|
|Email and Web Manager||Web & Email Reputation||Worldwide Contacts||Product Naming Quick Reference|
|Cloud Mailbox||Notification Service|
In our company we have some senders which hase some SPAM filters enabled on their mailboxes which means that our ESA Ironport as sender addresses sees something like this: firstname.lastname@example.org
We don't want to whitelist all domain, but just this one user mail address to go throught our filters.
Examples for Incoming mail policies shows only (e.g. email@example.com, user@, @example.com, @.example.com)
I have tried like *firstname.lastname@example.org but seems not working like that.
So does anyone have solution for this?
Can you please be more specific? Those addresses are modified by ESA using a feature called bounce verification:
If the sending domain also uses ESA, that's why you see those email with the prvs=6829960914 tag.
It's not exactly wise to skip spam based on a specific email address, although it's doable.
Usually, you skip spam engine before reaching Incoming Mail Policy, in HAT, by adding the sender domain or IP in a specific Sender Group that has attached a Mail Flow Policy that does not have SPAM engine enabled.
Still, going back to your scenario, have you tested your policy for let's say email sender email@example.com with only firstname.lastname@example.org in the Incoming Mail Policy?
I'm asking you this, because:
I expect 'prvs' email to be in Envelope Sender field but not in From header, so I guess it would work.
I will try to whitelist like this email@example.com with only firstname.lastname@example.org but I think I already tried it some time ago and it was still quarantined. Will let You know once get another mails from this affected sender.
To add - the prvs tagging is done by bounce verification - so as the email leaves your environment (assuming it's enabled) your environment will tag it - once the recipient replies; your device will strip (or should) strip the prvs tagging as it receives assuming it's a tagging your side did.
Now if the issue is this tag is done by another Cisco secure email customer and you're receiving it like this - you cannot strip the tagging as it's not your own tagging.
So to allow this email through and not get hit by quarantine - I would like to ask:
- Which quarantine is it matching? Is it anti-spam that flags it? or is it a content filter?
If it's anti-spam the only means that i can recommend is using a message filter which allows you to add the variables; incoming mail policies will match specific full usernames or domains only which as you shared is not ideal.
That means if you're on-prem just use the CLI and create a message filter to allow this email to skip anti-spam.
If you're on CES - you will need to either:
1) Get CLI access to your CES allocation and create the filter
2) Engage Cisco TAC to assist you in getting access/configuring the message filter with your consent.
A message filter could be:
if mail-from =="email@example.com"
Where the username is a contains rule and it should skip as long as this string is consistent.
If you use equals to then you need to have the prvs-tagging.
Thanks i hope this helps.
Thanks for Your input. Yes, this PRVS tag is done by other CISCO ESA and we are receiving email like this. And it is maching our Incoming mail policies - so Content filter.
It could be easily resolved, if there will be possibilty to use * to catch all string which are after this char.