
ESA Iron port: Whitelist senders with PRVS enabled on their mailboxes

kajinssa
Level 1

Hello all,

In our company we have some senders who have spam filters enabled on their mailboxes, which means that our ESA IronPort sees sender addresses like this: prvs=6829960914=name.surname@domain.com

We don't want to whitelist the whole domain, just this one user's mail address, so that it goes through our filters.

The examples for Incoming Mail Policies show only (e.g. user@example.com, user@, @example.com, @.example.com)

I have tried *name.surname@domain.com, but it does not seem to work like that.

So does anyone have a solution for this?

Thanks.

 

5 Replies

Octavian Szolga
Level 4

Hi,

Can you please be more specific? Those addresses are modified by ESA using a feature called bounce verification:

https://www.cisco.com/c/dam/en/us/products/collateral/security/esa-destination-control-and-bounce.pdf

 

If the sending domain also uses ESA, that's why you see those emails with the prvs=6829960914 tag.

It's not exactly wise to skip spam based on a specific email address, although it's doable.

Usually, you skip the spam engine before reaching the Incoming Mail Policy, in HAT, by adding the sender domain or IP to a specific Sender Group that has a Mail Flow Policy attached which does not have the spam engine enabled.

 

Still, going back to your scenario, have you tested your policy for let's say email sender prvs=6829960914=name.surname@domain.com  with only name.surname@domain.com in the Incoming Mail Policy?

I'm asking you this, because:

 

  • Sender address matches:
    • Envelope Sender (RFC821 MAIL FROM address)
    • Address found in the RFC822 From: header
    • Address found in the RFC822 Reply-To: header

I expect 'prvs' email to be in Envelope Sender field but not in From header, so I guess it would work.

 

BR,

Octavian

 

 


Hello, 

 

I will try to whitelist it like this, prvs=6829960914=name.surname@domain.com with only name.surname@domain.com, but I think I already tried it some time ago and it was still quarantined. I will let you know once I get more mail from the affected sender.

Hello Kajinssa,

 

To add - the prvs tagging is done by bounce verification - so as the email leaves your environment (assuming it's enabled) your environment will tag it - once the recipient replies, your device will (or should) strip the prvs tagging as it receives it, assuming it's tagging your side did.

 

Now if the issue is this tag is done by another Cisco secure email customer and you're receiving it like this - you cannot strip the tagging as it's not your own tagging.

 

So to allow this email through and not get hit by quarantine - I would like to ask:

- Which quarantine is it matching? Is it anti-spam that flags it? or is it a content filter?

 

 

If it's anti-spam, the only means that I can recommend is using a message filter, which allows you to add the variables; incoming mail policies will match specific full usernames or domains only, which as you shared is not ideal.

 

That means if you're on-prem just use the CLI and create a message filter to allow this email to skip anti-spam.

If you're on CES - you will need to either:

 

1) Get CLI access to your CES allocation and create the filter

2) Engage Cisco TAC to assist you in getting access/configuring the message filter with your consent.

 

A message filter could be:

Bypass_spam_user:
if (mail-from == "username@domain.com")
{
    skip-spamcheck();
}
.

 

Where the username is a contains rule, and it should skip as long as this string is consistent.

If you use "equals to", then you need to have the prvs tagging.

Thanks, I hope this helps.

 

Regards,

Mathew
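An added example, not part of the original thread and not Cisco or ESA code: a Python sketch of the sender-matching problem discussed above, comparing a literal full-address match, a "contains" match, and a match that accepts the exact address with or without a prvs tag. The function names are hypothetical, the tag is assumed to be an opaque run of letters and digits, and the third sample address is constructed.

```python
import re

# Tagged envelope sender as shown in this thread: prvs=<tag>=<local>@<domain>
# Assumption: the tag is an opaque run of letters and digits.
PRVS_RE = re.compile(r"^prvs=[0-9A-Za-z]+=(.+@.+)$", re.IGNORECASE)

def strip_prvs(envelope_sender):
    """Return the address without a leading prvs tag, lower-cased."""
    addr = envelope_sender.strip().strip("<>")
    m = PRVS_RE.match(addr)
    return (m.group(1) if m else addr).lower()

def exact_match(envelope_sender, allowed):
    """Literal full-address comparison; a tagged sender never equals it."""
    return envelope_sender.lower() == allowed.lower()

def contains_match(envelope_sender, allowed):
    """Unanchored substring test, the 'contains' behaviour."""
    return allowed.lower() in envelope_sender.lower()

def tag_aware_match(envelope_sender, allowed):
    """Exact address match, with or without a prvs tag in front."""
    return strip_prvs(envelope_sender) == allowed.lower()

def anchored_pattern(allowed):
    """The same rule as one anchored regex, for rule engines that take a regex."""
    return r"^(prvs=[0-9A-Za-z]+=)?" + re.escape(allowed) + r"$"

def pattern_match(envelope_sender, allowed):
    """Apply the anchored regex to an envelope sender."""
    pat = anchored_pattern(allowed)
    return re.search(pat, envelope_sender, re.IGNORECASE) is not None

ALLOWED = "name.surname@domain.com"
SAMPLES = [
    "prvs=6829960914=name.surname@domain.com",       # from the thread
    "name.surname@domain.com",                       # untagged form
    "prvs=1234567890=othername.surname@domain.com",  # constructed: different mailbox
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, exact_match(s, ALLOWED), contains_match(s, ALLOWED),
              tag_aware_match(s, ALLOWED), pattern_match(s, ALLOWED))
```

The contains test also accepts the third sample, a different mailbox whose address ends in the same string, while the tag-aware and anchored forms accept only the intended address.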

Hello Mathew, 

 

Thanks for your input. Yes, this PRVS tag is done by another Cisco ESA and we are receiving email like this. And it is matching our Incoming Mail Policies - so Content filter.

It could be easily resolved if there were a possibility to use * to catch all strings which come after this char.

 

Thanks. 

Hello @Octavian Szolga , 

So I tried to whitelist just name.surname@domain.com, but ESA ignores it if the sender address has this prvs tag at the beginning.