cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Secure Email Support Community

Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.0.1-033
Cloud Gateway Email Status Portal Support & Downloads docs.ces.cisco.com
Email and Web Manager: 14.0.0-418
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in: 1.1.0.136
Encryption Bug Search
Encryption Plug-in: 1.2.1.167
Cloud Mailbox Notification Service
Outlook Add-in(s): More info

1055
Views
0
Helpful
5
Replies
kajinssa
Beginner

ESA Iron port: Whitelist senders with PRVS enabled on their mailboxes

Hello all, 

 

In our company we have some senders which hase some SPAM filters enabled on their mailboxes which means that our ESA Ironport as sender addresses sees something like this: prvs=6829960914=name.surname@domain.com 

We don't want to whitelist all domain, but just this one user mail address to go throught our filters. 

Examples for Incoming mail policies shows only (e.g. user@example.com, user@, @example.com, @.example.com) 

I have tried like *name.surname@domain.com but seems not working like that. 

 

So does anyone have solution for this? 

 

Thanks. 

 

5 REPLIES 5
Octavian Szolga
Participant

Hi,

Can you please be more specific? Those addresses are modified by ESA using a feature called bounce verification:

https://www.cisco.com/c/dam/en/us/products/collateral/security/esa-destination-control-and-bounce.pdf

 

If the sending domain also uses ESA, that's why you see those email with the prvs=6829960914 tag.

It's not exactly wise to skip spam based on a specific email address, although it's doable.

Usually, you skip spam engine before reaching Incoming Mail Policy, in HAT, by adding the sender domain or IP in a specific Sender Group that has attached a Mail Flow Policy that does not have SPAM engine enabled.

 

Still, going back to your scenario, have you tested your policy for let's say email sender prvs=6829960914=name.surname@domain.com  with only name.surname@domain.com in the Incoming Mail Policy?

I'm asking you this, because:

 

  • Sender address matches:
    • Envelope Sender (RFC821 MAIL FROM address)
    • Address found in the RFC822 From: header
    • Address found in the RFC822 Reply-To: header

I expect 'prvs' email to be in Envelope Sender field but not in From header, so I guess it would work.

 

BR,

Octavian

 

 

BR,
Octavian

Hello, 

 

I will try to whitelist like this prvs=6829960914=name.surname@domain.com  with only  name.surname@domain.com but I think I already tried it some time ago and it was still quarantined. Will let You know once get another mails from this affected sender. 

Hello Kajinssa,

 

To add - the prvs tagging is done by bounce verification - so as the email leaves your environment (assuming it's enabled) your environment will tag it - once the recipient replies; your device will strip (or should) strip the prvs tagging as it receives assuming it's a tagging your side did.

 

Now if the issue is this tag is done by another Cisco secure email customer and you're receiving it like this - you cannot strip the tagging as it's not your own tagging.

 

So to allow this email through and not get hit by quarantine - I would like to ask:

- Which quarantine is it matching? Is it anti-spam that flags it? or is it a content filter?

 

 

If it's anti-spam the only means that i can recommend is using a message filter which allows you to add the variables; incoming mail policies will match specific full usernames or domains only which as you shared is not ideal.

 

That means if you're on-prem just use the CLI and create a message filter to allow this email to skip anti-spam.

If you're on CES - you will need to either:

 

1) Get CLI access to your CES allocation and create the filter

2) Engage Cisco TAC to assist you in getting access/configuring the message filter with your consent.

 

A message filter could be:

Bypass_spam_user:

if mail-from =="username@domain.com"

{

skip-spamcheck();

}

.

 

Where the username is a contains rule and it should skip as long as this string is consistent.

If you use equals to then you need to have the prvs-tagging.

 

Thanks i hope this helps.

 

Regards,

Mathew

Hello Mathew, 

 

Thanks for Your input. Yes, this PRVS tag is done by other CISCO ESA and we are receiving email like this. And it is maching our Incoming mail policies - so Content filter. 

It could be easily resolved, if there will be possibilty to use * to catch all string which are after this char. 

 

Thanks. 

Hello @Octavian Szolga , 

So I tried to whitelist just  name.surname@domain.com but ESA ignore it, if sender address have this prvs tag at the begginning.