Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8339
Views
15
Helpful
12
Replies

ESA - Tag body of emails EXTERNAL with exceptions

Go to solution
lsmarchig
Level 1
Level 1

‎01-02-2018 09:06 AM - edited ‎03-08-2019 07:30 PM

Hi,

 

I've found a few posts on adding external to subject line. I am able to also do the same to the body of the email using an incoming content filter with an action of Add Disclaimer Text. But is there a way to exclude a list of outside domains that we wouldn't want to apply this action too. I know you cannot perform a not condition on a dictionary using Content filters. Could you apply a not condition on a dictionary using message filters? Or is there another way of using a content filter to exclude these domains? Would i need to create a new incoming policy rule to exclude them?

 

thanks

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
marc.luescherFRE
Spotlight
Spotlight
In response to dmccabej

‎01-03-2018 02:12 PM

Correct

Inserting a custom header breaks the SMIME encryption and signatures. There
is also an issue with certain ICAL messages so you might need to exclude
them as well. Just working on that issue as we speak.


View solution in original post

0 Helpful

Go to solution
AykutKurtay3707
Level 1
Level 1
In response to marc.luescherFRE

‎05-12-2020 01:32 PM

Hi All,

 

I am quite new to CES environment. I have via GUI applied a disclaimer however now we need to whitelist indeed some domains. 

when i see the solution below; I cannot get it configured on CLI as below. I login to CLI go to policyconfig -> Filters - > add new but it only walks me through same steps as in GUI. I do not see anywhere i can paste such a command. 

Can you Guru's sched some more light please? 

 

Thank you

A.Kurtay

 

 

Re: ESA - Tag body of emails EXTERNAL with exceptions

An example of what we use in production, on the CLI level :

 

CLITagExternalHeaderv4: if recv-listener == "InboundInterface" {
                            if NOT (header("X-IronPort-Filter") == "CLITagExternalHeader") {
                                if (NOT (attachment-filename == "smime.p7s")) OR (attachment-filename == "smime.p7m") {
                                    if NOT (mail-from-dictionary-match("WhiteListExternalTagging", 1)) {
                                        if NOT (mail-from-dictionary-match("OurownGroupDomains", 1)) {
                                            insert-header("X-IronPort-Filter", "CLITagExternalHeader");
                                            log-entry("CLITagExternalHeader");
                                            add-heading("External_Warning");
                                        }
                                    }
                                }
                            }
                        }

View solution in original post

12 Replies 12

Go to solution
marc.luescherFRE
Spotlight
Spotlight

‎01-02-2018 01:41 PM

An example of what we use in production, on the CLI level :

 

CLITagExternalHeaderv4: if recv-listener == "InboundInterface" {
                            if NOT (header("X-IronPort-Filter") == "CLITagExternalHeader") {
                                if (NOT (attachment-filename == "smime.p7s")) OR (attachment-filename == "smime.p7m") {
                                    if NOT (mail-from-dictionary-match("WhiteListExternalTagging", 1)) {
                                        if NOT (mail-from-dictionary-match("OurownGroupDomains", 1)) {
                                            insert-header("X-IronPort-Filter", "CLITagExternalHeader");
                                            log-entry("CLITagExternalHeader");
                                            add-heading("External_Warning");
                                        }
                                    }
                                }
                            }
                        }


Hope that gives you some ideas..

Go to solution
lsmarchig
Level 1
Level 1
In response to marc.luescherFRE

‎01-03-2018 07:52 AM

Thank you Marc, that is very helpful.

 

May i inquire why you exclude the secure mime attachments? Has it caused an issue adding in a header to these?

 

thanks

0 Helpful

Go to solution
dmccabej
Cisco Employee
Cisco Employee
In response to lsmarchig

‎01-03-2018 12:03 PM

Most likely because it's not recommend to modify any type of S/MIME signed and/or encrypted emails, as this can cause many different types of errors. It's typically recommended to bypass any sort of modifying filters for those.

 

Thanks!

-Dennis M.

Go to solution
marc.luescherFRE
Spotlight
Spotlight
In response to dmccabej

‎01-03-2018 02:12 PM

Correct

Inserting a custom header breaks the SMIME encryption and signatures. There
is also an issue with certain ICAL messages so you might need to exclude
them as well. Just working on that issue as we speak.


0 Helpful

Go to solution
lsmarchig
Level 1
Level 1
In response to marc.luescherFRE

‎01-04-2018 10:01 AM

Thank you
0 Helpful

Go to solution
cyberurmel
Level 1
Level 1
In response to dmccabej

‎05-30-2022 03:56 AM

Hello, 

 

sorry for asking late .. 

As our internal security asked to add an Tag in the subject Line at beginning ..

example - [External Mail] OriginalText Subject Line 

and also in the body of the mail . But as you wrote there will be some problems with signed and encrypted mails. So what is here best Practice? Can they bypassed an how? 

So all unsingned / not encrypted   should have  [External Mail ] in Subject Line and also with a Text in Body .. ATTENTION and so on .. ,

and all signed /  encrypted  only to the subject line [External Mail] as this should not be a problem or`??

 

Thanks and Regards

 

 

 

 

0 Helpful

Go to solution
tom.marschner
Level 1
Level 1
In response to marc.luescherFRE

‎01-21-2019 02:17 PM

I'm curious what the function of the CLITagExternalHeader header is. Would you expect any inbound messages from outside to contain this header?

 

0 Helpful

Go to solution
marc.luescherFRE
Spotlight
Spotlight
In response to tom.marschner

‎01-23-2019 04:44 AM

We are adding an additional disclaimer on top of all messages which come from external and can not be DMARC validated as our own authorized senders.

0 Helpful

Go to solution
marc.luescherFRE
Spotlight
Spotlight
In response to marc.luescherFRE

‎01-23-2019 04:45 AM

This header is checked so we will not add the same disclaimer to a messages when it has multiple replies with external users.

0 Helpful

Go to solution
tom.marschner
Level 1
Level 1
In response to marc.luescherFRE

‎01-23-2019 11:01 AM

Thanks. Do you see this custom header being retained in replies/forwards? I don't see my custom headers surviving a reply from an external sender.

0 Helpful

Go to solution
PeterGr
Level 1
Level 1
In response to marc.luescherFRE

‎07-02-2020 06:37 AM

Hi Marc,

Can you tell me how you identify the message replies and exclude the EXTERNAL header from a message already containing the header? We want to place the header, but don't want it repeated on an email thread.

0 Helpful

Go to solution
AykutKurtay3707
Level 1
Level 1
In response to marc.luescherFRE

‎05-12-2020 01:32 PM

Hi All,

 

I am quite new to CES environment. I have via GUI applied a disclaimer however now we need to whitelist indeed some domains. 

when i see the solution below; I cannot get it configured on CLI as below. I login to CLI go to policyconfig -> Filters - > add new but it only walks me through same steps as in GUI. I do not see anywhere i can paste such a command. 

Can you Guru's sched some more light please? 

 

Thank you

A.Kurtay

 

 

Re: ESA - Tag body of emails EXTERNAL with exceptions

An example of what we use in production, on the CLI level :

 

CLITagExternalHeaderv4: if recv-listener == "InboundInterface" {
                            if NOT (header("X-IronPort-Filter") == "CLITagExternalHeader") {
                                if (NOT (attachment-filename == "smime.p7s")) OR (attachment-filename == "smime.p7m") {
                                    if NOT (mail-from-dictionary-match("WhiteListExternalTagging", 1)) {
                                        if NOT (mail-from-dictionary-match("OurownGroupDomains", 1)) {
                                            insert-header("X-IronPort-Filter", "CLITagExternalHeader");
                                            log-entry("CLITagExternalHeader");
                                            add-heading("External_Warning");
                                        }
                                    }
                                }
                            }
                        }

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents