
Force specific IP for a specific domain

Escimo
Level 1

Hello,

In order to increase security for a specific domain, we need to restrict email sending from sender@example.com to only be able to send us emails from IP xyz. Is this possible using Ironport/ESA?

We usually rely on DMARC with DKIM and SPF alignment, but in this case we cannot.


Accepted Solution

Andres Vega
Cisco Employee

You can configure a message filter to drop the messages when the remote IP address of sender@example.com is not the one you are expecting.

MF_Example:
 if ((mail-from == "sender@example.com") AND (not (remote-ip == "192.168.10.10"))) { drop(); }

MF_Example:
 if ((mail-from == "sender@example.com") AND (remote-ip != "192.168.10.10")) { drop(); }

If there's more than one IP address, then there are multiple ways to do it. I like the approach of creating a Sender Group, adding the IP addresses, and later using the "sendergroup" rule to drop the message if the sender IP address does not match the SG you created for that sender.

MF_Example:
 if ((mail-from == "sender@example.com") AND (not (sendergroup == "3RDPARTY"))) { drop(); }

As Ken mentioned in his reply, once the message is dropped by the ESA, the sender side cannot retry, so the best option is to agree with them on sending the messages from some specific IP addresses, and at the same time deploy filters or other mechanisms on your side to make sure messages from that sender are coming from the agreed IP addresses.

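To check the filter logic above against sample traffic before typing it into the ESA, here is an added Python emulation of the same decision (example code written for this page, not from the thread or from Cisco). It assumes a hypothetical policy table AGREED_SOURCES of envelope senders mapped to agreed hosts or CIDR blocks (the CIDR list plays the role of the sender group), and the transactions in SAMPLE_TRANSACTIONS are constructed for the demonstration. One caveat it builds in: the ESA mail-from rule is a regular-expression match, so a bare literal such as "sender@example.com" also matches longer addresses that contain it; the emulation anchors and escapes the address, and the filter on the ESA should do the same ("^sender@example\.com$" style) so a lookalike envelope sender cannot slip past the rule.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed policy for this example: envelope sender -> agreed source addresses
# (single hosts or CIDR blocks, the equivalent of an ESA sender group). Hypothetical values.
AGREED_SOURCES: Dict[str, List[str]] = {
    "sender@example.com": ["192.168.10.10", "192.168.10.16/29"],
}


def compile_policy(agreed: Dict[str, List[str]]):
    """Turn the table into anchored, case-insensitive sender patterns plus parsed networks.

    An unanchored regex such as "sender@example.com" would also match
    "notsender@example.com.evil", so each sender is anchored with ^ and $
    and the literal text is escaped (the '.' in the domain is not a wildcard).
    """
    policy = []
    for sender, sources in agreed.items():
        pattern = re.compile(r"^" + re.escape(sender) + r"$", re.IGNORECASE)
        networks = [ipaddress.ip_network(src, strict=False) for src in sources]
        policy.append((pattern, networks))
    return policy


POLICY = compile_policy(AGREED_SOURCES)


def evaluate(mail_from: str, remote_ip: str, policy=POLICY) -> Tuple[str, str]:
    """Return ("drop" | "accept", reason) for one already-accepted SMTP transaction.

    Mirrors the filter in the thread: the rule only fires when the envelope
    sender is the restricted address. Any other sender is left to the rest of
    the pipeline (DMARC, anti-spam, ...), so this function reports 'accept'.
    """
    for pattern, networks in policy:
        if not pattern.match(mail_from.strip()):
            continue
        try:
            addr = ipaddress.ip_address(remote_ip)
        except ValueError:
            # A connecting address we cannot parse is never an agreed source.
            return "drop", f"unparseable remote IP {remote_ip!r}"
        if any(addr in net for net in networks):
            return "accept", f"{mail_from} from agreed source {remote_ip}"
        return "drop", f"{mail_from} from non-agreed source {remote_ip}"
    return "accept", "sender not covered by the IP restriction"


# Constructed transactions (envelope sender, connecting IP) for the demonstration.
SAMPLE_TRANSACTIONS = [
    ("sender@example.com", "192.168.10.10"),         # agreed host
    ("Sender@Example.COM", "192.168.10.18"),         # agreed block, case differs
    ("sender@example.com", "203.0.113.7"),           # not an agreed source: dropped
    ("notsender@example.com.evil", "203.0.113.7"),   # would match an unanchored regex
    ("other@example.com", "203.0.113.7"),            # not restricted by this rule
]


def run(transactions=SAMPLE_TRANSACTIONS):
    """Evaluate every sample transaction and return (sender, ip, verdict, reason) rows."""
    return [(mf, ip, *evaluate(mf, ip)) for mf, ip in transactions]


if __name__ == "__main__":
    for mf, ip, verdict, reason in run():
        print(f"{verdict:6s} {mf:28s} {ip:15s} {reason}")
```

The fourth sample row is the reason for the anchoring: with the pattern anchored it is simply not covered by the rule, whereas an unanchored "sender@example.com" on the ESA would have treated it as the restricted sender. Because the filter runs in the work queue after the message has been accepted, every "drop" here is a silent discard the remote side will not retry, which is why the agreed source list has to be complete before the filter goes live.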

3 Replies

You can't force it; you can only decide to drop mail from that domain that didn't come from a specific IP, and there is no mechanism to tell the remote system to resend/retry.

The ESA doesn't give you the option of making that decision until the message is in the work queue, so the sending system has already sent it; it has completed its part of the transaction.

Put yourself in the sending system's shoes... how would their system tell yours to only send via a specific IP?

You can call them/email and come to an agreement for them to do that... maybe?


Thanks for an excellent answer. I will try this solution; it seems like it will work.

The specific SMTP servers are of course agreed upon already.