Thanks for the tips.

As i understand this filters are separate from the GUI content filters for incoming and outgoing mail?

If i make this rules via CLI how can i see them in GUI ?

Hi,

These rules will only be visible/editable via CLI of the ESA appliance. You can only see the hit counts of the message filters via GUI by going to Monitor-->Message Filters.

Cheers,
Pratham

Can you tell why rule for big mails: ex.

AllowBigMails:
if ((mail-from == '(?i)tester@dlp.hr') AND (body-size > 10M)){
deliver();
}

 

is not working ?

I get reply

Error Type: SMTP
Remote server (10.1.1.20) issued an error.
hMailServer sent: .
Remote server replied: 552 #5.3.4 message size exceeds limit
The message size is set to 10 MB by default.

Hi there,

 

I am suspecting that your default mail flow policy specifies a max message size of 10 MB (Mail Flow Policy, Default settings, connection, Max Mail Size).

 

A message filter will only action on emails which have passed the mail flow policy. If you need to allow > 10 MB then you would need to increase the value and turn your filter logic around and block > 10 MB for every other sender.

 

I hope that helps

 

-Marc

You are right i am using default value of 10 MB.

Can you give me example how to make exception if i increase max value to 50 MB and for most users to send max will be 7 MB and for certain senders above 10 MB ?

Thanks.

You have multiple options and all depends on how many users you are having.

 

For a small user basis or to get started quickly:

 

a) create a dictionaries with all user not allowed for 10 MB emails

     Enter the firstname.lastname@domain.com email address of authorized users, line break for second user etc.

 

b) create a content filter like

    GUI_Block_LargeFile

 

    if   Message Size                     body-size > 7340032     

         Envelope Recipient            rcpt-to-dictionary-match("Users7MBLimit",1)

         Make sure to select apply rule Only if all conditions match

 

        Quarantine                          quarantine("Policy")

 

  c) Submit

  d) Activate content filter in default mail policy.

 

  This will work, should your Ironports be connected to your LDAP or AD directory you could also create a group there and modify the filter to do a LDAP group lookup for membership instead.

 

I hope that gets you started.

 

-Marc

Adding onto of Marc's comments;

If you have set the limit on mail flow policies to 50MB (please only do this for certain mail flow policies / sendergroups or you may open your device to some trouble down the line).

You can create a message filter (i would prefer this over content filter simply because we can enforce it earlier before subjecting the email to further scans) to use of a rule for the domains which you trust and want to allow big sized emails to be put through, where every other sender domain will be dropped.

EG:

You want to allow @cisco.com to send 50mb only, everyone else should be dropped.

Filter_rule:
if mail-from != @cisco\\.com
{
if body-size > 7340032
{
drop();
}
}
.

This means, if the sender is NOT @cisco.com and it's larger than a restricted size, drop it. (this is a silent drop so senders will not know their emails got dropped, you can change this accordingly if required).

Alternatively - if the domains you trust, you know their mail server information, a better option is to create a new mail flow policy which allows 50MB; apply it to a special sendergroup for large_emails
Then within this sendergroup, insert the IP of the sending host or partial hostnames if they have multiple servers used to connect to your ESA.

Last thing to note.
You can set a limit to 10MB for example, but this 10MB also includes the MIME inflation.
So an email of 10MB may have a MIME inflation that pushes it to 13.4MB and gets rejected by the ESA.

What this means is a 50MB limit on the mail flow policy, may allow emails in actual size of 33MB (accounting for approx 34% MIME inflation).

Regards,
Mathew