How to bypass CRES if TLS Required is setup

jwiegert1
Level 1

Does anyone know how to bypass CRES if TLS Required is set up? We set up a rule:

Condition:   Envelope Recipient  rcpt-to-dictionary-match("TLSRequired_Exception_Domains", 1)

Action:  Final  Encrypt and Deliver Now (Final Action)  encrypt ("CiscoRes", "$Subject", 1)

As part of the option, you can use: Only use message encryption if TLS fails

The problem with this rule is that the Envelope Recipient says: "If a message has multiple recipients, only one recipient has to match for the specified action to affect the message to all recipients".

We did not realize that, and when two emails from different domains are added, we have issues. Ex.: The one with TLS required works great, but if an email is on there that is not TLS required, then they will automatically go CRES.

BTW:  We need this for Postini users since we are having issues with the CRES encryption.

2 Replies

tgolson
Level 1

Are you using a message filter or a content filter?

bfaynebfayne
Level 1

It depends on what you want to do.

If you just want to force TLS for some domains you can put them in destination controls as TLS Required. Then if there is a failure with TLS the message goes back into the queue just like the remote host was down. That does not require a content filter because destination controls happen last.

If you want to use different policies based on recipient domain you need to use message splintering. In order to do message splintering you will need to use a separate outgoing message policy with a list of recipient domains. I don't believe that can use a dictionary. You will need to paste the list of domains in the form "@domain" or use an LDAP query.

Then you can activate content filters on each policy as needed. If the CRES content filter is not active for that policy, CRES will not be used.
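
The difference between the single any-recipient-matches filter from the question and per-policy splintering from the reply above, as an added Python model that is not part of the thread and not Cisco code. The domains, the `TLS_CAPABLE` set, the function names and first-match policy ordering are assumptions made for illustration.

```python
# Simplified model of the behaviour discussed in this thread; not Cisco code.
# Domains and the TLS_CAPABLE set are constructed sample values.
TLS_LIST = {"partner.example"}     # stands in for the dictionary / policy domain list
TLS_CAPABLE = {"partner.example"}  # assumption: remote domains that negotiate TLS

def domain(rcpt):
    return rcpt.rsplit("@", 1)[1].lower()

def cres_filter(recipients):
    """Content filter: the condition is true if ANY envelope recipient matches,
    and the action (encrypt only if TLS fails) then covers ALL recipients.
    "deliver" means normal delivery with no CRES fallback."""
    if not any(domain(r) in TLS_LIST for r in recipients):
        return {r: "deliver" for r in recipients}
    return {r: "tls" if domain(r) in TLS_CAPABLE else "cres" for r in recipients}

def splinter(recipients, policies):
    """Group recipients by the first policy whose domain list matches.
    A policy with domains=None is the catch-all default (assumed last)."""
    copies = {}
    for r in recipients:
        for name, domains, _filter in policies:
            if domains is None or domain(r) in domains:
                copies.setdefault(name, []).append(r)
                break
    return copies

def deliver_splintered(recipients, policies):
    """Run each policy's content filter only on that policy's recipients."""
    filters = {name: f for name, _domains, f in policies}
    result = {}
    for name, rcpts in splinter(recipients, policies).items():
        f = filters[name]
        result.update(f(rcpts) if f else {r: "deliver" for r in rcpts})
    return result

MESSAGE = ["alice@partner.example", "bob@other.example"]  # constructed
POLICIES = [("tls_required", TLS_LIST, cres_filter), ("default", None, None)]

if __name__ == "__main__":
    print("one policy :", cres_filter(MESSAGE))
    print("splintered :", deliver_splintered(MESSAGE, POLICIES))
```

In the single-filter case the unlisted recipient is pulled into the encrypt action because one other recipient matched; after splintering, that recipient's copy is handled by the default policy, where the CRES filter is not active.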