How to modify "From" header when certain condition met on "Return-Path" header

el-hamras
Level 1

We are activating TLS enforcement (STARTTLS) between our customer's domain (@tls.customer.com) and their business partner's domain (@tls.partner.com) on the internet MTA (Cisco ESA C370 running AsyncOS 8.0.1-023).

The customer manages their internal mail infrastructure and has user mail domains based on country. So, for example, user X in Switzerland will have the sender address X@ch.customer.com.

My understanding is that they are using IQ Suite software to rewrite the sender address to X@tls.customer.com so that TLS can be enforced based on this domain.

So far so good, until the business partner at the receiving end mentioned that they receive Reply-To: X@tls.customer.com but From: X@ch.customer.com.

This interferes with the policy at their end, which requires both sender header fields to be the same.

My customer mentioned that they have modified both the "From" and "Sender" fields using IQ Suite, but somehow on our IronPort we see both addresses appearing in "From":

From: <X@ch.customer.com>, <X@tls.customer.com>

And in message tracking I can see DKIM matching on X@ch.customer.com rather than on X@tls.customer.com:

Message 218480027 (51299 bytes) from X@tls.customer.com ready.
10 Feb 2015 09:13:27 (GMT +01:00)     Message 218480027 matched per-recipient policy DEFAULT for outbound mail policies.
10 Feb 2015 09:13:27 (GMT +01:00)     Message 218480027 is not signed. No domain key profile matches X@ch.customer.com.
10 Feb 2015 09:13:27 (GMT +01:00)     Message 218480027 successfully signed. DKIM ch.customer.com-DKIM matched ch.customer.com.
10 Feb 2015 09:13:27 (GMT +01:00)     Message 218480027 queued for delivery.


So I suspect that the customer's internal mail still has X@ch.customer.com in the "From" header and X@tls.customer.com in the "Return-Path" header.

The question is: how can I modify the "From" header to match the one in "Return-Path" before sending it to the partner?

Appreciate the feedback.

3 Replies

Why are they rewriting addresses? Just do it once for the country stuff...

If you want to enforce TLS outbound to a domain, just set it in Mail Policies/Destination Controls.

To force inbound email to use TLS, create a new policy under Mail Policies/Mail Flow Policies and set it to require TLS.

Go to Mail Policies/HAT Overview, create a new Sender Group, tell it to use the new flow policy you created, and add the domain(s) you want to enforce TLS on.

You may need to place it earlier in the HAT so that this policy is hit first, but you should be able to force it from your side.

Ken, thanks for your feedback.

Indeed, it would have been easier at the country-domain level, but due to compliance it has to be between @tls.customer.com and @tls.partner.com and restricted to certain pre-defined users.

But the customer doesn't want to create a specific user environment for this, since it would require them to create new AD users, a new email domain tls.customer.com, etc. They're trying to make this simpler by allowing selected country users to send email "on behalf of" this tls.customer.com domain.

And I think this is where it goes wrong.

From my tests and knowledge:

We cannot manipulate the From: header to use the variable of the return-path/envelope sender.

However, if you know specifically what to rewrite it to, then we can rewrite the From: header to a specific address.

This is done as follows:

Content filter or message filter condition set.

Action would be:

insert-header("From", "address@domain.com")

This is all I can think of for this type of request.
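Added example, not from any poster in this thread: a small Python script that models the two things the thread turns on, the partner-side alignment check (From: must carry exactly one mailbox and it must equal Return-Path) and a sender-side rewrite that replaces From: with the envelope sender only when Return-Path is on the TLS domain. The domain tls.customer.com and both sample messages are constructed from the symptom described above, not captured traffic. The rewrite removes every existing From: header before adding the new one; simply adding a header would reproduce the doubled From: seen in the original post. On the ESA itself, as I understand the AsyncOS message-filter actions, the equivalent is strip-header("From") followed by insert-header("From", ...), since insert-header adds a header rather than replacing it.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed domain from the thread: mail whose Return-Path is on this domain is the
# TLS-enforced traffic whose From: has to line up with the envelope sender.
TLS_DOMAIN = "tls.customer.com"

# Constructed sample modelled on the symptom in the thread (two mailboxes in
# From:, Return-Path and Reply-To on the TLS domain). Not a real captured message.
SAMPLE_BROKEN = """\
Return-Path: <X@tls.customer.com>
From: <X@ch.customer.com>, <X@tls.customer.com>
Reply-To: <X@tls.customer.com>
To: <Y@tls.partner.com>
Subject: constructed test message

body
"""

# Constructed sample of ordinary country-domain mail that must be left alone.
SAMPLE_PLAIN = """\
Return-Path: <X@ch.customer.com>
From: <X@ch.customer.com>
To: <someone@example.net>
Subject: constructed test message

body
"""


def from_mailboxes(msg):
    """Every mailbox found in every From: header (a message may carry several)."""
    return [addr for _, addr in getaddresses(msg.get_all("From", []))]


def return_path(msg):
    """Envelope sender as recorded in Return-Path:, or '' if the header is absent."""
    return parseaddr(msg.get("Return-Path", ""))[1]


def same_mailbox(a, b):
    # The domain part is case-insensitive; for this alignment check the local
    # part is compared case-insensitively as well.
    return a.lower() == b.lower()


def from_matches_return_path(msg):
    """The partner-side rule: exactly one From: mailbox, equal to Return-Path."""
    froms = from_mailboxes(msg)
    return len(froms) == 1 and same_mailbox(froms[0], return_path(msg))


def rewrite_from(msg, tls_domain=TLS_DOMAIN):
    """Sender-side fix: when Return-Path is on the TLS domain, replace From: with it.

    Returns True if the message was changed. All existing From: headers are
    removed first; merely adding another From: would reproduce the doubled
    header reported in the thread.
    """
    rp = return_path(msg)
    if not rp.lower().endswith("@" + tls_domain.lower()):
        return False
    del msg["From"]            # drops every From: header, not just the first
    msg["From"] = "<%s>" % rp
    return True


def check(raw):
    """Parse only: return (from_mailboxes, aligned) without changing anything."""
    msg = message_from_string(raw)
    return from_mailboxes(msg), from_matches_return_path(msg)


def process(raw):
    """Parse, rewrite if applicable, and return (changed, from_mailboxes, aligned)."""
    msg = message_from_string(raw)
    changed = rewrite_from(msg)
    return changed, from_mailboxes(msg), from_matches_return_path(msg)


if __name__ == "__main__":
    for raw in (SAMPLE_BROKEN, SAMPLE_PLAIN):
        print(check(raw), "->", process(raw))
```

Running it shows the broken sample failing the alignment check before the rewrite and passing afterwards, while the plain country-domain message is untouched because its Return-Path is not on the TLS domain; that condition is what keeps the rewrite from touching ordinary mail. DKIM signing should happen after such a rewrite, otherwise the signature is computed over the old From: (the tracking log in the question shows the ch.customer.com profile being selected).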