Beginner

How to selectively block internal users from receiving external emails

Hi,

 

I am facing an issue with IronPort configuration. At the moment we are running an IT awareness program. When a user does not manage to finish this training program, we then block any external email communication to such users.

For this I am using a content filter where, as the condition, I use: rcpt-to-dictionary-match("IncompleteTraining_block", 1), a dictionary which is populated with all the emails of users in the company who have not completed the training. Then the action is a notification of such action and the e-mail gets quarantined. This all works fine.

 

The issue comes in when there is a group email with many recipients (to: or cc:). Among them there could be one or more that are still in the dictionary, but all of them, even the ones that are not there (thus completed - should not be blocked), get their email blocked. This creates lots of issues.

 

My question is: would it be possible to block emails solely to the recipients that are actually blocked in the dictionary, or would that only be possible in Exchange? I could not find this in any help docs and tried different combinations of filters, but there aren't such options. So I am not completely sure if it would be possible.

Any help would be appreciated!

 

Many thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Collaborator

Re: How to selectively block internal users from receiving external emails

The issue you're having is because the incoming isn't splintered to be sent to separate receivers until after the content filter is applied.



What you need to do is create a new incoming mail policy, with the "recipient" set to this group (which you can manage in AD, and use an LDAP lookup to resolve) and then apply the appropriate content filter.



You can get info on message splintering in the online help, under Mail Policies/Message Splintering.

Or the docs here: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01001.html#con_1121454




Beginner

Re: How to selectively block internal users from receiving external emails

Hi Ken,

 

Thanks for the reply,

 

To make it completely clear, what I should do is:

 

I have this scenario. Joe@domain.com is blocked and is included in the dictionary under the content filter for blocking incomplete-training users; he should also receive a notification and the email should be quarantined. And then we also have Alice@domain.com; she is not in the dictionary list (has completed training).

So I will create a new policy; here I will create sender: any; recipient: Joe@domain.com (basically it should match those in the dictionary), because I want this policy to get triggered only for him.

So next time, when an email arrives for to: Alice@domain.com cc: Joe@domain.com, the email will arrive only to Alice, and Joe will receive an email with a notification and his email will be placed into quarantine?

 

Would this be the right approach?

 

Thanks

lc

Collaborator

Re: How to selectively block internal users from receiving external emails

Yes, that's the right approach.

Under Mail Policies/Incoming Mail Policies, create a new one.  Set the recipients to the list of users that are in your dictionary... though you may want to use an AD or LDAP group.

 

For this policy, you'll want the content filter to have NO lookup against the dictionary, that already happened when the mail hit this policy, no need to do the extra work of a dictionary match... and you don't want to have to manage this list of users in more than one place either.
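
An added illustration, not part of the thread and not Cisco's code: a simplified Python model of the behaviour discussed above, comparing the single-policy dictionary filter with a dedicated incoming mail policy that causes the message to be splintered per recipient. The policy names, the helper functions and the sample message are assumptions constructed for the example; the addresses are the ones used in the thread.

```python
# Simplified model of per-recipient policy matching ("message splintering").
# Policy names, helpers and the sample message are constructed for illustration.
from collections import OrderedDict

INCOMPLETE_TRAINING = {"joe@domain.com"}  # stands in for the dictionary / LDAP group


def filter_rcpt_dictionary(recipients):
    """Original setup: the condition is true if ANY recipient of the copy the
    filter sees is in the dictionary, and the action applies to that whole copy."""
    hit = any(r.lower() in INCOMPLETE_TRAINING for r in recipients)
    return "quarantine" if hit else "deliver"


def splinter(recipients, policies):
    """Assign each recipient to the first policy (top-down) that matches it,
    then group recipients so each matched policy gets its own message copy."""
    copies = OrderedDict()
    for rcpt in recipients:
        for name, matches, _action in policies:
            if matches(rcpt.lower()):
                copies.setdefault(name, []).append(rcpt)
                break
    return copies


def process(recipients, policies):
    """Return {recipient: outcome} after splintering and per-policy filtering."""
    actions = {name: action for name, _matches, action in policies}
    outcome = {}
    for name, rcpts in splinter(recipients, policies).items():
        result = actions[name](rcpts)
        outcome.update({r: result for r in rcpts})
    return outcome


RCPTS = ["Alice@domain.com", "Joe@domain.com"]  # to: Alice, cc: Joe

# Before: only the default policy, with the dictionary-match content filter.
BEFORE = [("Default", lambda r: True, filter_rcpt_dictionary)]

# After: a dedicated policy above the default; its filter needs no dictionary lookup.
AFTER = [
    ("IncompleteTraining", lambda r: r in INCOMPLETE_TRAINING, lambda rc: "quarantine"),
    ("Default", lambda r: True, lambda rc: "deliver"),
]

if __name__ == "__main__":
    print("before:", process(RCPTS, BEFORE))
    print("after: ", process(RCPTS, AFTER))
```

In the "before" case both recipients share one copy, so the quarantine action hits Alice as well; in the "after" case Joe's copy is handled by its own policy and Alice's copy is delivered.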