09-14-2023 07:08 AM
We have whitelisted the domain but it's still getting caught in the email filter.
The email looks like this: msprvs1=19620-vBnExuR=bounces-280047@bounce.smartsheet.com
How can I prevent this from getting caught?
09-14-2023 07:53 AM
easiest and best way is to whitelist servers, not domains as domains can be spoofed.
But, you could do it with just .smarsheet.com and it should whitelist anything containing that. Depending how your whitelist matches.
09-14-2023 08:07 AM
Actually have @.smartsheet.com but seems to not work. Any other domains in the whitelist are working fine. Have not done whitelisting servers but I will look into it.
09-14-2023 10:27 AM - edited 09-14-2023 10:28 AM
it's going to look for exact match and . is a wildcard, so technically you would want ends with \.smartsheet\.com to exact match it. having the @ means it would only match on say @dsmartsheet.com as the . is like a * in regex. the \ is an escape meaning to match the period. Easiest is to just loose the @ and do .smartsheet.com, or call out the full @bounce.smartsheet.com
I use a program called EditPad Pro as it's nice to use the search to verify your Regex and if it's correct and will trigger. it's nice to highlight the match and it will color any RegEx hits in the search so you can see if you need to escape something with \
09-14-2023 11:08 AM - edited 09-14-2023 12:16 PM
Thanks for the suggestions. Unfortunately, cisco secure email does not allow the use of wildcard and we can't really get rid of @ like what it shows in the pic below.
Currently what we have in our whitelist are @bounce.smartsheet.com, @.bounce.smartsheet.com, and @.smartsheet.com.
09-14-2023 11:39 AM
Ahh, I thought you were in a content filter. Is that under the HAT settings? or a separate flow?
09-14-2023 12:14 PM
We have content filter setup for specific users. The setting i showed you above was from the incoming mail policies where we can add email domains to block or allow.
09-14-2023 01:15 PM
ok, yeah the mail policies are more restricted. what we have is a content filter referencing a dictionary of email addresses to drop. Different ways to the same goal though.
09-15-2023 05:03 AM
We use dictionaries too but i dont think we can use that to the incoming mail policies. How is yours set up, if you dont mind me asking? By the looks of it you are able to use wildcard using dictionary.
09-15-2023 06:08 AM
We use a content filter to drop the message at the start of the filters basically so it doesn't flow through the rest.
09-15-2023 07:41 AM - edited 09-15-2023 07:46 AM
Oh i see! So what we are actually trying to do so far is to see which domains are we blocking or whitelisting. So we have that same filter but instead, it duplicates the incoming email, where one goes to the users and the duplicate will go to the quarantine. Then in the quarantine we check the domains and once we see the one we need to whitelist/blocklist, we then add that domain to the mail policies.
In the case with @bounce.smartsheet.com we have that added to the whitelist already, but still getting caught in the quarantine. Its annoying because the domain does not change, so technically it should whitelist that, but its not.
09-15-2023 08:40 AM
so, anything will go through the content filters, Is your whitelist a filter, or done through the HAT section?
We whitelist server IPs in the hat section and disable certain functions in the different policies. If your whitelist is done with a content filter, it will still flow through other filters unless you set skip filters as the last step. Another option if its a content filter is say set a header of X-Whitelist=true and in your other filter check that X-Whitelist header does not exist.
09-15-2023 10:22 AM - edited 09-15-2023 10:24 AM
Okay, so we have set up the HAT section too where we whitelisted the domain IP. Seems to not work either.
Here's how we set it up. In that HAT section, we already whitelisted the domain IP. Then we have the content filter, we have that setup to duplicate the incoming emails one goes to the users and the other goes to quarantine (so we can sort it out), and then in the mail policies we have 2 different polices setup, white and block list. The @bounce.smartsheet.com has been in the whitelist since the beginning but for some reason, it's still getting caught in the quarantine. So basically once we added the domain to the whitelist, it should no longer duplicate the email. On the other hand, if we added the domain to the block list, then that email should be blocked and nothing else should happen to it.
09-15-2023 11:33 AM
OK, maybe I'm mis-understanding your flow, but from your screenshots, you have an incoming policy for your whitelist, from there you have a content filter copying everything from the whitelist to a quarantine. Since your content filter has no conditions, then anything hitting the whitelist incoming policy gets duplicated. you may have it set on the incoming policy as default, you would want to select it and uncheck the store lockdown content filter to stop it applying that filter.
If your filter says use default, select it and uncheck the filter.
09-19-2023 10:20 AM
Hi you are right about the no condition on the filter we created because for now we want to make sure which domain are we blocking and we're whitelisting.
In the Incoming Mail Policies, we are not using default.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide