
Incoming emails with bounce verification keep getting caught.

kandres
Level 1

We have whitelisted the domain but it's still getting caught in the email filter. 

The email looks like this: msprvs1=19620-vBnExuR=bounces-280047@bounce.smartsheet.com

How can I prevent this from getting caught?

14 Replies

The easiest and best way is to whitelist servers, not domains, as domains can be spoofed.

But you could do it with just .smartsheet.com and it should whitelist anything containing that, depending on how your whitelist matches.

We actually have @.smartsheet.com, but it seems to not work. Any other domains in the whitelist are working fine. We have not done whitelisting of servers, but I will look into it.

It's going to look for an exact match and . is a wildcard, so technically you would want ends with \.smartsheet\.com to exact match it. Having the @ means it would only match on, say, @dsmartsheet.com, as the . is like a * in regex. The \ is an escape meaning to match the period. Easiest is to just lose the @ and do .smartsheet.com, or call out the full @bounce.smartsheet.com

I use a program called EditPad Pro, as it's nice to use the search to verify your regex and whether it's correct and will trigger. It's nice to highlight the match, and it will color any regex hits in the search so you can see if you need to escape something with \

Screenshot 2023-09-14 122422.jpg

Screenshot 2023-09-14 122501.jpg
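An added example, not part of the thread and not Cisco's own matching logic: the patterns discussed in the reply above, evaluated as Python regular expressions against the sender address from the question. It assumes a regex-based matcher (such as a content-filter dictionary); every sample address except the first is constructed, and the last pattern is an added, fully anchored form.

```python
import re

# Envelope sender quoted in the question.
REAL = "msprvs1=19620-vBnExuR=bounces-280047@bounce.smartsheet.com"

SAMPLES = [
    REAL,
    "user@smartsheet.com",                     # constructed: bare domain
    "user@dsmartsheet.com",                    # constructed lookalike
    "user@bounce.smartsheet.com.example.net",  # constructed lookalike
    "user@notsmartsheet.com",                  # constructed lookalike
]

# Patterns from the thread, read as regular expressions, plus one
# anchored form added here (assumption: matcher does a regex search).
PATTERNS = {
    "unescaped, with @": r"@.smartsheet.com",
    "unescaped, no @": r".smartsheet.com",
    "escaped, ends-with": r"\.smartsheet\.com$",
    "domain or subdomain": r"@(?:[a-z0-9-]+\.)*smartsheet\.com$",
}


def matches(pattern, sender):
    """True if the pattern is found anywhere in the sender address."""
    return re.search(pattern, sender, re.IGNORECASE) is not None


def report():
    """Map each pattern name to the sample senders it would allow."""
    return {
        name: [s for s in SAMPLES if matches(p, s)]
        for name, p in PATTERNS.items()
    }


if __name__ == "__main__":
    for name, allowed in report().items():
        print(f"{name:22} {PATTERNS[name]}")
        for sender in allowed:
            print(f"    allows {sender}")
```

The unescaped pattern without the @ allows every sample, lookalikes included, which is why an allow-list entry should escape the dots and anchor the end of the domain.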

Thanks for the suggestions. Unfortunately, Cisco Secure Email does not allow the use of wildcards, and we can't really get rid of the @, like what it shows in the pic below.

Currently what we have in our whitelist are @bounce.smartsheet.com, @.bounce.smartsheet.com, and @.smartsheet.com. 

kandres_0-1694714465985.png

 

Ahh, I thought you were in a content filter. Is that under the HAT settings, or a separate flow?

We have a content filter set up for specific users. The setting I showed you above was from the incoming mail policies, where we can add email domains to block or allow.

OK, yeah, the mail policies are more restricted. What we have is a content filter referencing a dictionary of email addresses to drop. Different ways to the same goal, though.

We use dictionaries too, but I don't think we can use that in the incoming mail policies. How is yours set up, if you don't mind me asking? By the looks of it, you are able to use wildcards using a dictionary.

We use a content filter to drop the message at the start of the filters basically so it doesn't flow through the rest.

Screenshot 2023-09-15 080725.jpg

Oh I see! So what we are actually trying to do so far is to see which domains we are blocking or whitelisting. So we have that same filter, but instead it duplicates the incoming email, where one goes to the users and the duplicate goes to the quarantine. Then in the quarantine we check the domains, and once we see the one we need to whitelist/blocklist, we add that domain to the mail policies.

In the case of @bounce.smartsheet.com, we have that added to the whitelist already, but it is still getting caught in the quarantine. It's annoying because the domain does not change, so technically it should whitelist that, but it's not.

So, anything will go through the content filters. Is your whitelist a filter, or done through the HAT section?

We whitelist server IPs in the HAT section and disable certain functions in the different policies. If your whitelist is done with a content filter, it will still flow through other filters unless you set skip filters as the last step. Another option, if it's a content filter, is to, say, set a header of X-Whitelist=true and in your other filter check that the X-Whitelist header does not exist.

Screenshot 2023-09-15 103703.jpg

Okay, so we have set up the HAT section too where we whitelisted the domain IP. Seems to not work either.

Here's how we set it up. In the HAT section, we already whitelisted the domain IP. Then we have the content filter, which we have set up to duplicate the incoming emails: one goes to the users and the other goes to quarantine (so we can sort it out). Then in the mail policies we have 2 different policies set up, white and block list. The @bounce.smartsheet.com has been in the whitelist since the beginning, but for some reason it's still getting caught in the quarantine. So basically, once we added the domain to the whitelist, it should no longer duplicate the email. On the other hand, if we added the domain to the block list, then that email should be blocked and nothing else should happen to it.

kandres_0-1694798069299.png

kandres_1-1694798282331.png

 

 

OK, maybe I'm misunderstanding your flow, but from your screenshots, you have an incoming policy for your whitelist, and from there you have a content filter copying everything from the whitelist to a quarantine. Since your content filter has no conditions, anything hitting the whitelist incoming policy gets duplicated. You may have it set on the incoming policy as default; you would want to select it and uncheck the store lockdown content filter to stop it applying that filter.

 

If your filter says use default, select it and uncheck the filter.

Screenshot 2023-09-15 133312.jpg

Hi, you are right about there being no condition on the filter we created, because for now we want to make sure which domains we are blocking and which we're whitelisting.

 

In the Incoming Mail Policies, we are not using default. 

kandres_0-1695144005869.png