Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2766
Views
3
Helpful
7
Replies

Incoming Mail Policy Matching only Envelope From but not Reply-To or From header

Tony Kilbarger
Level 1
Level 1

‎02-19-2019 02:34 PM

We are a cloud CES customer.  I believe last night we were upgraded from 11.1.0-135 to 11.1.2-023. 

 

Today we have reports of incoming email not matching an incoming policy that it previously did.  The policy matches specific sender addresses.  What we think we are seeing is that it is now only matching on the Envelope Sender address but not the Reply-To: header or the From: header.  For example we have a policy that uses "Following Senders" abc@mydomain.com.  If that is the Envelope Sender it matches.  If the envelope sender is something else that does not match a policy but the reply-to: or the from: is abc@mydomain.com, it will not match the policy.  From the documentation it should match based on this sequence:

 

  Matching Users to a Mail Policy

    • Envelope Sender (RFC821 MAIL FROM address)
    • Address found in the RFC822 From: header
    • Address found in the RFC822 Reply-To: header

Wondering if others are seeing this or are aware of it.  My co-worker is opening a case with TAC as I type.

 

Labels:
0 Helpful
7 Replies 7

Ken Stieers
VIP
VIP

‎02-19-2019 06:37 PM

I'm seeing that on 12.x on prem...




0 Helpful

charella
Cisco Employee
Cisco Employee
In response to Ken Stieers

‎02-20-2019 03:43 AM

Tony/Ken
Try this:
Navigate webui to > Mail Policie > Mail Policy Settings > click the name of the “headers” clickable link. > add checks for the desired header fields

Ken Stieers
VIP
VIP
In response to charella

‎02-20-2019 08:27 AM

Well, duh...

Thanks guys.






0 Helpful

munbali
Cisco Employee
Cisco Employee

‎02-19-2019 11:58 PM

Hi Tony,

 

starting with 11.1.x versions, there is a change where the mail policy matching is now configurable:

https://www.cisco.com/c/en/us/support/docs/security/cloud-email-security/212808-configure-flexible-mail-policy-match-fea.html

 

if you clicked the mail policies tab , you will see a new option under the incoming and outgoing mail policies and filters called mail policy settings 

 

from it you should see that the envelope sender is the only method added, you can edit it to include the from header and/or the reply to as well

 

Best Regards,

Muna Bali

Tony Kilbarger
Level 1
Level 1
In response to munbali

‎02-20-2019 07:15 PM

Yes, working with support this was our issue.  We had two CES clusters, one was upgraded, one was not so I could test.  When you went to the Mail Policy Settings on either version, it had just Envelope Sender P1.  The older version still matched on all 4, the new version did not. 

 

We made it go back to matching on all of the fields by deleting the entry on this screen.  This is different than checking all 4 fields and setting a priority P1 to P4 for them.  With no entries there, it will check all 4 fields in order for each the first policy, then if no match move on to the next policy and check all 4 and so on through all policies to default.  If instead you select all 4 and make them P1, P2, P3, P4, it will check the field you have set as P1 for each policy to try to match, then it will check the field marked P2 in each policy and so on.  Hope that makes sense.

 

Tony

Tony Kilbarger
Level 1
Level 1
In response to Tony Kilbarger

‎02-20-2019 07:19 PM

So in 11.1.0, the option was set but seemed to have no effect, it still matched Env Sender, From, Reply-To even though it was set ( assume as a default ) to Envelope Sender only. With the upgrade to 11.1.2, it began working as documented.
0 Helpful

Ken Stieers
VIP
VIP
In response to Tony Kilbarger

‎02-21-2019 06:31 AM

So, no entries is probably equal to checking all 4 as priority 1???
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents