Ironport Filter Criteria against single sender or recipient

macklinmc
Level 1

We have some filters that require an exception group for each filter type, e.g. certain_attachments_block, message_size_block, message_content_block, and for each type of block there is a list of exception senders or recipients, for people with permission for outbound/inbound policy exceptions. There is some additional complexity in that there are a half dozen policy groupings by country (different email domains) where regulations or local requirements differ.

The structure has been built as policy groups based on country (email domains) and filters for each to block and allow exceptions. We've tried several methods and keep coming back to 2 issues:

1. Any structure we devise that uses multiple filters for a single criteria, i.e. permit msg_size >x followed by block msg_size >x, will have to use "skip remaining filters" that will bypass further criteria checks such as banned attachments. Conclusion is that one filter must contain the sum total of permit/deny logic for each criteria to avoid skipping some criteria checks.

2. A single filter that checks for <banned_attachment>, plus <recipient_not_contain=exception_list> will apply the policy to all recipients of a message so that if an email is sent to person A who is allowed to receive the content and person B who is not, the filter will allow the content for both.

We settled on a filter structure that starts with exception lists in dictionaries for various criteria and sets a header for each such as size_allowed:True, content_allowed:true so that list maintenance is easier. Other filters then follow and check for: msg_size >x and header(size_allowed) not contain true and that fixes the issue with point 1 but not with point 2. The custom header is applied to the instance of a msg sent to person B who is not in the dictionary when the message is also addressed to person A who IS in the dictionary. When email is sent to each name separately, all is good.

I'm not surprised since the SMTP_DEBUG shows multiple RCPT TO commands before the DATA so it is in essence 1 copy of message for all recipients. Anyone know of a way to get a real "per recipient policy filter"? I see the term "per recipient policy" in the logs but don't know if/how to make it happen that way.

2 Replies

Enrico Werner
Cisco Employee

Hi Macklin,

What you can see in the mail logs, "matched per-recipient policy", is intelligent message splintering, a mechanism that allows for differing recipient-based policies to be applied independently to a message with multiple recipients. Each policy that matches a message creates a new message with those recipients. This process is defined as message splintering.

More information about this topic is in the user guide, which you can access through the online help "GUI - Help and Support - Online Help". Search for chapter "Message Splintering". Message splintering can be configured in the mail policies "GUI - Mail Policies - Incoming Mail Policies" where you can specify if the policy should match on certain recipients or senders.

Best regards,

Enrico

Thanks for the clarification. I've been reading the doc and the "per recipient policy" was clear once I thought about it enough. I was hoping there was a way around it. A single recipient name will get the "first fit" policy and that copy of the message will receive whatever controls we devise. That recipient name is then not eligible to be a member of another exception list at the policy level. My thinking is that we can organize the exceptions in a hierarchy based on risk, where the highest risk exception list also receives the lower risk privileges. Then a single person name would be applied to only 1 list and the whole thing operates like a privilege level mechanism.
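
The first-fit matching, splintering and tiered exception lists discussed in this thread, as an added Python model that is not part of any post and is not AsyncOS configuration. Policy names, addresses and check names are constructed for illustration.

```python
# Added illustration: simplified model of first-fit, per-recipient policy
# matching and message splintering. Not AsyncOS code; all names are constructed.

# Ordered policies: (name, member list, checks this policy exempts).
# Tiers run from highest risk to lowest; a higher tier also carries the
# exemptions of the tiers below it, so each person needs only one list.
POLICIES = [
    ("tier3_content", {"a@example.com"}, {"content", "attachment", "size"}),
    ("tier2_attachment", {"d@example.com"}, {"attachment", "size"}),
    # a@example.com is listed again here on purpose: first fit ignores it.
    ("tier1_size", {"a@example.com", "c@example.com"}, {"size"}),
    ("default", None, set()),  # None matches every remaining recipient
]


def match_policy(recipient):
    """Return (name, exemptions) of the first policy listing the recipient."""
    for name, members, exempt in POLICIES:
        if members is None or recipient.lower() in members:
            return name, exempt
    raise LookupError("no default policy configured")


def splinter(recipients):
    """Group recipients by matched policy; each group is one message copy."""
    copies = {}
    for rcpt in recipients:
        copies.setdefault(match_policy(rcpt)[0], []).append(rcpt)
    return copies


def verdicts(recipients, violations):
    """Evaluate each splintered copy on its own and report per recipient."""
    exemptions = {name: exempt for name, _, exempt in POLICIES}
    result = {}
    for policy, rcpts in splinter(recipients).items():
        blocked = sorted(set(violations) - exemptions[policy])
        for rcpt in rcpts:
            result[rcpt] = "block:" + ",".join(blocked) if blocked else "deliver"
    return result
```

A message addressed to both an exempt and a non-exempt recipient yields two copies with different verdicts, which is the behaviour the header-based filters in the original post could not provide.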
