03-27-2017 12:36 PM
Dear support,
We are looking to migrate to Office 365; however, I would like to keep email routing via the on-premise IronPort appliance.
I need to ensure the following:
1. Email sent from Office 365 to external (internet) routes through the on-prem ESA and the normal content filter, outbound mail policy and DLP policy apply.
2. Email sent between two users in Office 365 does not need to route via on-prem.
3. Outbound email from on-prem continues to route as normal with content filter, outbound mail policy and DLP policy applied.
4. Email sent from an on-prem user to a cloud user (i.e. our private O365 tenant) goes back out via the ESA en route to Office 365, however without any filtering or DLP policy.
Please, has anyone implemented this scenario? I need some guidance as I am not great with the ESA appliance.
03-27-2017 12:51 PM
Hi Victor,
1. Email sent from Office 365 to external (internet) routes through the on-prem ESA and the normal content filter, outbound mail policy and DLP policy apply.
In order to allow emails from Office 365 to be sent outbound, you would need to add the Office 365 IP to the HAT RELAYLIST under Mail Policies -> HAT Overview.
Adding this would then treat those emails as outbound and would process as per the outgoing mail policies including content filters and DLP.
If the Office 365 servers are dynamic, then you would need to add the required subnets along with the below message filter to prevent other domains from relaying emails through the ESA.
DropRelayedMail:
if (sendergroup == 'RELAYLIST') AND
((mail-from != '@example\\.com;) OR (rcpt-to != 'example\\.com;)){
drop();
}
Message filters are added through command line access to the appliance using the command "filters".
2. Email sent between two users in Office 365 does not need to route via on-prem.
This would need to be configured on the Office 365 side. Any email injected to the ESA would be processed by the ESA, so the Office 365 server would need to be configured to prevent emails between users in Office 365 from being sent to the ESA.
3. Outbound email from on-prem continues to route as normal with content filter, outbound mail policy and DLP policy applied.
As the internal Exchange servers would already be part of the HAT RELAYLIST, they would continue to be processed via the outbound mail policy.
4. Email sent from an on-prem user to a cloud user (i.e. our private O365 tenant) goes back out via the ESA en route to Office 365, however without any filtering or DLP policy.
This would require configuring a new outgoing mail flow policy for the recipient domain/email address on Office 365 under Mail Policies -> Outgoing Mail Policies, with the scanning engines disabled for just that outgoing mail policy.
Thank You!
Libin Varghese
03-27-2017 01:16 PM
Thanks Libin for the prompt response, greatly appreciated. I read that it may be better to create a new listener for this purpose. Would this be the best option, and will all the steps you already mentioned remain the same?
Sorry if I sound a bit dumb, but can you describe the drop rule in plain English, just to help me better understand what the rule is doing:
DropRelayedMail:
if (sendergroup == 'RELAYLIST') AND
((mail-from != '@example\\.com;) OR (rcpt-to != 'example\\.com;)){
drop();
03-27-2017 01:30 PM
Creating a second listener would allow you to keep the traffic from the Office 365 servers separate from the rest of the traffic. The remaining steps would remain the same.
The only difference would be that the configuration under Mail Policies -> HAT Overview (including RELAYLIST) would be configured specifically for that listener. You could also just create a new sender group for the Office 365 servers within the existing listener.
For the message filter, it checks the traffic originating from the IPs listed in the RELAYLIST and drops emails that are not from and not to your internal domain.
This would be required if the Office 365 server is shared between multiple organizations.
For example, Office 365 IP 10.10.10.10 is added to your HAT RELAYLIST.
The same server is used by abc.com which is owned by you and also by pqr.com which is owned by another organization.
So in order for the ESA to only allow emails from abc.com, we would have a filter in place which would drop emails from pqr.com.
DropRelayedMail:
if (sendergroup == 'RELAYLIST') AND
((mail-from != '@abc\\.com;) OR (rcpt-to != '@abc\\.com;)){
drop();
}
So email from abc.com to gmail.com - Accepted
Email from abc.com to pqr.com - Accepted
Email from pqr.com to abc.com - Accepted
Email from pqr.com to gmail.com - Dropped
However, if you have a dedicated Office 365 server, then simply adding that to the HAT RELAYLIST would be enough. The message filter would not be required in that scenario.
- Libin V
03-28-2017 02:15 AM
Would it be more efficient to nest the If rather than use an And operator?
Possibly I'm not following the scenario fully, but shouldn't the Or operator be an And? It sounds as if the OP is running hybrid for a while, so CC and BCC will also be a consideration.
I'm thinking:
DropRelayedMail:
if (sendergroup == 'O365LIST') {
if ((mail-from != '@abc\\.com') AND (rcpt-to != '@abc\\.com')) {
quarantine('Testing Quarantine');
}
}
I'm suggesting a new sender group because the inflow from O365 may be unique enough to have its own mail flow policy. Not sure what should go in that. Whether O365LIST should go above or below BLACKLIST in the HAT is of course a matter of faith.
05-17-2017 04:21 AM
Hi Libin,
Just to say a big thanks to you. I was able to implement necessary office 365 email routing for our environment following your guidance.
Thanks.
Vic
05-17-2017 05:08 AM
Awesome. Glad to help.
- Libin V
03-28-2017 04:47 AM
Correcting the filter.
DropRelayedMail:
if (sendergroup == 'RELAYLIST') AND
((mail-from != '@abc\\.com;) AND (rcpt-to != '@abc\\.com;)){
drop();
}
- Libin V
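As an added illustration that is not part of this thread or of the ESA product, a small Python simulation of both versions of the filter (OR in the original post, AND in the correction) against the abc.com/pqr.com cases listed above. It assumes one recipient per message and models the ESA `!=` string rule as "the regex does not match"; the envelopes are constructed.

```python
import re
from dataclasses import dataclass


# Constructed envelopes mirroring the thread's example: a shared Office 365 host
# in RELAYLIST is used by abc.com (ours) and by pqr.com (another organisation).
@dataclass
class Envelope:
    sendergroup: str
    mail_from: str
    rcpt_to: str  # assumption: one recipient per message keeps the model simple


# The filter string '@abc\\.com' is a regex; it is left unanchored, exactly as written in the thread.
INTERNAL = re.compile(r"@abc\.com", re.IGNORECASE)


def not_internal(addr: str) -> bool:
    """Models `mail-from != '@abc\\.com'` / `rcpt-to != '@abc\\.com'`: true when the regex does not match."""
    return INTERNAL.search(addr) is None


def dropped_by_or_filter(env: Envelope) -> bool:
    """First version posted: drop if the sender OR the recipient is outside abc.com."""
    return env.sendergroup == "RELAYLIST" and (not_internal(env.mail_from) or not_internal(env.rcpt_to))


def dropped_by_and_filter(env: Envelope) -> bool:
    """Corrected version: drop only if the sender AND the recipient are both outside abc.com."""
    return env.sendergroup == "RELAYLIST" and (not_internal(env.mail_from) and not_internal(env.rcpt_to))


CASES = {
    "abc.com -> gmail.com": Envelope("RELAYLIST", "alice@abc.com", "bob@gmail.com"),
    "abc.com -> pqr.com": Envelope("RELAYLIST", "alice@abc.com", "carol@pqr.com"),
    "pqr.com -> abc.com": Envelope("RELAYLIST", "carol@pqr.com", "alice@abc.com"),
    "pqr.com -> gmail.com": Envelope("RELAYLIST", "carol@pqr.com", "bob@gmail.com"),
    # Same relayed message but from a host that is not in RELAYLIST: the filter never fires.
    "pqr.com -> gmail.com (not RELAYLIST)": Envelope("WHITELIST", "carol@pqr.com", "bob@gmail.com"),
}


def verdicts(rule) -> dict:
    """Return {case name: 'Dropped' | 'Accepted'} for one filter variant."""
    return {name: ("Dropped" if rule(env) else "Accepted") for name, env in CASES.items()}


if __name__ == "__main__":
    for label, rule in (("OR version", dropped_by_or_filter), ("AND version", dropped_by_and_filter)):
        print(label)
        for name, verdict in verdicts(rule).items():
            print(f"  {name}: {verdict}")
```

The AND version reproduces the four verdicts Libin listed; the OR version drops everything except abc.com-to-abc.com mail, which is why the filter had to be corrected.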
01-16-2018 12:07 PM
@Libin Varghese
I continue to get an illegal character error on the ' for the rcpt-to line.
01-16-2018 05:10 PM
Sorry about that. (The email address was within '' and did not need a ;)
DropRelayedMail:
if (sendergroup == 'RELAYLIST') AND
((mail-from != '@abc\\.com') AND (rcpt-to != '@abc\\.com')){
drop();
}
09-20-2019 01:59 AM
Hi Libin,
I have the same issue. Some of the emails from "outlook.com" are getting matched to "RELAYLIST". If I configure this message filter, such emails (like Outlook mails) to internal will be dropped, right?
@Libin Varghese wrote: Correcting the filter.
DropRelayedMail:
if (sendergroup == 'RELAYLIST') AND
((mail-from != '@abc\\.com;) AND (rcpt-to != '@abc\\.com;)){
drop();
}
- Libin V
09-24-2019 06:09 PM
Emails from Outlook matching RELAYLIST would mean the sender host generating those emails is added to the HAT RELAYLIST.
So you may need to confirm your setup to see if you use O365.
For implementing relay from O365, you may want to consider implementing a private listener specific for O365 emails.
Regards,
Libin
08-21-2020 08:28 AM
Would love to see a step-by-step document for supporting on-prem ESA and Office 365; I found one for the cloud ESA.
I'm having an issue with Office 365 and phishing email: Office 365 is failing the SPF record check since emails are relaying from our on-prem ESA servers.
08-21-2020 09:31 AM
Putting it on my list to blog about soon. First will be how to add an external warning to incoming emails.
Cisco Champion for Email blog : http://www.emailsecurityblog.info/
Give me 1-2 weeks.