Policy quarantine questions

mychrislo
Level 1

I'd like to perform lawful intercept on outgoing mails.

But the requirement is not using keyword, rather, it is based on sending user email addresses.

I can do the following, but I will need to update the dictionary and keep it in sync.

MonitorUserFilter: if mail-from-dictionary-match("MonitorUserGroup", 1) {
    duplicate-quarantine("Logging");
}

This will let the copy of email go to the "Logging" quarantine pool.

Questions

1. Can I do LDAP (Windows AD) group match here? This will be much better than maintaining the dictionary.

2. The ESA has the quarantine spool set to a few gigabytes (say sometimes 8G, sometimes 7G), version 7.5.2.

How do I expand the quarantine spool size? It seems it has been asked a few times. Do I need to use an SMA (M-series) to have a bigger external quarantine?

3. Considering the quarantine has a web interface for searching, it seems much better to use duplicate-quarantine than the "bcc" or "archive" filter action. With BCC I need to have an email server to receive it, but no searching capability. With ARCHIVE, I need to regularly copy the archive files out, and it also lacks a user interface to manipulate them.

Thanks.

Chris Lo


Donald Nash
Level 3

Regarding #1, look for the mail-from-group rule.

I can't help you with #2.

Regarding #3, I'd prefer BCC myself because then I could use a full-featured email client for searching. But our environment is such that I'd have an easy place to send the BCC copies and wouldn't need to spin up a whole new server just for the purpose.

++Don

donnylee
Cisco Employee

Hi Chris

#1. Like Don mentioned, you can use mail-from-group rule.

#2. ESA quarantine space is not determined by AsyncOS version, but by hardware model. For the requirement of larger spam quarantine space, you could consider using an SMA. Also, in SMA you can customize the unused space into spam quarantine space.

#3. BCC and archive will work. If you archived into a Unix box, you could use all Unix commands for searching/manipulating.

Regards,

Donny

Hi Donny,

Many thanks for the suggestion. I want to ask how to use "mail-from-group".

I got the following from the error_logs:

"LDAP: Listener Outbound does not reference a valid group query, comparison in filter will evaluate as false"

I have an LDAP group query defined (typical AD group query), how do I write the filter then?

Thanks.

Chris

Hi Chris,

Did you try including the Base DN when specifying the LDAP group in your filter?

I guess your filter should look like:

MonitorUserFilter:
if (mail-from-group == "CN=Example Group,OU=Our Groups,DC=example,DC=com")
{
    duplicate-quarantine("Logging");
}

Regards,
Donny

Hi Donny

Thanks for the hint. This works. But I also need to add the group query to the outbound listener.

I found two ways to achieve the same result(?)

a)     Add the group query to the outbound listener. Then write a message filter (CLI) as above.

b)     Use the GUI, add a policy to the outgoing mail policy PLUS a content filter. The matching policy is to use the LDAP group query with "CN=Example Group,OU=Our Groups,DC=example,DC=com" as SENDER for the criteria to hit.

The content filter is simply unconditional:

     Condition (empty = always hit)

     Action=Quarantine     rule=duplicate-quarantine ("Logging")

I'm still trying to quarantine this to my M-series though.

Can Policy Quarantine be done the same way as Spam Quarantine, using external storage?

Best Regards,

Chris

Hi Chris,

Affirmative, the mail-from-group rule will only work if you enabled LDAP group query on the listener (my apologies, I thought you already had the group query added to the listener config previously).

Unfortunately you cannot add any additional quarantine in the M-series, it is specifically made for Centralized/External Spam Quarantine. Unless you would "mark" these mails as spam, but I doubt you want to do it this way.

-Donny

Hi Donny,

If M-series is not a complete answer to Policy Quarantine, then I would actually raise a feature request (through the proper channel) to see how to make it work here.

Perhaps I have been misunderstanding how this works....

Lawful intercept or email archiving is one of the features we believe has been available since IronPort's inception. That works. But we need a big Policy Quarantine area to keep it. If M-series can't be used, C-series is also not big enough to hold the emails for a sufficiently long time.

We would then need to look at other solutions such as "Postini" or Exchange journaling.

Thanks a lot

Chris

Chris,

You can mark a message as spam via a message or content filter by adding a specific header to it. I don't remember the header, but I do know it was discussed here in this forum a few months ago (I started the thread by asking for a way to send a message to a spam quarantine programmatically). This would let you send the messages in question to the M-series quarantine. This isn't perfect because you are using the spam quarantine for policy reasons, but it may work out okay depending on what else you use the spam quarantine for.

++Don

Hi Don,

Indeed there are two ways to send to ISQ.

a)  alt-mailhost('the.euq.queue')

b)  Insert-Header ('X-Ironport-Quarantine: somevalue')

But both will send the mail to quarantine and stop, even if I have an action such as duplicate-quarantine. No mail is sent to recipient.

It may sound weird to most, because why would we need to ISQ an email but at the same time want the mail to be delivered?

My goal is to just copy it and send it to ISQ, while letting the mail be delivered.

At this moment, I can't get both done in the same message/content filter.

MonitorUserADGroupFilter: if mail-from-group == "CN=somegroup, OU=XX, DC=company, dc=com" {
    deliver();
    alt-mailhost("the.euq.queue");
}

deliver() is now called "skip-filters()", btw.

The above won't work because once delivered, the message no longer exists and quarantining to 'the.euq.queue' has no effect.

If I put alt-mailhost higher than deliver, then the message does not deliver.

I also tried "duplicate-quarantine" in place of it with deliver(). Same behavior.

What's the best way to "deliver and copy to ISQ"?

Regards,

Chris

Why not send those messages to another mailbox in your email system for archiving and accountability. Think of it as an off-box policy quarantine.

Sent from Cisco Technical Support iPad App
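As an added example (not code from any poster in this thread), one way to combine Don's off-box mailbox suggestion with the mail-from-group condition that Chris got working: bcc() generates a separate copy for the archive mailbox, so the original message keeps flowing to its recipient, and duplicate-quarantine() keeps a searchable copy in the on-box policy quarantine as well. The group DN and the archive address are placeholders, and the filter assumes the outbound listener already references the AD group query, as discussed above.

```text
# Constructed example message filter; enter via the CLI "filters" command.
# Both actions below are non-final: neither redirects the original message,
# unlike alt-mailhost(), which reroutes the single copy and so never delivers it.
MonitorUserArchive:
if (mail-from-group == "CN=Example Group,OU=Our Groups,DC=example,DC=com")
{
    # copy to an archive mailbox on your own mail system (placeholder address)
    bcc("intercept-archive@example.com");
    # keep a copy in the searchable on-box policy quarantine
    duplicate-quarantine("Logging");
}
```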