Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
577
Views
0
Helpful
1
Replies

Quarantine email recipient starts with 10

rab ngl
Level 1
Level 1

‎09-07-2016 11:11 PM

Hi,

I created an incoming filter to quarantine an email recipient starts with 10, for example 109123@domain-y.com

Recipient_Start_With_10: if (rcpt-to == "^10") { quarantine("Policy"); }

I tested the filter and works fine. But, there are some emails intended to multiple recipients which start with 10 and another NOT start with 10.

For example:
Recipient: somebody@domain-y.com, 109123@domain-y.com

With the configuration above, the email is not delivered to both recipients.

What I need is the email to somebody@domain-y.com should be delivered, but for 109123@domain-y.com should not be delivered?

Any thoughts on that?

Thanks.

Labels:
0 Helpful
1 Reply 1

Libin Varghese
Cisco Employee
Cisco Employee

‎09-08-2016 05:42 AM

Hi Rab,

An email with multiple recipients would not be processed differently unless the email is split for those recipients.

For instance when an email is injected it would have a MID 1, the message filters and content filters would take action on the entire message for MID 1.

In order to work around this the email can be split using a separate incoming mail policy and content filters for specific recipients.

If an email is injected with MID 1 and it has 2 recipients, if the first recipient matches mail policy 1 and the second recipient matches the default mail policy a new MID would be generated for the first recipient. Then a content filter for mail policy 1 would be able to quarantine the new MID generated.

However mail policies do not accept wildcards, hence you would need to find a way to split the emails into different MID's based on the below allowed formats.

e.g. user@example.com, user@, @example.com, @.example.com

You could then use content filters using wildcards.

For the example provided since the recipient address beginning with 10 is subject to change
Recipient: somebody@domain-y.com, 109123@domain-y.com

Incoming Mail Policy 1: Reciepient is somebody@domain-y.com : No content filters (This mail policy would need all recipient addresses to be allowed or a LDAP check to confirm recipients)

Incoming Mail Policy 2: Recipient is @domain-y.com : Content filter to check recipient address == "^10" and quarantine

Hope this helps.

Thanks
Libin

0 Helpful
Customers Also Viewed These Support Documents