Question on Filter Rules

Doug Maxfield
Level 1

Good Morning,

We just put our C370 into production a day ago and all that I can say is "WOW!!!!"  This is a great device.  The amount of Spam and invalid e-mails that are being blocked is incredible!!!!  Kudos to the development team and everyone working on the product!!!!  Keep it up!!!

We have noticed one issue that I have a question on.  Currently, we have an outside e-mail address that sends us encrypted e-mail and we allow them to do so.  Anyone else, we don't allow.  I have set up the following rule using the "Filters" command in the CLI:

Encryped_Email_Bypass:  if (recv-listener =='IncomingMail') and (attachment-protected) AND (mail-from == "^WorkbenchReporting@domain1.com$") AND (rcpt-to == "user1@domain2.com|user2@domain2.com|user3@domain2.com") {

    skip-spamcheck();
    skip-viruscheck();
    skip-vofcheck();
    alt-mailhost("[172.22.15.44]");

}

.


We thought that this would allow these messages to "bypass" our default virus/scanning rules, but it appears that it still runs through them.  What do I need to do to bypass my Incoming Mail Policies that are enforced from every user for this outside e-mail address only if it falls into the above rule?

Thanks,

Doug

Accepted Solutions

Martin Eppler
Cisco Employee

Hello Doug,

many thanks for the feedback on the appliance performance :-)

Regarding the filter bypass, this is hard to judge without seeing your current configuration and looking in the mail_logs or message tracking details to see what is happening on your appliance. As this is outside of the forum scope, may I please ask you to open a service request with our team? This can be done by using 'Help and Support -> Open a Support Case/Support Request' on the GUI of the appliance in question. This will open a service request in our system and also attach your appliance configuration to it.

Thanks and regards,

Martin

3 Replies

Thanks for the help.  Contacted Support and they responded very quickly.  We were able to write an Incoming Content Filter to take care of the issue.

Very pleased so far with the quality of the product and support!!!

Keep up the Great Work!!!!

Doug

Hi Doug,

First thanks for the kind words about the product. We really appreciate the feedback!

As you may have figured out already, for any given situation with the IronPort appliance there can be multiple solutions that can be utilized. Message filters will always occur prior to policies, spam scanning and virus scanning. I think what you have set up should work. The question here is what is not matching. To understand the exact cause I would recommend reviewing the mail logs. You would need to find the message in question and see if it actually triggered this filter. You could also use the trace function to test this behavior as well.

If the message is triggering on the filter, the next question is: is it being processed by filters that reside below the current filter? I would recommend adding either deliver(), which is a final action, or skip-filters(), which is also a final action, to the end of this filter. This way no other filters will process the message after the fact.

Also keep in mind that the filters are processed in top down order. If you have filters above this that have a final action such as deliver, and there is a positive match, this filter would be skipped.

Christopher C Smith
CSE
Cisco IronPort Customer Support
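
The ordering rules described in the reply above, as a simplified Python model. This is an added example, not part of the original thread and not AsyncOS code. The `Quarantine_Protected` and `Allow_Partner` filters, the message fields and the sample message are hypothetical and constructed for illustration; only the bypass filter's conditions and actions come from the question.

```python
import re

# Final actions named in the reply; reaching one stops all later filters.
FINAL_ACTIONS = {"deliver", "skip-filters"}

def run_filters(filters, msg):
    """Walk filters top-down. Return (matched filter names, actions applied)."""
    matched, applied = [], []
    for name, condition, actions in filters:
        if not condition(msg):
            continue
        matched.append(name)
        for action in actions:
            applied.append(action)
            if action in FINAL_ACTIONS:
                return matched, applied  # nothing below this filter runs
    return matched, applied

def bypass_condition(msg):
    # Same tests as the filter in the question, on a single-recipient message.
    return (msg["listener"] == "IncomingMail"
            and msg["attachment_protected"]
            and re.search(r"^WorkbenchReporting@domain1.com$", msg["mail_from"]) is not None
            and re.search(r"user1@domain2.com|user2@domain2.com|user3@domain2.com",
                          msg["rcpt_to"]) is not None)

BYPASS_ACTIONS = ["skip-spamcheck", "skip-viruscheck", "skip-vofcheck", "alt-mailhost"]
BYPASS = ("Encryped_Email_Bypass", bypass_condition, BYPASS_ACTIONS)
BYPASS_FINAL = ("Encryped_Email_Bypass", bypass_condition, BYPASS_ACTIONS + ["skip-filters"])
# Hypothetical neighbouring filters, constructed for this example.
LATER = ("Quarantine_Protected", lambda m: m["attachment_protected"], ["quarantine"])
EARLIER = ("Allow_Partner", lambda m: m["mail_from"].endswith("@domain1.com"), ["deliver"])

# Constructed sample message.
MSG = {"listener": "IncomingMail", "attachment_protected": True,
       "mail_from": "WorkbenchReporting@domain1.com", "rcpt_to": "user1@domain2.com"}

def scenarios(msg=MSG):
    """Run the same message through three filter orderings."""
    return {
        "no_final_action": run_filters([BYPASS, LATER], msg),
        "with_skip_filters": run_filters([BYPASS_FINAL, LATER], msg),
        "earlier_deliver": run_filters([EARLIER, BYPASS, LATER], msg),
    }

if __name__ == "__main__":
    for label, (matched, applied) in scenarios().items():
        print(f"{label}: matched={matched} applied={applied}")
```

In the first ordering the later filter still acts on the message, in the second `skip-filters` stops it, and in the third the bypass filter never runs because an earlier filter ended with `deliver`.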