05-18-2018 05:41 AM - edited 03-08-2019 07:37 PM
We just started having a problem with a vendor who replies to our Cisco CRES secure emails. When they do this the emails come from a Cisco server, 184.94.241.96 mxnat1.res.cisco.com, but the mail-from indicates it's from the actual company we are communicating with. This means the Ironport WSA checks the company's SPF record against 184.94.241.96, which does not exist, so it's an SPF-FAIL event. Therefore our incoming content filter dumps it into a quarantine we have appropriately named SPF-Fail.
I'd like to whitelist this, and I'm starting with mxnat1.res.cisco.com, but I'm afraid there will probably be other servers that the reply could potentially come from.
It basically looks like this - Incoming Content filter #8 of 14
1 - SPF Verification spf-status == "fail"
2 through 9 various EnvelopeSender mail-from != "@whitelisted domains we have issues with$"
10 - Remote IP/Hostname remote-ip != "mxnat1.res.cisco.com"
Actions
1 - Quarantine quarantine("spf-fail")
Here's a partial log of a message that was legitimate but quarantined and never delivered:
Received-SPF: Fail (email.ourdomain.com: domain of
Info@theirdomain.com does not designate 184.94.241.96 as
permitted sender) identity=mailfrom; client-ip=184.94.241.96;
receiver=email.ourdomain.com;
envelope-from="Info@theirdomain.com";
x-sender="Info@theirdomain.com"; x-conformance=spf_only;
x-record-type="v=spf1"
Received-SPF: None (email.ourdomain.com: no sender authenticity
information available from domain of
postmaster@mxnat1.res.cisco.com) identity=helo;
client-ip=184.94.241.96; receiver=email.ourdomain.com;
envelope-from="Info@theirdomain.com";
x-sender="postmaster@mxnat1.res.cisco.com";
05-21-2018 09:04 PM
You can try adding a partial hostname ".res.cisco.com".
Remote-IP/hostname condition as per the online help guide should allow for partial hostnames similar to sendergroups.
Regards,
Libin Varghese
05-22-2018 09:24 AM
Ok thanks,
I was overthinking it, but I realise there are a bunch of "If Envelope Sender" domains already in there, so I added if envelope sender mail-from != "@domaininquestion.com" and it worked. If they reply to a CRES email, it no longer is filed for our spf-fail rule to quarantine.
Though at the very end I did shorten the domain name so it shows Remote IP/Hostname remote-ip != ".res.cisco.com", so hopefully that catches others in the future that we're not explicitly naming.
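The following is an added example, not code from the thread or from Cisco: it parses the two Received-SPF headers quoted above (reproduced here as a constructed sample) and evaluates the same three-way filter logic the thread settles on (SPF result, exempt envelope-sender domains, exempt remote hostname). The suffix semantics for a leading-dot entry such as ".res.cisco.com" are an assumption based on the reply about partial hostnames; the function names and the `203.0.113.7` host are made up for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the headers quoted in the thread (not a real capture).
SAMPLE_HEADERS = """\
Received-SPF: Fail (email.ourdomain.com: domain of
Info@theirdomain.com does not designate 184.94.241.96 as
permitted sender) identity=mailfrom; client-ip=184.94.241.96;
receiver=email.ourdomain.com;
envelope-from="Info@theirdomain.com";
x-sender="Info@theirdomain.com"; x-conformance=spf_only;
x-record-type="v=spf1"
Received-SPF: None (email.ourdomain.com: no sender authenticity
information available from domain of
postmaster@mxnat1.res.cisco.com) identity=helo;
client-ip=184.94.241.96; receiver=email.ourdomain.com;
envelope-from="Info@theirdomain.com";
x-sender="postmaster@mxnat1.res.cisco.com";
"""


@dataclass
class SpfResult:
    result: str          # Pass / Fail / SoftFail / None / ...
    identity: str        # "mailfrom" or "helo"
    client_ip: str
    envelope_from: str
    x_sender: str
    explanation: str


_KV = re.compile(r'([\w-]+)=("[^"]*"|[^;\s]+)')
_REC = re.compile(r'^\s*(\w+)\s*\((.*?)\)\s*(.*)$', re.DOTALL)


def parse_received_spf(headers: str) -> list[SpfResult]:
    """Parse every Received-SPF header, each possibly folded over several lines."""
    results = []
    for record in re.split(r"(?m)^Received-SPF:", headers)[1:]:
        m = _REC.match(record)
        if not m:
            continue
        result, explanation, tail = m.groups()
        kv = {k: v.strip('"') for k, v in _KV.findall(tail)}
        results.append(SpfResult(
            result=result,
            identity=kv.get("identity", ""),
            client_ip=kv.get("client-ip", ""),
            envelope_from=kv.get("envelope-from", ""),
            x_sender=kv.get("x-sender", ""),
            explanation=" ".join(explanation.split()),
        ))
    return results


def mailfrom_result(results: list[SpfResult]) -> SpfResult:
    """The SPF check that matters for the filter is the one on the MAIL FROM identity."""
    return next(r for r in results if r.identity == "mailfrom")


def spf_fail_filter(mailfrom: SpfResult, remote_host: str,
                    exempt_sender_domains: set[str],
                    exempt_hosts: set[str]) -> str:
    """Mirror of the thread's incoming content filter: quarantine only when SPF
    failed AND the envelope-sender domain is not exempt AND the connecting host
    does not match an exempt (full or partial) hostname."""
    if mailfrom.result.lower() != "fail":
        return "deliver"
    domain = mailfrom.envelope_from.rsplit("@", 1)[-1].lower()
    if domain in exempt_sender_domains:
        return "deliver"
    host = remote_host.lower()
    for entry in (e.lower() for e in exempt_hosts):
        # Assumption: a leading-dot entry is a suffix match (".res.cisco.com"
        # covers mxnat1, mxnat2, ...); anything else must match exactly.
        if entry.startswith(".") and host.endswith(entry):
            return "deliver"
        if host == entry:
            return "deliver"
    return "quarantine:spf-fail"


def demo() -> dict[str, str]:
    """Run the thread's three configurations against the sample message."""
    mf = mailfrom_result(parse_received_spf(SAMPLE_HEADERS))
    return {
        "exact host, reply from mxnat1": spf_fail_filter(mf, "mxnat1.res.cisco.com", set(), {"mxnat1.res.cisco.com"}),
        "exact host, reply from mxnat2": spf_fail_filter(mf, "mxnat2.res.cisco.com", set(), {"mxnat1.res.cisco.com"}),
        "partial host .res.cisco.com":   spf_fail_filter(mf, "mxnat2.res.cisco.com", set(), {".res.cisco.com"}),
        "sender domain exempt, any host": spf_fail_filter(mf, "203.0.113.7", {"theirdomain.com"}, set()),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:32s} -> {decision}")
```

The last case is the one to weigh when choosing between the two fixes discussed: exempting the envelope-sender domain makes the filter deliver an SPF-failing message claiming that domain from any connecting host, whereas the partial-hostname exemption only relaxes the check for hosts under .res.cisco.com, which is narrower.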