Whitelisting a specific email address

zheka_pefti
Level 2

Hello Email Security Community,

Perhaps this question was asked many times and I did do my best to search through the whole forum.

I followed some advice but am still scratching my head trying to understand what is wrong.

I need to whitelist a specific email address through Ironport email security. I created, or rather added, an email address to the existing Whitelist that is inserted above the default policy with Anti-Spam set to disabled. I have to admit that emails sent by this sender are marketing emails and their content is about marketing campaigns performed by designated staff. The email is sent, Ironport accepts it because it comes from a sender with a 3.0 score. But it puts it in the spam quarantine. Why?

Moreover, when I do tracing by providing all the details from the message headers and pasting the body of the email I do see that it matches the whitelisting policy. But the email still ends up in spam quarantine.

Desperately need advice and help!

 

Eugene

1 Accepted Solution


Under Mail Policies/Mail Policy Options, there's a setting for matching the headers your policies apply to. 

Envelope sender may be the only one checked in priority P1.

Capture.PNG

You can create priorities and set an order to them, or turn them all on in P1 (which is how it used to work). 


15 Replies

If it's a marketing or bulk sender, also make sure that the Graymail detection/actions are appropriate... if one of those is set to quarantine, that would do it.

Capture.PNG

 

 

It might be useful if you posted the message tracking for one of the emails in question, sanitized if need be.

 

Ken

Thank you, Ken, a lot.

I have ALL policies disabled for this Whitelisting policy. 

Take a look at the attached screenshot.

But you half opened my eyes. 

Here's the extract from Message tracking and for some reason it hits Default policy

 

 

MAIL POLICY "DEFAULT" MATCHED THESE RECIPIENTS: it.xxxx@options.bc.ca
Incoming connection (ICID 1033318) has sender_group: ACCEPTED, sender_ip: 207.254.213.249 and sbrs: 3.5
Protocol SMTP interface Main_incoming_interface (IP 172.16.0.200) on incoming connection (ICID 1033318) from sender IP 207.254.213.249. Reverse DNS host drone192.ral.icpbounce.com verified yes.
(ICID 1033318) ACCEPT sender group ACCEPTED match sbrs[0.0:10.0] SBRS 3.5 sender IP 207.254.213.249 country Canada
Message 2207265 Sender Domain: icpbounce.com
Start message 2207265 on incoming connection (ICID 1033318).
Message 2207265 enqueued on incoming connection (ICID 1033318) from bounces+264572.35563716.533343@icpbounce.com.
Message 2207265 direction: incoming
Message 2207265 on incoming connection (ICID 1033318) added recipient (it.xxxx@options.bc.ca).
Message 2207265 SPF: helo identity postmaster@drone192.ral.icpbounce.com None
Message 2207265 SPF: mailfrom identity bounces+264572.35563716.533343@icpbounce.com Pass
Message 2207265 SPF: pra identity childxxxxyyyyzzzz@options.bc.ca None headers Unknown
Message 2207265 contains message ID header '<0.1.1.1E.1D52643A30575C4.0@drone192.ral.icpbounce.com>'.
Message 2207265 original subject on injection: testing 222
Message 2207265 has 'reply-to' header childxxxyyyzzz@options.bc.ca
Message 2207265 Domain Reputation: Neutral, Domain Age: 15 years 8 months 23 days, Threat Category: N/A
Message 2207265 (41799 bytes) from bounces+264572.35563716.533343@icpbounce.com ready.
Message 2207265 has sender_group: ACCEPTED, sender_ip: 207.254.213.249 and sbrs: 3.5
Message 2207265 matched per-recipient policy DEFAULT for inbound mail policies.
Message 2207265 scanned by Anti-Spam engine: CASE. Interim verdict: marketing
Message 2207265 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
Message 2207265 scanned by Anti-Virus engine. Final verdict: Negative
Message 2207265 scanned by Anti-Spam engine: GRAYMAIL. Final verdict: marketing_mail
Message 2207265 scanned by Outbreak Filters. Verdict: Negative
Message 2207265 queued for delivery.
Remote procedure call connection (RCID 325869) started for message 2207265 to local Spam Quarantine.

Message 2207265 quarantined in Spam Quarantine.

Like I said previously, when I trace this email it shows it as matching the Whitelisting policy

 

Message Delivery (matched on policy Whitelisting)
Outgoing Envelope Sender Tagging for Bounce Verification: Recipient it.tech@options.bc.ca will see tagged address prvs=06649ee22=childcareoptions@options.bc.ca
Final Recipients: it.xxxx@options.bc.ca
Final Message:
Authentication-Results: drone192.ral.icpbounce.com; spf=None smtp.pra=; spf=None smtp.mailfrom=childxxxyyyzzz@options.bc.ca; spf=None smtp.helo=postmaster@drone192.ral.icpbounce.com
Received-SPF: None (drone192.ral.icpbounce.com: no sender
  authenticity information available from domain of )
  identity=pra; client-ip=207.254.213.249;
  receiver=drone192.ral.icpbounce.com;
  envelope-from="childxxxyyyzzz@options.bc.ca"; x-sender="";
  x-conformance=sidf_compatible
Received-SPF: None (drone192.ral.icpbounce.com: no sender
  authenticity information available from domain of
  childxxxyyyzzz@options.bc.ca) identity=mailfrom;
  client-ip=207.254.213.249;
  receiver=drone192.ral.icpbounce.com;
  envelope-from="childxxxyyyzzz@options.bc.ca";
  x-sender="childxxxyyyzzz@options.bc.ca";
  x-conformance=sidf_compatible
Received-SPF: None (drone192.ral.icpbounce.com: no sender
  authenticity information available from domain of
  postmaster@drone192.ral.icpbounce.com) identity=helo;
  client-ip=207.254.213.249;
  receiver=drone192.ral.icpbounce.com;
  envelope-from="childxxxyyyzzz@options.bc.ca";
  x-sender="postmaster@drone192.ral.icpbounce.com";
  x-conformance=sidf_compatible
Received: from drone192.ral.icpbounce.com ([207.254.213.249])
  by esa.options.bc.ca with TEST; 18 Jun 2019 21:24:35 -0700
test

And the picture below shows that Greylisting is not applied to the Whitelisting policy

Greymail settings for whitelisting policy.PNG

Under Mail Policies/Mail Policy Options, there's a setting for matching the headers your policies apply to. 

Envelope sender may be the only one checked in priority P1.

Capture.PNG

You can create priorities and set an order to them, or turn them all on in P1 (which is how it used to work). 

Bingo! It did the trick. Thank you, Ken!

No one changed those priorities. I had only two in there, i.e. Envelope sender and Header sender.

Apparently the incoming email was verified against "reply-to" header. Never paid attention to it.

Thanks again, issue solved

Eugene
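
One way to check a tracking extract for the mismatch found above (an added example, not code from the thread or from Cisco): it parses the log lines quoted in this thread and reports which sender field carries the whitelisted address when the message still fell through to another policy. The whitelisted address is assumed to be the sanitized reply-to value, and the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the message tracking extract posted in this thread.
SAMPLE = """\
Message 2207265 enqueued on incoming connection (ICID 1033318) from bounces+264572.35563716.533343@icpbounce.com.
Message 2207265 on incoming connection (ICID 1033318) added recipient (it.xxxx@options.bc.ca).
Message 2207265 has 'reply-to' header childxxxyyyzzz@options.bc.ca
Message 2207265 matched per-recipient policy DEFAULT for inbound mail policies.
Message 2207265 scanned by Anti-Spam engine: GRAYMAIL. Final verdict: marketing_mail
Message 2207265 quarantined in Spam Quarantine.
"""

LINE = re.compile(r"^Message (\d+) (.*)$", re.M)
FIELDS = {
    "envelope_sender": re.compile(r"^enqueued on incoming connection \(ICID \d+\) from (\S+?)\.?$"),
    "recipient": re.compile(r"added recipient \((\S+)\)"),
    "reply_to": re.compile(r"^has 'reply-to' header (\S+)"),
    "policy": re.compile(r"^matched per-recipient policy (\S+) for inbound"),
    "graymail": re.compile(r"engine: GRAYMAIL\. Final verdict: (\S+)"),
    "quarantine": re.compile(r"^quarantined in (.+?)\.?$"),
}

def parse_tracking(text):
    """Collect the sender, policy and verdict fields for each message ID (MID)."""
    msgs = defaultdict(lambda: {"recipients": []})
    for mid, rest in LINE.findall(text):
        for field, rx in FIELDS.items():
            hit = rx.search(rest.strip())
            if hit and field == "recipient":
                msgs[mid]["recipients"].append(hit.group(1))
            elif hit:
                msgs[mid][field] = hit.group(1)
    return dict(msgs)

def whitelisted_fields_missed(msg, whitelisted, expected_policy="Whitelisting"):
    """For a quarantined message that missed the whitelist policy, list the sender fields holding a whitelisted address."""
    if msg.get("policy") == expected_policy or "quarantine" not in msg:
        return []
    wanted = {a.lower() for a in whitelisted}
    return [f for f in ("envelope_sender", "reply_to") if msg.get(f, "").lower() in wanted]

if __name__ == "__main__":
    # Assumption: the whitelisted address is the sanitized one seen in reply-to.
    for mid, msg in parse_tracking(SAMPLE).items():
        print(mid, msg["policy"], whitelisted_fields_missed(msg, ["childxxxyyyzzz@options.bc.ca"]))
```

A result of `['reply_to']` with no `envelope_sender` means the whitelisted address appears only in a header that the policy matching priority has to include before the Whitelisting policy can match.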

Well, I spoke too early. It doesn't work consistently. There are two email addresses that are supposed to receive an email from the whitelisted email address. One of them receives it right away, but the email for the second is put into the spam quarantine again. I see from message tracking that it matches the default policy. Weird...

Here's what I mean, there's one message with "testing 666" subject, it is being delivered to two addresses.

The first one receives it right away (to it.tech@), but the one destined to shady.goubran@ gets into the spam quarantine

test message 666.PNG

Checking on details confirms it, the first one matches Whitelisting policy:

MAIL POLICY "Whitelisting" MATCHED THESE RECIPIENTS: it.tech@

The second one matches the default policy:

MAIL POLICY "DEFAULT" MATCHED THESE RECIPIENTS: shady.goubran@

 

Dig into the headers.. feel free to post them if you want another set of eyes...




So which emails does the whitelist policy apply to?  

So which emails does the Whitelisting policy apply to?   Feel free to direct message if you don't want to post it. 

 

Here are two messages, I think there's nothing to sanitize in them here in Cisco forums

One of them matches Whitelisting policy, the other one - default.

It was sent as one email earlier today, hence the same subject

it.tech message went through.PNG

shady message went to quarantine.PNG

I can't seem to find in our conversation, did you post what the config is when you click on "Whitelisting" in the policy table?

 

Capture.PNG

Here it is, Ken, see below

Mail policy settings.PNG

Those are the options. I mean the actual list of email addresses that are supposed to be in the "whitelist".