Cisco Community
English
Register
Speak French? Now you can ask your questions in the new French Community! CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
configure & troubleshoot anyconnect

Configure Spoof protection with Exception lists

Labels:
3241
Views
10
Helpful
11
Comments
Tom Foucha
Tom Foucha Cisco Employee
Cisco Employee
‎04-02-2013 08:49 AM
‎04-02-2013 08:49 AM

(view in My Videos)

 

 

This video describes how to configure spoof protection and allow a list of external domains the ability to spoof the internal domain.

11 Comments
Christopher Smith
Christopher Smith Enthusiast
Enthusiast
‎04-02-2013 09:03 AM
‎04-02-2013 09:03 AM

Nice !

If you get time can you please add a basic list/table of contents using time markers simiar to our existing videos? You can look at some of the existing videos to get an idea. Let me know if you have any questions! It is slightly blurry but I can make it out , if this is a major issue for others we can see about fixing it using the conversion process.

0 Helpful
Zachary Reneau
Zachary Reneau Cisco Employee
Cisco Employee
‎12-10-2013 12:40 PM
‎12-10-2013 12:40 PM

It should be noted that the example allowspoof.com entered into the sendergroup would not be valid, as the sendergroup is a list of hostnames or IP addresses, not envelope domains. A valid entry would be something like smtp.allowspoof.com where smtp is the hostname of a sending device in the allowspoof.com root domain.

0 Helpful
Tom Foucha
Tom Foucha Cisco Employee
Cisco Employee
‎12-10-2013 01:02 PM
‎12-10-2013 01:02 PM

Valid entries in HAT

The following formats are allowed:

  • IPv6 addresses such as 2001:420:80:1::5
  • IPv6 subnets such as 2001:db8::/32
  • IPv4 addresses such as 10.1.1.0
  • IPv4 subnets such as 10.1.1.0/24 or 10.2.3.1
  • IPv4 and IPv6 address ranges such as 10.1.1.10-20, 10.1.1-5 or 2001::2-2001::10.
  • Hostnames such as example.com.
  • Partial hostnames such as .example.com.

but agreed being more specific is best.

0 Helpful
Zachary Reneau
Zachary Reneau Cisco Employee
Cisco Employee
‎12-10-2013 01:44 PM
‎12-10-2013 01:44 PM

That's true, but you'll virtually never encounter an MTA that uses the root domain as its hostname. I only point it out because we frequently see user admins entering lots of domains in sendergroups falsely thinking that it will match a given sender and then wondering why the IronPort malfunctioned.

0 Helpful
keithsauer507
keithsauer507 Enthusiast
Enthusiast
‎12-11-2014 12:29 PM
‎12-11-2014 12:29 PM

I'm not sure what part of this video broke it, but when following this, immediately all external mail was bounced back from our exchange server.  The following organization rejected your message: mail.ourdomain.com.

 

I immediately undid everything explained in this video and mail was fixed.  I am not sure how we can block spoofed email if it prevents us from emailing!

0 Helpful
Tom Foucha
Tom Foucha Cisco Employee
Cisco Employee
‎12-11-2014 12:46 PM
‎12-11-2014 12:46 PM

Attached PDF showing how to configure. Make sure that your RelayList is tied to a Relay policy and should be the first in your list and your internal mail servers should be hitting that HAT entry.

0 Helpful
keithsauer507
keithsauer507 Enthusiast
Enthusiast
‎12-11-2014 12:46 PM
‎12-11-2014 12:46 PM

Thank you for that document, that helps.  Although I am tempted to go ahead and try it again, I think I will wait until a slower time of day when any mishaps would go unnoticed.

 

I'm not sure what steps in that video broke outgoing mailflow, but the only thing that I did not follow was when I created the ALLOWSPOOF in the HAT overview, I did not change the order.  It just went to the bottom of the list, in my case # 7 in the list.  I can see on page 4 of this document ALLOWSPOOF is directly above WHITELIST in the HAT overview.

 

The only other difference we have is on page 4 your listener is called IncomingMail.  My listener is called AllMail (and the DMZ IP Address:25 of the IronPort).

0 Helpful
keithsauer507
keithsauer507 Enthusiast
Enthusiast
‎12-11-2014 01:26 PM
‎12-11-2014 01:26 PM

I think its because we have one public listener that is called AllMail?  Perhaps putting the block from our domain names would have to be done only on a public listener and then we would use another interface on a private listener that we would repoint exchange to?

0 Helpful
Tom Foucha
Tom Foucha Cisco Employee
Cisco Employee
‎12-11-2014 01:57 PM
‎12-11-2014 01:57 PM

My guide and video uses a single listener for all mail. What matters is what HAT policy you hit, when you send email you should be hitting the Relay MFP action tied to a policy. This policy should be first in the list and the Relay policy should not be checking the Sender Verification Exception list. You are not spoofing your own domain you are simply sending. When mail comes inbound it should never hit the Relay MFP hence it should hit one of the other HAT entries that do check the Sender Verification Exception list.

 

It is not listener specific but HAT/MFP specific.

0 Helpful
ardiii_890
ardiii_890 Beginner
Beginner
‎12-11-2014 11:20 PM
‎12-11-2014 11:20 PM

The solution is simple. In the Mail Flow Policy: RELAYED and Sender Group: RELAYLIST make sure:

1. Your exchange IP-s are there (relayed).

2. Use Sender Verification Exception is set to off, because you don't need to protect spoofing from your company's internal Exchange servers.

3. All  the other Mail flow policies should have Use Sender Verification Exception set to on.

0 Helpful
Tom Foucha
Tom Foucha Cisco Employee
Cisco Employee
‎12-12-2014 04:40 AM
‎12-12-2014 04:40 AM

Correct,

3. except for the SenderGroup you want to allow to spoof your domain. Thanks for assisting.

 

0 Helpful
Latest Contents
not able to verify show environment on cisco ASA5585
Created by AbdulBasit9098 on 07-22-2019 04:47 PM
0
0
0
0
Hi i am putting show environment command but not able to get there , i am new , one of friend suggested to change to context system , dont know how to do that. hope if someone can help here.He is using PRIFWPROD01/pri/act#  and is working for hi... view more
Hi all. I want to get a monthly report of incoming emails an...
Created by OlivierAvilez on 07-22-2019 02:45 PM
2
0
2
0
Hi all.I want to get a monthly report of incoming emails and when I do it, it only gives me four days in the csv export file, is there a way to get the full report?
Crosswork Situation Manager implementation and configuration...
Created by assanche on 07-22-2019 02:33 PM
0
0
0
0
Dear Involved, I am reading the information contained in the following links: Implement guide: https://www.cisco.com/c/dam/en/us/td/docs/cloud-systems-management/crosswork-network-automation/situation-manager/implementor_guide/Cisco_Crosswork_Situation_Ma... view more
Problems Using Self-Signed Certificates to Register Node
Created by s1nsp4wn on 07-22-2019 02:30 PM
1
0
1
0
I'm trying to register a 2nd node into my ISE 2.4 deployment.  I get warned that the default self-signed device cert of the other ISE node is being offered and I click accept to trust it anyways.  I get the error Unable to authenticate ISE <2... view more
AnyConnect VPN disconnects when RDP is closed
Created by Daniel Lucas on 07-22-2019 02:01 PM
0
0
0
0
Running into an issue when I RDP into a PC, and then establish a VPN connection to a customer's network. The VPN establishes fine, and I remain connected to my RDP session. I start an upload of a large file, and close the RDP session (not logoff). Later I... view more
CreatePlease to create content
Discussion
Blog
Document
Video