Cisco Cisco Email Security Appliance X1050 Guía Del Usuario
9-37
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Rules
For more information on SPF/SIDF, see
.
SMTP Authenticated User Match Rule
If your Cisco appliance uses SMTP authentication to send messages, the
smtp-auth-id-matches
(
<target> [, <sieve-char>]
)
rule can check a message’s headers and Envelope Sender against the
sender’s SMTP authenticated user ID to identify outgoing messages with spoofed headers. This filter
allows the system to quarantine or block potentially spoofed messages.
allows the system to quarantine or block potentially spoofed messages.
The
smtp-auth-id-matches
rule compares the SMTP authenticated ID against the following targets:
The filter performs matches loosely. It is not case-sensitive. If the optional sieve-char parameter is
supplied, the last portion of an address that follows the specified character will be ignored for the
purposes of comparison. For example, if the
supplied, the last portion of an address that follows the specified character will be ignored for the
purposes of comparison. For example, if the
+
character is included as a parameter, the filter ignores the
portion of the address
joe+folder@example.com
that follows the
+
character. If the address was
joe+smith+folder@example.com
, only the
+folder
portion is ignored. If the SMTP authenticated user
ID string is a simple username and not a fully-qualified e-mail address, only the username portion of the
target will be examined to determine a match. The domain must be verified in a separate rule.
target will be examined to determine a match. The domain must be verified in a separate rule.
Also, you can use the $SMTPAuthID variable to insert the STMP authenticated user ID into headers.
The following table shows examples of comparisons between the SMTP authenticated ID and email
addresses and whether they would match using the
addresses and whether they would match using the
smtp-auth-id-matches
filter rule:
Target
Description
*EnvelopeFrom
Compares the address of the Envelope Sender (also known
as MAIL FROM) in the SMTP conversation
as MAIL FROM) in the SMTP conversation
*FromAddress
Compares the addresses parsed out of the From header.
Since multiple addresses are permitted in the From:
header, only one has to match.
Since multiple addresses are permitted in the From:
header, only one has to match.
*Sender
Compares the address specified in the Sender header.
*Any
Matches messages that were created during an
authenticated SMTP session regardless of identity.
authenticated SMTP session regardless of identity.
*None
Matches messages that were not created during an
authenticated SMTP session. This is useful when
authentication is optional (preferred).
authenticated SMTP session. This is useful when
authentication is optional (preferred).
SMTP Auth ID
Sieve Char
Comparison Address
Matches?
someuser
otheruser@example.com
No
someuser
someuser@example.com
Yes
someuser
someuser@another.com
Yes
SomeUser
someuser@example.com
Yes
someuser
someuser+folder@example.com
No
someuser
+
someuser+folder@example.com
Yes
someuser@example.com
someuser@forged.com
No
someuser@example.com
someuser@example.com
Yes
SomeUser@example.com
someuser@example.com
Yes