Cisco Email Security Appliance X1050 Troubleshooting Guide

ESA SMTP Authentication Condition to Prevent Spoofing
Document ID: 117800
Contributed by Dan Waller and Robert Sherwin, Cisco TAC Engineers.
Jun 11, 2014
Contents
Introduction
Prerequisites
Background Information
Create a Filter
     Example Rule
Related Information
Introduction
This document describes how to create a filter based on the Simple Mail Transfer Protocol (SMTP)
Authenticated user and log the username into an X-header.
Prerequisites
Cisco recommends that you have knowledge of AsyncOS version 6.5 and later.
Background Information
The SMTP authentication function allows customers to use SMTP authentication for their clients in order to
connect to and send mail from Email Security Appliances (ESAs). Since the feature allows the authenticated
user to relay, it is possible for users to forge the "From:" field in emails that they send through the Cisco ESA.
In order to prevent users from forging, ESA AsyncOS Version 6.5 and later now contain a message filter
condition that permits comparisons against the authenticated SMTP user username and the mail From email
address.
Create a Filter
The message filter condition allows an administrator to write a filter, similar to the example rule in the next
section, that checks emails that are relayed outbound via an SMTP authentication session. If the SMTP
credentials are compromised, the machine that sends the emails usually generates several addresses to be used
as the mail From: header. The message filter condition only allows emails to leave if the username and mail
From: headers match. Otherwise, the email is considered a forged mail From:, and the message filter action
activates. The message filter action can be any final action; the example rule shows a quarantine action. The
filter condition has this syntax:
smtp-auth-id-matches("<target>" [, "<sieve-char>"])
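The check described above, modelled in Python as an added example (not Cisco's code and not part of the original document): it compares each SMTP AUTH username with the Mail From address of constructed relay records and lists the senders that do not match. The matching rules used here (case-insensitive comparison, a bare username compared with the local part only, the sieve character cutting off the rest of the local part) are assumptions for illustration, not the ESA's documented behavior.

```python
from collections import defaultdict

def normalize(addr, sieve_char=None):
    """Lower-case an address and drop the part of the local part after sieve_char."""
    local, _, domain = addr.strip().strip("<>").lower().partition("@")
    if sieve_char and sieve_char in local:
        local = local.split(sieve_char, 1)[0]
    return local, domain

def auth_id_matches(auth_id, envelope_from, sieve_char=None):
    """Assumed rule: a bare username is compared with the local part only;
    a full address must match on both local part and domain."""
    a_local, a_domain = normalize(auth_id, sieve_char)
    e_local, e_domain = normalize(envelope_from, sieve_char)
    if not a_local or not e_local:
        return False  # an empty auth ID or a null sender never matches
    if a_domain:
        return (a_local, a_domain) == (e_local, e_domain)
    return a_local == e_local

def audit(records, sieve_char=None):
    """Return {auth_id: sorted distinct Mail From values that did not match}."""
    forged = defaultdict(set)
    for auth_id, envelope_from in records:
        if not auth_id_matches(auth_id, envelope_from, sieve_char):
            forged[auth_id].add(envelope_from.lower())
    return {user: sorted(senders) for user, senders in forged.items()}

# Constructed sample: (SMTP AUTH username, Mail From) pairs from relayed sessions.
SAMPLE = [
    ("alice", "alice@example.com"),
    ("alice", "Alice+lists@example.com"),   # sub-address of the same mailbox
    ("bob@example.com", "bob@example.com"),
    ("carol", "billing@example.net"),       # one login, several unrelated senders:
    ("carol", "support@example.org"),       # the compromised-credential pattern
    ("carol", "carol@example.com"),
]

if __name__ == "__main__":
    for user, senders in audit(SAMPLE, sieve_char="+").items():
        print(f"{user}: {len(senders)} non-matching Mail From value(s): {senders}")
```
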
The filter permits a comparison against one of these targets:
• EnvelopeFrom: Compares the address specified in Mail From: in the SMTP conversation.