Cisco Cisco Email Security Appliance C170 Guia Do Utilizador
10-3
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 10 Mail Policies
Matching Users to a Mail Policy
Having separate sets of policies allow you to define different security rules for messages sent to your
users and messages sent from your users. You manage these policies using the Mail Policies > Incoming
Mail Policies or Outgoing Mail Policies pages in the GUI, or the
users and messages sent from your users. You manage these policies using the Mail Policies > Incoming
Mail Policies or Outgoing Mail Policies pages in the GUI, or the
policyconfig
command in the CLI.
Note
Data Loss Prevention scanning can only be performed on outgoing messages.
Note
In certain installations, “internal” mail being routed through the Cisco appliance may be considered
outgoing, even if all the recipients are addressed to internal addresses. For example, by default for Cisco
C160/170 customers, the system setup wizard will configure only one physical Ethernet port with one
listener for receiving inbound email and relaying outbound email.
outgoing, even if all the recipients are addressed to internal addresses. For example, by default for Cisco
C160/170 customers, the system setup wizard will configure only one physical Ethernet port with one
listener for receiving inbound email and relaying outbound email.
Matching Users to a Mail Policy
As messages are received by the appliance, the Email Security appliance attempts to match each message
recipient and sender to a mail policy in the Incoming or Outgoing Mail Policies table, depending on
whether it is an incoming or outgoing message.
recipient and sender to a mail policy in the Incoming or Outgoing Mail Policies table, depending on
whether it is an incoming or outgoing message.
Matches are based on either the recipient’s address or the sender’s address:
•
Recipient address matches the Envelope Recipient address
When matching recipient addresses, the recipient addresses entered are the final addresses after
processing by preceding parts of the email pipeline. For example, if enabled, the default domain,
LDAP routing or masquerading, alias table, domain map, and message filters features can rewrite
the Envelope Recipient address and may affect whether the message matches a mail policy.
processing by preceding parts of the email pipeline. For example, if enabled, the default domain,
LDAP routing or masquerading, alias table, domain map, and message filters features can rewrite
the Envelope Recipient address and may affect whether the message matches a mail policy.
•
Sender address matches:
–
Envelope Sender (RFC821 MAIL FROM address)
–
Address found in the RFC822 From: header
–
Address found in the RFC822 Reply-To: header
Addresses may be matched on either a full email address, user, domain, or partial domain, and addresses
may also match LDAP group membership.
may also match LDAP group membership.
First Match Wins
Each user (sender or recipient) is evaluated for each mail policy defined the appropriate mail policy table
in a top-down fashion.
in a top-down fashion.
For each user, the first matching policy wins. If a user does not match any specific policy, user will
automatically match the default policy of the table.
automatically match the default policy of the table.
If a match is made based on a sender address, all remaining recipients of a message will match that
policy. (This is because there can be only one sender per message.)
policy. (This is because there can be only one sender per message.)
Examples of Policy Matching
The following examples help show how the policy tables are matched in a top-down fashion.