Cisco Cisco Email Security Appliance C170 Guia Do Utilizador
9-44
User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Rules
Issuer
The issuer is a non-empty distinguished name in the X.509 certificate. AsyncOS extracts the issuer from
the certificate and converts it to an LDAP-UTF8 Unicode string. For example:
the certificate and converts it to an LDAP-UTF8 Unicode string. For example:
•
C=US,S=CA,O=IronPort
•
C=US,CN=Bob Smith
Since X.509 certificates require the issuer field,
signed-certificate(“issuer”)
evaluates whether the
S/MIME message contains an X.509 certificate.
Escaping in Regular Expressions
LDAP-UTF8 defines a mechanism for escaping that you can use in your regular expressions. For a
detailed discussion on escaping characters in LDAP-UTF8, consult Lightweight Directory Access
Protocol (LDAP): String Representation of Distinguished Names, accessible from
detailed discussion on escaping characters in LDAP-UTF8, consult Lightweight Directory Access
Protocol (LDAP): String Representation of Distinguished Names, accessible from
http://www.ietf.org/rfc/rfc4514.txt
.
The escaping rules for the
signed-certificate
rule’s regular expressions differ from the escaping rules
defined in LDAP-UTF8 by limiting escaping to only the characters that require escaping. LDAP-UTF8
allows optional escaping for characters that can be represented without escaping. For example, the
following two strings are considered correct for “Example, Inc.” using the LDAP-UTF8 escaping rules:
allows optional escaping for characters that can be represented without escaping. For example, the
following two strings are considered correct for “Example, Inc.” using the LDAP-UTF8 escaping rules:
•
Example\, Inc.
•
Example\,\ Inc\.
However, the
signed-certificate
rule only matches
Example\, Inc.
The regular expression does not
allow escaping the space and period for matching because these characters do not require escaping, even
though it is permitted in LDAP-UTF8. When creating a regular expression for the
though it is permitted in LDAP-UTF8. When creating a regular expression for the
signed-certificate
rule, do not escape a character if it can be represented without escaping.
$CertificateSigners Action Variable
The action variable
$CertificateSigners
is a comma separated list of signers obtained from the
subjectAltName
element of the signing certificate. Multiple email addresses of a single signer will be
included in the list with duplicates removed.
For example, Alice signs a message with her two certificates. Bob signs the message with his single
certificate. All certificates are issued by a single corporate authority. After the message passes the
S/MIME scan, the extracted data contain three items:
certificate. All certificates are issued by a single corporate authority. After the message passes the
S/MIME scan, the extracted data contain three items:
[
{
'issuer': 'CN=Auth,O=Example\, Inc.',
'signer': ['alice@example.com', 'al@private.example.com']
},
{
'issuer': 'CN=Auth,O=Example\, Inc.',
'signer': ['alice@example.com', 'al@private.example.com']