ESA Incoming Mail Filters
Introduction
In this lesson, we will configure incoming mail filters on the Email Security Appliance (ESA) to block emails that contain specific strings in their content. This is crucial for preventing unwanted or harmful emails from reaching users, thereby enhancing email security in a network environment.
Quick Recap
In the previous lesson, we set up the basic configuration for our Email Security Appliance (ESA) at the IP address 192.168.101.25. This lesson will build on that foundation by introducing incoming content filters.
Step-by-step configuration
Step 1: Configure Incoming Content Filter
What we are doing: We will create an incoming content filter named IC-BOMB that blocks emails containing the string "BOMB".
1. Browse to 192.168.101.25.
2. Log in using the username: admin and password: ironport.
3. Navigate to Mail Policies -> Incoming Content Filter -> Add Filter.
4. Enter the filter name: IC-BOMB.
5. Set the condition to block messages containing "BOMB".
6. Set the action to Drop.
7. Click Submit.
8. Commit the changes by clicking the Commit Changes button.
What just happened: We created a filter that identifies emails with the specified string and drops them before they reach the recipient's inbox. This helps in mitigating risks associated with harmful content.
Verify:
show content-filters
Expected output snippet:
| Filter Name | Condition | Action |
|---|---|---|
| IC-BOMB | Message Body contains "BOMB" | Drop |
Step 2: Configure Incoming Mail Policy
What we are doing: We will create an incoming mail policy named IC-Mail-Policy that utilizes the filter we just created.
1. Navigate to Mail Policies -> Incoming Mail Policies -> Add Policy.
2. Enter the policy name: IC-Mail-Policy.
3. Set Sender: Any.
4. Set Recipient: Any.
5. Add Content Filter: IC-BOMB.
6. Click Submit.
7. Commit the changes by clicking the Commit Changes button.
What just happened: This policy applies the content filter to all incoming emails, ensuring that any email with the string "BOMB" is dropped regardless of the sender or recipient.
Verify:
show mail-policies
Expected output snippet:
| Policy Name | Sender | Recipient | Content Filters |
|---|---|---|---|
| IC-Mail-Policy | Any | Any | IC-BOMB |
Step 3: Open the ESA SSH Console
What we are doing: We will access the ESA SSH console to monitor email logs.
1. Open the SSH console.
2. Type "Tail" to start logging.
3. Type 19 to begin logging mail messages.
What just happened: This command starts the logging process, allowing us to see real-time email activity and any actions taken by the filters.
Verify:
tail -f /var/log/mail.log
Expected output snippet:
... [Log entries showing email processing] ...
Step 4: Send a Test Email
What we are doing: We will send a test email from Abc1@abc.com to nhprep1@nhprep.live to verify the filter's functionality.
From: Abc1@abc.com
To: nhprep1@nhprep.live
Subject: BOOOOOOOOOOOOO MB
Message Body:
Hello NHPrep One,
BOMB is defused.
Regards,
ABC One
What just happened: This email is designed to trigger the filter we configured, as it contains the string "BOMB" in the message body.
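To make the decision logic of Steps 1, 2 and 4 concrete, the following Python script is an added example (not Cisco code and not part of this lesson's appliance configuration) that models the IC-BOMB content filter and IC-Mail-Policy as plain objects and runs the test email above through them. The `ContentFilter`, `MailPolicy`, `decide` and `build_message` names are constructed for this illustration; the real ESA evaluates its "Message Body contains" condition with its own engine, but the behaviour shown here is the same one the lesson relies on: the match is made against the body, so the obfuscated subject "BOOOOOOOOOOOOO MB" alone would not trigger the filter, and a plain string pattern is case-sensitive unless the condition is written to ignore case.

```python
"""Model of an ESA incoming content filter plus mail policy.

Added example, not Cisco code. It mirrors the lesson's configuration:
IC-BOMB (body contains "BOMB", action Drop) attached to IC-Mail-Policy
(sender Any, recipient Any), and evaluates the lesson's test email.
"""
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


@dataclass
class ContentFilter:
    """Constructed stand-in for one ESA content filter condition/action pair."""
    name: str
    body_pattern: str          # regular expression applied to the body text only
    action: str                # e.g. "Drop"
    ignore_case: bool = False  # constructed option: plain patterns are case-sensitive

    def matches(self, msg: EmailMessage) -> bool:
        """True when the text/plain body (not the headers) matches the pattern."""
        flags = re.IGNORECASE if self.ignore_case else 0
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body is not None else ""
        return re.search(self.body_pattern, text, flags) is not None


@dataclass
class MailPolicy:
    """Constructed stand-in for an incoming mail policy with attached filters."""
    name: str
    sender: str = "Any"        # "Any" or an exact address
    recipient: str = "Any"
    content_filters: list = field(default_factory=list)

    def applies_to(self, msg: EmailMessage) -> bool:
        sender_ok = self.sender == "Any" or str(msg["From"]) == self.sender
        recip_ok = self.recipient == "Any" or str(msg["To"]) == self.recipient
        return sender_ok and recip_ok

    def evaluate(self, msg: EmailMessage):
        """Return (action, filter_name); first matching filter wins."""
        if not self.applies_to(msg):
            return "Deliver", None
        for flt in self.content_filters:
            if flt.matches(msg):
                return flt.action, flt.name
        return "Deliver", None


def build_message(sender: str, recipient: str, subject: str, body: str) -> bytes:
    """Build an RFC 5322 message as raw bytes, the way an MTA would receive it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes()


def parse(raw: bytes) -> EmailMessage:
    return BytesParser(policy=policy.default).parsebytes(raw)


# The lesson's configuration, as constructed objects.
IC_BOMB = ContentFilter(name="IC-BOMB", body_pattern=r"BOMB", action="Drop")
IC_MAIL_POLICY = MailPolicy(name="IC-Mail-Policy", content_filters=[IC_BOMB])

# The lesson's test email (Step 4), constructed inline.
TEST_EMAIL = build_message(
    "Abc1@abc.com",
    "nhprep1@nhprep.live",
    "BOOOOOOOOOOOOO MB",
    "Hello NHPrep One,\nBOMB is defused.\nRegards,\nABC One\n",
)


def decide(raw_message: bytes, mail_policy: MailPolicy = IC_MAIL_POLICY):
    """Apply the policy to a raw message and return (action, filter_name)."""
    return mail_policy.evaluate(parse(raw_message))


if __name__ == "__main__":
    action, name = decide(TEST_EMAIL)
    print(f"{name or 'no filter'} -> {action}")
```

Running the script reports `IC-BOMB -> Drop` for the test email, because the pattern is found in the body. A message whose only suspicious text is in the Subject header, or one that spells the word `bomb` in lower case, is delivered by this filter as written; to catch the latter on the appliance the condition itself would have to be made case-insensitive, which is the kind of detail to check under "Filter not blocking emails" in the Common Mistakes table.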
Step 5: Verify the Filter Action
What we are doing: We will check the logs to confirm that the email was dropped by the filter.
tail -f /var/log/mail.log
What just happened: By reviewing the logs, we can see whether the email was processed and dropped by the IC-BOMB filter.
Verify:
tail -f /var/log/mail.log
Expected output snippet:
... [Log entry indicating the email was dropped by IC-BOMB] ...
Verification Checklist
- Check 1: The IC-BOMB filter is listed and configured correctly.
- Check 2: The IC-Mail-Policy is active and applying the filter.
- Check 3: The test email was dropped as expected.
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| Filter not blocking emails | Filter not configured properly | Double-check filter conditions and actions |
| Policy not applying | Policy not committed | Ensure to click Commit Changes |
| Logs not showing expected output | Logging not started or incorrect level | Verify SSH console commands and settings |