Messaging Gateway

  • 1.  Need to allow certain users to ONLY send mail to a specific domain

    Posted Mar 16, 2011 01:01 PM

    Hi all. We have Symantec Brightmail v 9.0.2

    We have some Exchange users that should only be allowed to send mail to a specific domain.

    I tried to arrange this by creating a policy rule that goes like this:

     

     

    If text in Envelope sender part of the message header contains Email address from dictionary "Restricted Senders"
                        AND If text in Envelope recipient part of the message header does not contain Domain name from dictionary "Allowed Domains"
     
    Action - Delete message
     
     
     
    Now this works fine as long as the restricted senders send a message to some other domains - their messages are blocked, no problem.
     
    But if they send a message to a bunch of domains and also include the allowed domain as a recipient - the message is sent to everyone.
     
     
     
    Is there a better way to accomplish the restriction? Thanks!


  • 2.  RE: Need to allow certain users to ONLY send mail to a specific domain

    Posted Mar 16, 2011 02:07 PM

    I see I can use regular expressions and create a construct like this:

     

    If text in Envelope recipient part of the message does not match regular expression ^.*@AllowedDomain.com$

     

    But what if there is a number of various allowed domains? I guess I would have to stack on additional conditions for each one?

     

    Also is it better to use "If text in the Envelope Recipient"  or "If text in the To/Cc/Bcc field" ?

     

    And finally if I do this, I think I will have another, opposite side effect:   if the sender sends mail to a bunch of recipients, some in the allowed domains and some in other domains, then NO ONE will receive the message, even the allowed recipients. Right?  I think Brightmail will look at the message and say "hmmm... I see some recipients that don't match, I am going to block the message as a whole"



  • 3.  RE: Need to allow certain users to ONLY send mail to a specific domain

    Posted Mar 16, 2011 03:23 PM

    So I set up a rule with these conditions:

     

     

    If text in Envelope sender part of the message header contains Email address from dictionary "Restricted Senders"
        AND If text in Envelope recipient part of the message does not match regular expression "^.*@AllowedDomain01\.com$"
        AND If text in Envelope recipient part of the message does not match regular expression "^.*@AllowedDomain02\.com$"

     

    Works great. But there is another side effect, as I predicted:

     

    When a message is sent to someone@AllowedDomain01.com; someoneelse@AllowedDomain02.com; somebody@SomeRandomDomain.com - the message is blocked as a whole and NO ONE receives it.



  • 4.  RE: Need to allow certain users to ONLY send mail to a specific domain

    Posted Mar 16, 2011 03:27 PM

    Nope. Can't.  It's all or nothing on message verdicts.  I suggest that you look at using incident quarantine and a different verdict.

     

    e.g.

    verdict

    - hold message in incident queue "invalid recipient domains"  and

    - send notification "invalid recipient domain" to sender.

     

    The incident queue would let you (or someone in authority) review and either release or delete the message.  The notification would let the sender know that they can't send to some domains.    This way you give them feedback and let them know the boss is watching.  And you get to find out what the message is about.



  • 5.  RE: Need to allow certain users to ONLY send mail to a specific domain

    Posted Mar 16, 2011 10:50 PM

    Thanks, but even with the incident quarantine it is all or nothing, right?

    If I review the message and consider it is OK to be released, it will be released to all the recipients, right?

     



  • 6.  RE: Need to allow certain users to ONLY send mail to a specific domain

    Posted Mar 17, 2011 05:26 PM

    Right.



  • 7.  RE: Need to allow certain users to ONLY send mail to a specific domain

    Posted Mar 18, 2011 06:53 PM

    Hi Andrey,

    Have you checked this article?

    http://www.symantec.com/business/support/index?page=content&id=TECH132568

    Thank you,
    Marco Bicca



  • 8.  RE: Need to allow certain users to ONLY send mail to a specific domain

    Posted Mar 18, 2011 08:51 PM

    Marco, is it the fact that you are limiting the MTA to single addressee delivery that forces the evaluation on a per-recipient message?

     

    Scenario (2)

    6. Change "Maximum number of recipients per message" to "1".  NOTE: Default is 1024

    This would imply that the MTA is splitting the message to recipients, and then doing policy evaluation.  Correct?

    Isn't there a significant side effect of causing all messages to a recipient domain to be delivered one recipient at a time? That could slow delivery if multiple addressees are common in your mail flow. It also means that you'll use <recipient> times the bandwidth for each message.

    Does the MTA connect, send a message, RSET, send a message.  Or does it connect, send a message, DISCONNECT, CONNECT, send a message?

    I suspect the latter (disconnect) will drive sites like Yahoo crazy with their connection throttling.  I've seen MTAs that Disconnect/Connect when they hit recipient count limits.



  • 9.  RE: Need to allow certain users to ONLY send mail to a specific domain

    Posted Mar 19, 2011 12:28 AM

    Thanks, haven't seen that article before.

     

    Sounds like a nice option, but I am also concerned whether this would impact performance.
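
Added example, not part of the thread and not Symantec code: a small Python model of the three behaviours reported above (the dictionary rule from post 1, the stacked "does not match" rule from post 3, and evaluation after splitting to one recipient per message as asked about in post 8). The sender address, function names and the combined Python regex are assumptions for illustration; Brightmail's own rule syntax and engine are not reproduced here.

```python
import re

# Constructed sample data; domain names reuse the thread's placeholders.
RESTRICTED_SENDERS = {"restricted.user@example.com"}
ALLOWED_DOMAINS = ["AllowedDomain01.com", "AllowedDomain02.com"]

# One anchored, case-insensitive Python pattern built from the list.
# re.escape() keeps each "." literal, and "$" rejects trailing suffixes.
ALLOWED_RE = re.compile(
    r"^[^@\s]+@(?:%s)$" % "|".join(re.escape(d) for d in ALLOWED_DOMAINS),
    re.IGNORECASE,
)

def is_allowed(rcpt):
    """True when the envelope recipient is in an allowed domain."""
    return ALLOWED_RE.match(rcpt) is not None

def whole_message_verdict(sender, rcpts, block_if):
    """Model one verdict applied to every recipient of the message.

    block_if="none_allowed":   block only if no recipient is allowed
                               (behaviour seen with the rule in post 1)
    block_if="any_disallowed": block if any recipient is not allowed
                               (behaviour seen with the rule in post 3)
    """
    if sender.lower() not in RESTRICTED_SENDERS:
        return {r: "deliver" for r in rcpts}
    if block_if == "none_allowed":
        hit = not any(is_allowed(r) for r in rcpts)
    elif block_if == "any_disallowed":
        hit = any(not is_allowed(r) for r in rcpts)
    else:
        raise ValueError("unknown mode: %r" % block_if)
    return {r: ("block" if hit else "deliver") for r in rcpts}

def per_recipient_verdict(sender, rcpts):
    """Model splitting into one-recipient copies before policy evaluation."""
    result = {}
    for r in rcpts:
        result.update(whole_message_verdict(sender, [r], "any_disallowed"))
    return result

if __name__ == "__main__":
    mixed = ["someone@AllowedDomain01.com", "someoneelse@AllowedDomain02.com",
             "somebody@SomeRandomDomain.com"]
    for mode in ("none_allowed", "any_disallowed"):
        print(mode, whole_message_verdict("restricted.user@example.com", mixed, mode))
    print("split", per_recipient_verdict("restricted.user@example.com", mixed))
```

Only the split evaluation delivers to the two allowed recipients while blocking the third; the cost is one policy evaluation and one outbound copy per recipient, which is the performance concern raised in posts 8 and 9.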