How do I match the Sender Group "ALL" with a message filter?

Available Languages

Updated:December 26, 2017
Document ID:212588

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This article describes how to match the Sender Group "ALL" with a message filter and verifying that it's filtering on the Email Security Appliance (ESA).                                                                          

    Background Information

    The requirement to take action for messages matching into the "ALL" Sender Group as indicated in the table below and when the message filter condition of "(sendergroup =="ALL")" does not return a positive match. This behaviour is due to the fact that the connection did not match any of the defined Sender Groups. Hence, it is considered as "none". In order to detect messages matching into "ALL" Sender Group, a message filter can be configured.

    212588-how-do-i-match-the-sender-group-all-wi-00.png

    How do I match the Sender Group "ALL" with a message filter and verify the filter action?

    Note: The Sender Group condition can only be configured with message filters in the CLI of the ESA.

    Creating the message filter

    The message filter syntax to take action on messages matching "ALL" Sender Group:

    DEFAULT_Sendergroup:
    if (sendergroup == "none")
    {
    log-entry("Default Sender Group ALL matched");
    }
    .

    or

    DEFAULT_Sendergroup:
    if (sendergroup == "")
    {
    log-entry("Default Sender Group ALL matched");
    }
    .

    Verifying the filter action

    Emails matched against this message filter will be indicated in the mail_logs or Message Tracking.

    An excerpt of a mail_log example:

    Thu Nov 23 22:37:44 2017 Info: New SMTP ICID 109 interface Management (10.10.10.1) address 10.10.10.12 reverse dns host unknown verified no
    Thu Nov 23 22:37:44 2017 Info: ICID 109 ACCEPT SG None match ALL SBRS rfc1918 country not applicable
    Thu Nov 23 22:37:51 2017 Info: Start MID 329 ICID 109
    Thu Nov 23 22:37:51 2017 Info: MID 329 ICID 109 From: <user@example.com>
    Thu Nov 23 22:37:56 2017 Info: MID 329 ICID 109 RID 0 To: <testrecipient@cisco.com>
    Thu Nov 23 22:38:04 2017 Info: SenderBase upload: 1 hosts totaling 3542 bytes
    Thu Nov 23 22:38:25 2017 Info: MID 329 Message-ID '<68aa4b$a9@adesa3.cisco.com>'
    Thu Nov 23 22:38:25 2017 Info: MID 329 Subject 'SenderGroup Test - None'
    Thu Nov 23 22:38:25 2017 Info: MID 329 ready 140 bytes from <user@example.com>
    Thu Nov 23 22:38:25 2017 Info: MID 329 Custom Log Entry: Default Sender Group ALL matched
    Thu Nov 23 22:38:25 2017 Info: MID 329 matched all recipients for per-recipient policy DEFAULT in the inbound table
    Thu Nov 23 22:38:25 2017 Info: Delivery start DCID 0 MID 329 to RID [0]
    Thu Nov 23 22:38:25 2017 Info: Message finished MID 329 done
    Thu Nov 23 22:38:28 2017 Info: ICID 109 close

    For additional information about message filters, see the Advanced Configuration Guide.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    26-Dec-2017
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Gagan Kumar J
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products