This document provides an in-depth analysis of the Gold Configuration for Cisco Secure Email Cloud Gateway.
Cisco recommends that you know these topics:
The information in this document is from the gold configuration and best practice recommendations for Cisco Secure Email Cloud customers and administrators.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
This document is also applicable with:
Quarantines are configured and maintained on the Email and Web Manager for Cisco Secure Email Cloud customers. Log in to your Email and Web Manager to view the quarantines.
Warning: Review and understand any configuration change based on the best practices in this document before you commit it in your production environment. Consult your Cisco CX Engineer, Designated Service Manager (DSM), or Account Team before you make configuration changes.
The Gold Configuration for Cisco Secure Email Cloud customers is the best-practice, day-zero (initial) configuration for both the Cloud Gateway and the Cisco Secure Email and Web Manager. Cisco Secure Email Cloud deployments use both Cloud Gateway(s) and at least one (1) Email and Web Manager. Parts of the configuration and best practices direct administrators to use quarantine(s) located on the Email and Web Manager for centralized management purposes.
Mail Policies > Recipient Access Table (RAT)
The Recipient Access Table defines which recipients are accepted by a public listener. At a minimum, the table specifies the address and whether to accept or reject it. Please review the RAT to add and manage your domains as needed.
Network > SMTP Routes
If the SMTP route destination is Microsoft 365, please see Office365 Throttling CES New Instance with "4.7.500 Server busy. Please try again later".
The services listed are configured for all Cisco Secure Email Cloud customers with the values provided:
IronPort Anti-Spam (IPAS)
URL Filtering
Graymail Detection
Outbreak Filters
Advanced Malware Protection > File Reputation and Analysis
Message Tracking
Users (System Administration > Users)
Log Subscriptions (System Administration > Log Subscriptions)
Additional services to review and consider:
System Administration > LDAP
URL Defense
SPF
exists:%{i}.spf.<allocation>.iphmx.com
Note: Ensure the SPF record ends with either ~all or -all. Validate the SPF records for your domains before and after any changes. The ip4 range in the third example below is a placeholder in RFC 1918 space; substitute the public address ranges of your own on-premises senders.
Additional SPF Examples
v=spf1 mx a:mail01.yourdomain.com a:mail99.yourdomain.com ~all
v=spf1 mx exists:%{i}.spf.<allocation>.iphmx.com ~all
v=spf1 exists:%{i}.spf.<allocation>.iphmx.com ip4:192.168.0.1/16 ~all
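As an added, offline illustration of how the records above are evaluated (example code written for this page, not Cisco's or any library's implementation): it expands the %{i} macro the way RFC 7208 specifies (dotted decimal for IPv4, dot-separated nibbles for IPv6), matches ip4 CIDRs with host bits ignored, resolves mx, a and exists against a constructed in-memory DNS table instead of a live resolver, and counts the DNS-querying mechanisms against the 10-lookup limit, which is one of the checks a validator performs. The allocation label, host names and addresses are placeholders, and only the %{i} macro is supported.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms and modifiers that cost a DNS lookup under RFC 7208's limit of 10.
DNS_MECHANISMS = {"a", "mx", "exists", "include", "ptr", "redirect"}

# Constructed DNS stand-ins (no real resolver; every name and address is made up).
DNS_A = {
    "mail01.yourdomain.com": {"198.51.100.5"},
    "mail99.yourdomain.com": {"198.51.100.99"},
}
DNS_MX = {"yourdomain.com": ["mail01.yourdomain.com"]}
# Names that "exist" (return an A record) under the exists: mechanism.
# <allocation> is kept as the page's placeholder label.
EXISTS_NAMES = {"203.0.113.10.spf.<allocation>.iphmx.com"}


def macro_i(client_ip: str) -> str:
    """%{i}: dotted decimal for IPv4, dot-separated hex nibbles for IPv6."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))


def expand(domain_spec: str, client_ip: str) -> str:
    """Expand the only macro this example supports (assumption: %{i})."""
    if "%{" in domain_spec.replace("%{i}", ""):
        raise ValueError("only the %{i} macro is supported in this example")
    return domain_spec.replace("%{i}", macro_i(client_ip))


def lookup_count(record: str) -> int:
    """Number of DNS-querying terms; a validator flags anything above 10."""
    names = (t.lstrip("+-~?").split(":")[0].split("=")[0].lower()
             for t in record.split()[1:])
    return sum(1 for n in names if n in DNS_MECHANISMS)


def check_host(record: str, client_ip: str, domain: str) -> str:
    """Evaluate an SPF record left to right; first matching term wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    if lookup_count(record) > 10:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # strict=False ignores host bits, so 192.168.0.1/16 behaves as 192.168.0.0/16.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in DNS_A.get(arg or domain, set())
        elif mech == "mx":
            matched = any(str(ip) in DNS_A.get(h, set())
                          for h in DNS_MX.get(arg or domain, []))
        elif mech == "exists":
            matched = expand(arg, client_ip) in EXISTS_NAMES
        else:
            return "permerror"  # include/ptr/redirect not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no "all" present


if __name__ == "__main__":
    records = [
        "v=spf1 mx a:mail01.yourdomain.com a:mail99.yourdomain.com ~all",
        "v=spf1 mx exists:%{i}.spf.<allocation>.iphmx.com ~all",
        "v=spf1 exists:%{i}.spf.<allocation>.iphmx.com ip4:192.168.0.1/16 ~all",
    ]
    for rec in records:
        for ip in ("203.0.113.10", "198.51.100.5", "192.168.77.8"):
            print(f"{ip:>14}  {check_host(rec, ip, 'yourdomain.com'):<8}  {rec}")
</test>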
Anti-Spoof Filter
Add Header Filter
addHeaders: if (sendergroup != "RELAYLIST")
{
    insert-header("X-IronPort-RemoteIP", "$RemoteIP");
    insert-header("X-IronPort-MID", "$MID");
    insert-header("X-IronPort-Reputation", "$Reputation");
    insert-header("X-IronPort-Listener", "$RecvListener");
    insert-header("X-IronPort-SenderGroup", "$Group");
    insert-header("X-IronPort-MailFlowPolicy", "$Policy");
}
HAT Overview > Additional Sender Groups
In the predefined SUSPECTLIST sender group
Aggressive HAT Sample
Note: The HAT examples show additionally configured Mail Flow Policies (MFP). For complete information for MFP, please refer to "Understanding the Email Pipeline > Incoming/Receiving" in the User Guide for the appropriate version of AsyncOS for the Cisco Secure Email Gateway you have deployed.
HAT example:
Default Policy Parameters
Security Settings
Note: DMARC requires additional tuning to configure. For further information on DMARC, please refer to "Email Authentication > DMARC Verification" in the User Guide for the appropriate version of AsyncOS for the Cisco Secure Email Gateway you have deployed.
Default Policy is configured similar to:
Anti-Spam
Anti-Virus
AMP
Graymail
Content Filters
Outbreak Filters
Policy Names (shown)
The BLOCKLIST mail policy is configured with all services disabled except Advanced Malware Protection, and links to the BLOCKLIST_QUARANTINE content filter, whose only action is to quarantine the message.
The ALLOWLIST mail policy has Anti-Spam and Graymail disabled, and Content Filters enabled for URL_QUARANTINE_MALICIOUS, URL_REWRITE_SUSPICIOUS, URL_INAPPROPRIATE, DKIM_FAILURE, SPF_HARDFAIL, EXECUTIVE_SPOOF, DOMAIN_SPOOF, SDR, TG_RATE_LIMIT, or content filters of your choice and configuration.
The ALLOW_SPOOF mail policy has all default services enabled, with Content Filters enabled for URL_QUARANTINE_MALICIOUS, URL_REWRITE_SUSPICIOUS, URL_INAPPROPRIATE, SDR, or content filters of your choice and configuration.
Default Policy is configured similar to:
Anti-Spam
Anti-Virus
Advanced Malware Protection
Graymail
Content Filters
Outbreak Filters
DLP
Note: For additional information on Content Filters, please refer to "Content Filters" in the User Guide for the appropriate version of AsyncOS for the Cisco Secure Email Gateway you have deployed.
URL_QUARANTINE_MALICIOUS
Condition: URL Reputation; url-reputation(-10.00, -6.00, "bypass_urls", 1, 1)
Action: Quarantine; quarantine("URL_MALICIOUS")
URL_REWRITE_SUSPICIOUS
Condition: URL Reputation; url-reputation(-5.90, -5.60, "bypass_urls", 0, 1)
Action: URL Reputation; url-reputation-proxy-redirect(-5.90, -5.60, "", 0)
URL_INAPPROPRIATE
Condition: URL Category; url-category (['Adult', 'Child Abuse Content', 'Extreme', 'Hate Speech', 'Illegal Activities', 'Illegal Downloads', 'Illegal Drugs', 'Pornography', 'Filter Avoidance'], "bypass_urls", 1, 1)
Action: Quarantine; duplicate-quarantine("INAPPROPRIATE_CONTENT")
DKIM_FAILURE
Condition: DKIM Authentication; dkim-authentication == hardfail
Action: Quarantine; duplicate-quarantine("DKIM_FAIL")
SPF_HARDFAIL
Condition: SPF Verification; spf-status == fail
Action: Quarantine; duplicate-quarantine("SPF_HARDFAIL")
EXECUTIVE_SPOOF
Condition: Forged Email Detection; forged-email-detection("Executive_FED", 90, "")
Condition: Other Header; header("X-IronPort-SenderGroup") != "(?i)allowspoof"
* set Apply rule: Only if all conditions match
Action: Add/Edit Header; edit-header-text("Subject", "(.*)", "[EXTERNAL]\\1")
Action: Quarantine; duplicate-quarantine("FORGED_EMAIL")
DOMAIN_SPOOF
Condition: Other Header; header("X-Spoof")
Action: Quarantine; duplicate-quarantine("ANTI_SPOOF")
SDR
Condition: Domain Reputation; sdr-reputation (['awful'], "")
Condition: Domain Reputation; sdr-age ("days", <, 5, "")
* set Apply rule: If one or more conditions match
Action: Quarantine; duplicate-quarantine("SDR_DATA")
TG_RATE_LIMIT
Condition: Other Header; header("X-TG-RATELIMIT")
Action: Add Log Entry; log-entry("X-TG-RATELIMIT: $filenames")
BLOCKLIST_QUARANTINE
Condition: (None)
Action: Quarantine; quarantine("BLOCKLIST")
TG_OUTBOUND_MALICIOUS
Condition: Other Header; header("X-TG-OUTBOUND") == "MALWARE"
Action: Quarantine; quarantine("TG_OUTBOUND_MALWARE")
Strip_Secret_Header
Condition: Other Header; header("PLACEHOLDER") == "PLACEHOLDER"
Action: Strip Header; strip-header("X-IronPort-Tenant")
EXTERNAL_SENDER_REMOVE
Condition: (None)
Action: Add/Edit Header; edit-header-text("Subject", "\\[EXTERNAL\\]\\s?", "")
ACCOUNT_TAKEOVER
Condition: Other Header; header("X-AMP-Result") == "(?i)malicious"
Condition: URL Reputation; url-reputation(-10.00, -6.00 , "", 1, 1)
*Set Apply Rule: If one or more conditions match
Action: Notify;notify ("<Insert admin or distro email address>", "POSSIBLE ACCOUNT TAKEOVER", "", "ACCOUNT_TAKEOVER_WARNING")
Action: duplicate-quarantine("ACCOUNT_TAKEOVER")
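The two subject rewrites and the sender-group guard in the EXECUTIVE_SPOOF and EXTERNAL_SENDER_REMOVE filters above can be reproduced offline with Python's re module. What follows is an added example written for this page, not gateway code: it assumes the header() condition is a regular-expression search over the header value, and that the edit-header-text rewrite is applied once per subject (count=1). The forged-email-detection result is computed by the gateway and is passed in as a boolean here, and the sample messages and their header values are constructed.

```python
import re
from email import message_from_string
from email.message import Message

# Regexes copied from the EXECUTIVE_SPOOF and EXTERNAL_SENDER_REMOVE definitions.
ALLOWSPOOF_GUARD = r"(?i)allowspoof"   # header("X-IronPort-SenderGroup") != "(?i)allowspoof"
TAG_PATTERN = r"(.*)"                  # edit-header-text("Subject", "(.*)", "[EXTERNAL]\1")
TAG_REPLACEMENT = r"[EXTERNAL]\1"
STRIP_PATTERN = r"\[EXTERNAL\]\s?"     # edit-header-text("Subject", "\[EXTERNAL\]\s?", "")

# Constructed sample messages (made up for this example). The X-IronPort-*
# headers are the ones the addHeaders message filter stamps on inbound mail.
INBOUND_FROM_SUSPECTLIST = """\
X-IronPort-RemoteIP: 203.0.113.10
X-IronPort-SenderGroup: SUSPECTLIST
From: "Jane Exec" <jane.exec@lookalike.example>
To: finance@yourdomain.com
Subject: Urgent wire transfer

Please process today.
"""
# Same message, but received through a sender group named AllowSpoof
# (mixed case on purpose: the guard is case-insensitive).
INBOUND_FROM_ALLOWSPOOF = INBOUND_FROM_SUSPECTLIST.replace("SUSPECTLIST", "AllowSpoof")


def header_matches(msg: Message, name: str, pattern: str) -> bool:
    """header("Name") == "pattern" as a regex search over the header value.
    An absent header never matches, so a != test on it is true."""
    value = msg.get(name)
    return value is not None and re.search(pattern, value) is not None


def executive_spoof_fires(msg: Message, fed_matched: bool) -> bool:
    """Apply rule 'only if all conditions match': the Executive_FED result
    (gateway-computed, passed in) AND the sender group does not match the guard."""
    guard_hit = header_matches(msg, "X-IronPort-SenderGroup", ALLOWSPOOF_GUARD)
    return fed_matched and not guard_hit


def tag_external(subject: str) -> str:
    """EXECUTIVE_SPOOF subject rewrite. count=1 is an assumption: without it
    Python would also replace the empty match at end-of-string and append a
    second tag. Note the rewrite re-tags a subject that is already tagged."""
    return re.sub(TAG_PATTERN, TAG_REPLACEMENT, subject, count=1)


def strip_external(subject: str) -> str:
    """EXTERNAL_SENDER_REMOVE subject rewrite: remove every tag and the
    optional single whitespace that follows it."""
    return re.sub(STRIP_PATTERN, "", subject)


def process_inbound(raw: str, fed_matched: bool = True) -> Message:
    """Return a copy of the message with the EXECUTIVE_SPOOF tag applied if the
    filter fires (the quarantine copy is not modelled)."""
    msg = message_from_string(raw)
    if executive_spoof_fires(msg, fed_matched):
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = tag_external(subject)
    return msg


def process_outbound(raw: str) -> Message:
    """Return a copy of the message with the EXTERNAL_SENDER_REMOVE rewrite applied."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    del msg["Subject"]
    msg["Subject"] = strip_external(subject)
    return msg


if __name__ == "__main__":
    print(process_inbound(INBOUND_FROM_SUSPECTLIST)["Subject"])
    print(process_inbound(INBOUND_FROM_ALLOWSPOOF)["Subject"])
    reply = process_inbound(INBOUND_FROM_SUSPECTLIST).as_string()
    print(process_outbound(reply)["Subject"])
```

The re-tagging behaviour of tag_external is why the outbound EXTERNAL_SENDER_REMOVE filter matters: a reply that leaves the organisation with "[EXTERNAL]" still in its subject would be tagged again on its way back in.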
For Cisco Secure Email Cloud customers, example content filters are included within the gold configuration and best practice recommendations. In addition, review the "SAMPLE_" filters for more information on the associated conditions and actions that can be useful in your configuration.
Cisco Live hosts many sessions globally and does offer in-person sessions and technical breakouts that cover Cisco Secure Email best practices. For past sessions and access, please visit Cisco Live (requires CCO login):
Cisco Email Security: Best Practices and Fine Tuning - BRKSEC-2131
If a session is unavailable, Cisco Live may have removed it because of the age of the presentation.
Revision | Publish Date | Comments |
---|---|---|
3.0 | 31-Jul-2022 | Update of latest Gold Configuration values, rewording to meet publishing criteria, update of links and references. |
1.0 | 15-May-2017 | Initial Release |