
Send a copy of every incoming/outgoing message to another host

Hi,

I wonder if there is a way to send every incoming and outgoing message both to the original destination and to another destination for analysis. Preferably before any scanning or policies interfere.

I've tried Google, but have not come up with anything yet. I will continue searching, but hope there is a good chance that the answer can be found in this community.

Regards

Michael

4 Replies

prrprasa
Cisco Employee

Hi Michael,

To save the messages before they are processed or scanned by the policies, you can use message filters; the archive filter saves a copy of the message:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa15-0/user_guide/b_ESA_Admin_Guide_15-0/b_ESA_Admin_Guide_12_1_chapter_01000.html#con_1133841

Gopinath_Pigili
Spotlight

hi

Pulkit Mittal
Level 1

You have the option to set up a content filter for incoming, outgoing, or both types of emails. Within this filter, you can specify the action as bcc (blind carbon copy).

Here are some key points to consider:

  1. Bcc Action:

    • When using the bcc action, you need to provide an email address where the email content will be copied.

  2. Redirecting Emails to another Appliance:

    • If your intention is to redirect the original emails to a different appliance and then deliver them to the recipient:
      • You’ll need to update the SMTP routes to point to that appliance.
      • This ensures that the emails pass through that system for any necessary security checks before reaching their final destination.

Remember to configure these settings carefully to achieve the desired email flow and security measures!

If you find this useful, please mark it helpful and accept the solution.

This is based on what we do for the beta testing program where you stand up another set of ESAs with newer code, and they get a copy of all of your mail.
In that case we split inbound/outbound, but you don't need that. The bounce profile/destination control keeps NDRs from being sent in the event that the host you're sending the mails to is down.

Note this will only send mail that is accepted for processing on the ESA. If the mail is dropped by SBRS reputation score, or LDAP accept query that is acting during the SMTP conversation, this won't get it.


1. Add an SMTP route for "monitoring.yourdomainname.com" with the IP of the destination
2. Create a bounce profile for this traffic
   * From the GUI, navigate to Network > Bounce Profiles > Add Bounce Profile.
   * Profile Name: Monitoring_BOUNCE
   * Maximum Number of Retries: 15
   * Maximum time in Queue: 130
   * Initial time to wait per Message: 60
   * Maximum time to wait per Message: 60
   * Send Hard bounce Messages: NO
   * Send Delay Warning Messages: NO
   * Use Domain Key Signing for Bounce and Delay Messages: NO
   * Submit to save the changes to this new Bounce Profile.
   * Commit to save all changes to the configuration.
3. Set a destination control for this traffic
   * From the GUI, navigate to Mail Policies > Destination Controls > Add Destination.
   * Destination: monitoring.yourdomainname.com
   * Bounce Verification > Perform address tagging: NO or Default (NO)
   * Bounce Profile: Monitoring_BOUNCE
   * The other values may be configured based on the administrator's preference.
   * Submit to save the changes to this new Destination Control Profile.
   * Commit to save all changes to the configuration.
4. From the CLI on the ESA appliance, run filters > new and add a message filter to copy mail to the appropriate listener on the monitoring destination:

    bcc-monitoring: if (true) {
        bcc ("$enveloperecipients", "$Subject", "$EnvelopeFrom", "monitoring.yourdomainname.com");
    }

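A minimal stand-in for the monitoring destination from the steps above, added here as an illustration and not part of the thread or of any Cisco tooling: because the bcc copies keep their original envelope sender and recipients, the receiving listener has to accept mail for any domain and should record the envelope next to each message. Port 2525, the monitor_spool directory and the X-Envelope-* header names are assumptions, and the sink speaks plain SMTP without TLS or authentication.

```python
import pathlib
import socketserver
import time

def save(mail_from, rcpts, body, spool=pathlib.Path("monitor_spool")):
    """Write one copy, prefixed with its envelope, into the assumed spool directory."""
    spool.mkdir(exist_ok=True)
    head = f"X-Envelope-From: {mail_from}\r\nX-Envelope-To: {', '.join(rcpts)}\r\n"
    (spool / f"{time.time_ns()}.eml").write_bytes((head + body).encode("latin-1"))

class Session:
    """SMTP state machine that accepts any sender and any recipient domain."""
    def __init__(self, store=save):
        self.store, self.in_data = store, False
        self.mail_from, self.rcpts, self.lines = None, [], []

    def feed(self, line):
        """Take one line without CRLF; return the reply, or None inside DATA."""
        if self.in_data and line != ".":
            self.lines.append(line[1:] if line.startswith(".") else line)  # undo dot-stuffing
            return None
        if self.in_data:  # a lone "." ends the message
            self.store(self.mail_from, self.rcpts, "\r\n".join(self.lines) + "\r\n")
            self.in_data, self.mail_from, self.rcpts, self.lines = False, None, [], []
            return "250 stored"
        verb, _, arg = line.partition(":")
        verb, addr = verb.upper().strip(), (arg.split() or [""])[0].strip("<>")
        if verb.startswith(("HELO", "EHLO")):
            return "250 monitor-sink"
        if verb == "MAIL FROM":  # the null sender "<>" is kept as ""
            self.mail_from, self.rcpts, self.lines = addr, [], []
            return "250 sender ok"
        if verb == "RCPT TO" and self.mail_from is not None:
            self.rcpts.append(addr)  # no domain check: copies keep their original recipients
            return "250 recipient ok"
        if verb == "DATA" and self.rcpts:
            self.in_data = True
            return "354 end with <CRLF>.<CRLF>"
        return "221 bye" if verb == "QUIT" else "503 bad sequence of commands"

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        session = Session()
        self.wfile.write(b"220 monitor-sink ready\r\n")
        for raw in self.rfile:
            reply = session.feed(raw.decode("latin-1").rstrip("\r\n"))
            self.wfile.write((reply + "\r\n").encode("latin-1") if reply else b"")

if __name__ == "__main__":  # port 2525 is an assumption; the SMTP route must match it
    socketserver.ThreadingTCPServer(("", 2525), Handler).serve_forever()
```

Since the sink accepts every recipient, limit access to its port to the ESA's address. It only stores mail and never forwards it.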