content filter if EXTERNAL SENDER condition | MDaemon Technologies, Ltd.

content filter if EXTERNAL SENDER condition


  • Hi All!

    I couldn't find in help the description of this condition. How does exactly it define that sender is external?



  • It compares the domains in the Return-Path, Sender, and From headers to the recipient's domain. 


  • Thank you for the answer!

    We have  the office mailboxes  in CRM, Mdaemon uses as MTA to send\receive mail from Internet. CRM is in the same LAN network with Mdaemon. Mdaemon has one mailbox all@mycompany.com with alias *@mycompany.com. CRM receives all mail from Mdaemon via IMAP and sends to Mdaemon via  SMTP with TLS and authentication. SPF, DKIM and DMARC works fine in this configuration.

    I  add the rule in content filter "if EXTERNAL SENDER and Header From contains "@mycompany.com" move message to Spam folder". I thought it will be nice to filter fishing mails, but it routes all our outgoing mail directly to spam folder. I was sure that trusted, LAN,  and authenticated SMTP means internal sender, but I was wrong. Would be great  if you add description of this feature in the Mdaemon help in next versions.


  • Sorry, just read again your answer "It compares the domains in the Return-Path, Sender, and From headers to the recipient's domain."

    and see recipient's domain, not sender domain. I dont understand how it works, could you please explain bit more with some examples?

     


  • It is compairing the domains in the Return-Path, Sender, and From headers to the domain of the person receiving the email. 

    The condition will actually flag messages anytime the domain in the Return-Path, Sender, or From headers are different than the domain of the person receiving a copy of the message.  If you apply the rule to the remote queue, it can flag messages that are being sent out. You can control this when editing the rule, click on Local & Remote queue in the rule editor and uncheck Remote Queue.

    This message is not matched by the External Sender condition.

    Fri 2023-11-03 07:34:25.533: * Message return-path: arron@localdomain.com
    Fri 2023-11-03 07:34:25.533: * Message from: arron@localdomain.com
    Fri 2023-11-03 07:34:25.533: * Message to: george@localdomain.com
    Fri 2023-11-03 07:34:25.533: * Message subject: Test 405
    Fri 2023-11-03 07:34:25.533: * Message ID: <WC20231026160357.880001@localdomain.com>
    Fri 2023-11-03 07:34:25.533: Start Content Filter results
    Fri 2023-11-03 07:34:25.537: * Matched 0 of 1 active rules

    This message is matched by the external sender condition:

    Fri 2023-11-03 07:37:39.683: * Message return-path: arron@localdomain.com
    Fri 2023-11-03 07:37:39.683: * Message from: arron@externaldomain.com
    Fri 2023-11-03 07:37:39.683: * Message to: george@localdomain.com
    Fri 2023-11-03 07:37:39.683: * Message subject: Test 406
    Fri 2023-11-03 07:37:39.683: * Message ID: <WC20231026160357.880001@localdomain.com>
    Fri 2023-11-03 07:37:39.683: Start Content Filter results
    Fri 2023-11-03 07:37:39.684: * Message matched rule: 11 "Check External Sender" (Hits: 2)
    Fri 2023-11-03 07:37:39.689: *    Action: Message moved to bad queue (this action ends further rule processing)
    Fri 2023-11-03 07:37:39.689: * Matched 1 of 1 active rules

    We can repeat the same process, changing the email address in the Return-Path, Sender, and From headers.  As long as the domain in any one of those headers does not match the domain of the recipient, then the message will be flagged by the condition.  Also, the condition is looking at the email address it is send that specific copy of the message to, in order to determine the domain of the recipient.  It is not looking at the To or CC headers.


  • I  add the rule in content filter "if EXTERNAL SENDER and Header From contains "@mycompany.com" move message to Spam folder". I thought it will be nice to filter fishing mails, but it routes all our outgoing mail directly to spam folder. I was sure that trusted, LAN,  and authenticated SMTP means internal sender, but I was wrong. Would be great  if you add description of this feature in the Mdaemon help in next versions.

    There are easier ways to protect the From header and stop people from using your domain in the From header.  The best way is to implement SPF, DKIM and DMARC for your domain and configure MDaemon to check them on all inbound email.  DMARC protects the From header. 

    You can also enable IP Shielding in MDaemon and check the box for "Check FROM header address against IP Shield." 


  • Thank you, Arron, now everything is clear. Also will check ip shield option. 


  • We want to use a content filter based on the condition "If EXTERNAL SENDER...", adding "Add a warning to the top of the message". we use two domains, MDaemon when processing emails in a local queue within a company from one domain to another, a filtering rule is triggered.


  • As I mentioned previoulsy in this thread, the condition will actually flag messages anytime the domain in the Return-Path, Sender, or From headers are different than the domain of the person receiving a copy of the message.

    If you don't want the warning being added to messages sent between two domains in MDaemon, you'll have to adjust the rules in the content filter.  The easisest way to do this is to create anothe content filter that will skip the next message if the From header contains either of your local domains.  Something like the following:

    [Rule010]
    RuleName=Skip Next Rule
    Enable=Yes
    ThisRuleCondition=Any
    ProcessQueue=LOCAL
    Condition01=FROM|contains|OR|@domain.com|@domain2.com|
    Action01=skip rule|"1"
    [Rule011]
    RuleName=Check External Sender
    Enable=Yes
    ThisRuleCondition=Any
    ProcessQueue=LOCAL
    Condition01=body|external sender|AND|
    Action01=add warning html|"External Sender Warning...."

     


  • Hello,

    So, if I have more than 50 domains in Mdaemon and I want to add the warning message only for emails outside the Mdaemon server, the only solution is to add the 50+ domains one by one in a rule like the one above?

    Thank you!

     

    Ilie Voinea


  • No.  You can use any criteria you want to check the from header.  I'd suggest trying if the From "contains a local account" then skip the next rule.  


  • @Arron 
    What does such an entry for the filter look like - "contains a local account"?


  • In the MDaemon UI go to Security / Content Filter / New. 

    Check the box for If the From header contains, in the area where the rule is built click on "Contains".  

    In the dialog where you enter the search text for the from header, in the "Currently specified settings" section, click contains again.

    In the drop down for If the From header... select "Contains a local account."

     


  • I found it, I will test with this option:

     

    Thank you!


  • I found it. Thank you!


Please login to reply this topic!