Cisco ESA: Mail Flow for Encryption Appliances

The Cisco Email Security Appliance (ESA) is well-known for its very good Anti-Spam features. But it completely lacks a usable implementation for mail encryption with S/MIME or OpenPGP. That is: We are using other appliances for that such as Zertificon, SEPPmail, or totemo.

However, the Cisco ESA still remains the main MTA for incoming and outgoing mails, hence mails must be routed to the encryption appliance of your choice for signing/encrypting (outgoing) or verifying/decrypting (incoming) mails. Such mail routings should be done with CLI-only message filters, rather than content filters. Here we go:

Why Message Filter?

Message filters are processed before the email security manager with all of its components such as Anti-Spam, Anti-Virus, AMP, and so on. Using message filters here gives the chance to alter the mail flow even before Anti-Spam kicks in. This results in a good mail flow design since checking a fully encrypted mail for Spam is ridiculous. ;) That’s why you should not use content filters that are executed after that Anti-xyz stuff for these scenarios.

Mail Flow Design

There are many different possible mail flow designs. My goal was to unambiguously receive mails from the encryption appliance. I wanted to have different firewall policies between the appliances matching the SMTP sessions exactly along the path. You can either use

  • own IP Interfaces (that is: Layer 3 addresses on Ethernet ports),
  • own Listeners (that is: using an already available IP Interface but with a different listening port), or
  • nothing of those two methods, but filter only for the sending remote-ip.

I personally prefer the second one: own listeners for the encryption appliance. That is: I am using two more listeners on port 2525 of the original Incoming/Outgoing interfaces aka IP addresses. Here’s a sketch:

Cisco ESA Configuration

So here we go: 1) The new “L_Securemail_Incoming” listener of type public on the If_Incoming IP address but with listening port 2525. The RAT default action is “Accept” (since it will only receive already accepted mails) and the HAT WHITELIST has a single sender of the IP address of the encryption appliance. Spam detection and virus protection is enabled since this is the first point at which the ESA sees the mail in plaintext.

2) The new “L_Securemail_Outgoing” listener of type private on the If_Outgoing IP address but with TCP port 2525 again. This time, the HAT RELAYLIST gets a single sender with the IP address of the encryption appliance again. Spam detection and virus protection is turned off (!) since this listener receives already checked mails (in the first place) while they are likely encrypted.

3) The message filter for incoming mail. In fact, I am using three distinct message filters for it with different kinds of conditions. All are forwarding the mail to the encryption appliance from the If_Incoming interface, adding a log-entry, and skipping all checks:

4) The message filter for outgoing mail. A little easier:

If you want to limit the mail flow for certain Active Directory groups, you can use the filter condition (mail-from-group == "NameOfTheGroup").

Reminder: To add the message filter, you have to log into the ESA via SSH. The CLI commands are as follows:

To view the message filters, type LIST or DETAIL, followed by the number of the filters. And don’t forget to commit at the end.

That’s it. ;) Happy mail flowing. God’s blessing!

Photo by Maksym Tymchyk on Unsplash.

One thought on “Cisco ESA: Mail Flow for Encryption Appliances

  1. Excellent guide. Thanks for publishing it.

    I have never seen anyone using message filters with the three ways to identify encrypted mails but it seems to be a pretty good way to prevent unnecessary hops in the mail routing of unencrypted mails.

    Depending on the percentage of encrypted vs. unencrypted mails you could still send ALL inbound mails to the encryption appliance.
    It could help to reduce the complexity of the message filters as you would only need to filter for recv-listener.

Leave a Reply

Your email address will not be published. Required fields are marked *