Cisco Email Security Appliance

How do I create a content filter that applies to *all* incoming or outgoing mail ... ?

Document ID: 117901

Updated: Jul 08, 2014

Contributed by Tomki Camp and Enrico Werner, Cisco TAC Engineers.



How do I create a content filter that applies to *all* incoming or outgoing mail, and not just a specific group of senders or recipients?

There are several ways of accomplishing what you want to do. If you want to apply a filter to all incoming mail (for example) or all outgoing mail, you can do this either as a message filter or a content filter.

Content filters are applied as the last Policy processing step in the email pipeline - after messages have been 'splintered' into separate copies depending on the Mail Policies (and therefore different recipient groups) defined in your configuration.  Because of this, Content Filters can be applied to a more finely-grained grouping of senders or recipients.

It is important to remember that content filters are managed by the GUI on the Mail Policies->Incoming Content Filters or Mail Policies->Outgoing Content Filters page.

The (true) syntax in the following filter example:

if (true)

causes all instructions / statements included in the {}'s to be executed every time the filter is applied.

After creating the filter, you must apply it to Incoming Mail Policies for it to take effect.  Note that there are two options here: one is to place the filter in the Default policy, the other is to replicate it in all policies.  If you place the filter in the Default Policy, any other policy which is set to (use default) will also have the filter applied.  If you have policies that do not use the default content filters, you will have to edit each one to include the filter.

Aside: in a long list of content filters, it's a nice shortcut to define the order of a newly created content filter as "1" so that it can quickly be added to all policies (and be executed first). Order matters...

Another way to filter incoming mail is with a message filter.  Message filters are applied as the first Policy processing step in the ESA email pipeline.  When a Message Filter is applied, its actions apply to all recipients of the message (i.e. if the action is Drop, then no recipient will receive the message, even if the rule which matched the message matched only one recipient.)

A message filter to act on all incoming mail needs to be qualified by the received listener, to distinguish it from outgoing mail:

if (recv-listener == "InboundMail") {
  drop-attachments-by-filetype ('Executable');

If you want a filter to apply to both incoming and outgoing traffic, you also have two options.  One is to use mail policies in the GUI; the other is to create a message filter in the CLI.

Mail policies and content filters are divided into Incoming and Outgoing policies.  To create a Content Filter that will apply to all mail, you must create the same filter in both the Incoming and Outgoing Content Filters.  Then, in each and every Mail Policy, in both Incoming and Outgoing Policies, you must enable that Content Filter - either by inheriting it from the Default policy, or by enabling it in the content filters of that policy.

A more efficient way to apply a filter to all mail would be as a message filter.  Message filters are applied to every message before messages are splintered into the different incoming or outgoing policy groups.  Therefore it is faster to apply the filter to one copy of the message as a message filter.  A simple modification of the message filter example above will apply it to all messages, not just messages received on the inbound mail listener:

if (true) {
  drop-attachments-by-filetype ('Executable');

If you would like some help from the GUI in designing your filter, you can write it as a content filter first, then view the "filter syntax" and copy that into your message filters.  For example, if you define a filter on Incoming Content Filters, you can then click the "Rules" link of the content filters list to see the actual message filter syntax.  Copy that down or copy it to your edit buffer, then switch to a terminal emulator session and begin configuring message filters.  When you get to the point where you need to enter the message filter, you can use the same syntax.  Message filters are created with the CLI 'filters' command.

Updated: Jul 08, 2014
Document ID: 117901