Is there a way to always enforce SPX encryption based on the "from" email address?
Looking for a solution that will not require the user to add a custom header or type a particular word or phrase.
This thread was automatically locked due to age.
Interesting question, Jamie! Interesting suggestion, Louis!
I wonder if everything after the DATA command is checked for the expression. If so, then only the Sender and Recipient (To) would be ignored and the From, Cc and Bcc fields would be checked along with the Subject and the body of the email. Please let us know the result of your test!
Cheers - Bob
Bob, I think your correct, its only subject and data. I don't know where the attachments fit in, but what ticks me off is when you look at an email, the plain text that is, you see the things I tried to use to trigger the SPX encryption below... As far as I can tell, the ENTIRE email is put somewhere, then scanned by a "worker" to see if it matches any of the SPX triggers...
Ultimately, I gave up on the UTM matching the triggers word(s)/phrases, and as far as I can tell, SPX filtering does not work except for body and Subject, but only subject if you start the string with ^
I had the illusion that PCRE worked, but that does not appear to be entirely true either. Maybe I did something incorrectly, but I don't think I did...
I ultimately gave up after wasting an entire day trying to figure this out.
My solution was to use Postfix on their internal mail server to prepend the X-Sophos-SPX-Encryption header to an email if the sender's email address matched my criteria.
*Boring details below*
My specific need was to guarantee any email sent from a specific computer would always be run through SPX. Anything that was not plain english word(s) or phrases, aka "normal" PCRE, was not consistent at triggering the SPX system. Same email, literally, sent more than once, most of the time it was triggered, but was not 100% on triggering.
As for attachments, yes I had the box checked, and simple things like word, pdf, rtf, txt, etc. would trigger SPX encryption if a "trigger" word was in the file.
Now, try doing that with a Dicom image. There are some things that will always be at the beginning of a Dicom file, ("attributes" of the file), such as the device that made the image, the letters DICM seemed to be another constant I found, yet the SPX system would not pick them up unless they were in the body or subject...
Sorry for ranting, I just think this should be a simple matter.
Feature request: (this should have been thought of, we shouldn't have to ask for it)
Ability to "trigger" SPX encryption by the who (as in email address, or IP) sent the email.
Feature Request 2: Sophos, figure out if your going to actually support PCRE or just some subset, if only a subset, PLEASE don't give the illusion that you can use regular expressions.
When I think of PCRE, I think of things like this: /dicm/i
Better yet, create a webpage where people can type in what they want, either in plain text, or PCRE and give the equivalent string that you (Sophos) require.
Lastly, CLEARLY DEFINE IN THE HELP on the UTM what is supported and what is not... Do you search the mail headers? Will you match on the attachment name, how about just the extension?
Thats the one that got me the most, the ONLY way to match an attachment is to have the entire name of the attachment in your custom criteria. Partials would not match.
When I called support, I got nowhere. I got a level one person that understood they needed to escalate it, but then nothing.
I'm just going to shut up and get off my soapbox now, but hopefully you get where I am coming from...
So, Jamie, using ^From: someone@mycompany.com does not trigger SPX encryption if added as a 'Custom Expression'?
Cheers - Bob
From what I recall, you are correct, I was unable to get that to work.
Its been a bit now, I am sure I don't remember everything I tried, but I do remember trying that. I also cannot remember right now what the OS version was at the time.
If you are able to make that work, I will figure out what OS version it was at the time of the tests I did. I normally would go back and test it again after this recent update, but I have many things to get done this month and not that working many days left to do them...
I haven't been able to make that work since sometime in V7, Jamie. I was hoping you would tell me otherwise.
Cheers - Bob
