04-20-2020 10:56 AM
Hello experts,
Is there any way in Palo Alto to block email attachments coming from a specific domain?
Let's say I want to block all email attachments which are coming from *@xyz.com. Is it possible?
04-20-2020 05:01 PM
You may be able to try and create an FQDN object for the domain, and allow traffic into the FW, but create a security profile for file blocking and just do not allow any attachments.
Using Wireshark you can try and create a custom application that is looking for the domain name in the SMTP or IMAP response headers, and create a policy to deny.
Just some ideas.
04-21-2020 04:56 AM
I am curious if the below solution will be able to block incoming mail from a specific domain.
Still, I will give it a try.
Thank you.
04-21-2020 05:00 AM
You can easily achieve it on your mail server.
Mayur
04-21-2020 08:02 AM
Sometimes I think we try to solve issues with the wrong tool, because we know more about the tool directly under our control. In 99.9% of situations when you're looking to block attachments through email, the correct course of action is blocking them on your mail server or SMTP gateway as suggested by @SutareMayur.
Honestly when you are dealing with email it's generally gotten to the point where you'll be unable to create a policy that blocks just this one domain from sending attachments on your firewall, because most people are using a shared service or have granted impersonation rights for marketing purposes or the like. So you would have to account for all addresses listed in the org's SPF record, which likely would match other email that you wouldn't necessarily want to block attachments for. You'd also have to keep that up-to-date when it could be rotating.
OR, you simply do it on your mail server for the domain and be done with it. You can now ensure that the domain isn't allowed to send attachments into your organization and the only time you have to worry about it not working is if they rename their domain.
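Added example, not part of the thread or any poster's code: the decision logic of the mail-server rule recommended above, written in Python with the standard `email` module. It keys on the sender domain (envelope sender or `From` header) rather than the connecting IP, so mail relayed through a shared service is still matched. The function names, the subdomain matching, and the sample addresses other than `xyz.com` are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

BLOCKED_DOMAINS = {"xyz.com"}  # the sender domain from the question


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if none."""
    return parseaddr(str(address))[1].rpartition("@")[2].lower()


def is_blocked(domain):
    """True for a blocked domain or any subdomain of it (assumed policy)."""
    return any(domain == d or domain.endswith("." + d) for d in BLOCKED_DOMAINS)


def attachment_names(raw):
    """List attachment filenames found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]


def verdict(envelope_from, raw):
    """Reject only when a blocked sender domain carries an attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    senders = {domain_of(envelope_from), domain_of(msg.get("From", ""))}
    if any(is_blocked(d) for d in senders) and attachment_names(raw):
        return "reject"
    return "accept"


def build(sender, attach):
    """Constructed sample message, not real traffic."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@corp.example", "report"
    m.set_content("see attached")
    if attach:
        m.add_attachment(b"%PDF-1.4", maintype="application",
                         subtype="pdf", filename="report.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    # Relayed through a shared service: envelope differs, From is xyz.com.
    print(verdict("bounce@mailer.example", build("Sales <info@xyz.com>", True)))
    print(verdict("info@xyz.com", build("info@xyz.com", False)))
    print(verdict("a@partner.example", build("a@partner.example", True)))
```

Both sender fields are supplied by the sending side, so this is a policy rule for mail that identifies itself as the domain, not a sender-authentication check.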
04-21-2020 08:55 AM
@BPry,
Thank you so much for giving clarification on this. Yes, I agree now; it is better to block the specific domain on our mail server/email gateway. I will proceed with the same option to do it.
Thanks to @SutareMayur also for the inputs.