Block email attachment from specific domain

L2 Linker

Block email attachment from specific domain

Hello experts,

 

Is there any way in Palo Alto to block email attachments coming from a specific domain?

Let's say I want to block all email attachments which are coming from *@xyz.com. Is it possible?


Accepted Solutions
L5 Sessionator

Re: Block email attachment from specific domain

You can easily achieve it on your mail server.

 

Mayur



Mayur Sutare

Cyber Elite

Re: Block email attachment from specific domain

@Vikashh,

Sometimes I think we try to solve issues with the wrong tool, because we know more about the tool directly under our control. In 99.9% of situations when you're looking to block attachments through email, the correct course of action is blocking them on your mail server or SMTP gateway, as suggested by @SutareMayur.

Honestly, when you are dealing with email, it's generally gotten to the point where you'll be unable to create a policy that blocks just this one domain from sending attachments on your firewall, because most people are using a shared service or have granted impersonation rights for marketing purposes or the like. So you would have to account for all addresses listed in the org's SPF record, which likely would match other email that you wouldn't necessarily want to block attachments for. You'd also have to keep that up-to-date when it could be rotating.

 

OR, you simply do it on your mail server for the domain and be done with it. You can now ensure that the domain isn't allowed to send attachments into your organization and the only time you have to worry about it not working is if they rename their domain. 

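The sender-domain attachment policy recommended above, sketched as an added example (not code from any poster in this thread and not tied to a particular mail server's API). It shows the decision a mail gateway content filter would make per message; the function names, the `sharedsender.example` relay and the sample messages are hypothetical and constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

BLOCKED_DOMAINS = {"xyz.com"}  # the domain used in the question

def sender_domain(addr):
    """Domain part of an address such as 'Bob <bob@xyz.com>', lower-cased."""
    return parseaddr(addr)[1].rpartition("@")[2].lower().rstrip(".")

def is_blocked(domain):
    # Match the domain and its subdomains, but not look-alikes such as notxyz.com.
    return any(domain == d or domain.endswith("." + d) for d in BLOCKED_DOMAINS)

def attachment_names(msg):
    """Walk every MIME part, including nested multiparts, and list attachments."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            names.append(part.get_filename() or "(unnamed)")
    return names

def verdict(envelope_from, raw_message):
    """Return ('reject', files) or ('accept', []) for one inbound message."""
    msg = message_from_string(raw_message, policy=policy.default)
    # Check both the SMTP envelope sender and the From: header, since bulk
    # senders often relay through a shared service with its own envelope domain.
    domains = {sender_domain(envelope_from), sender_domain(str(msg.get("From", "")))}
    if any(d and is_blocked(d) for d in domains):
        files = attachment_names(msg)
        if files:
            return ("reject", files)
    return ("accept", [])

def build_sample(from_hdr, with_attachment):
    """Constructed test message; addresses and file name are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_hdr, "user@example.org", "constructed sample"
    m.set_content("hello")
    if with_attachment:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="invoice.pdf")
    return m.as_string()

if __name__ == "__main__":
    print(verdict("relay@sharedsender.example", build_sample("News <news@mail.xyz.com>", True)))
    print(verdict("bob@xyz.com", build_sample("bob@xyz.com", False)))
```

Because the check keys on the sender's domain rather than the connecting IP address, it keeps working when the sending organisation changes or rotates the shared services listed in its SPF record.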


All Replies
Cyber Elite

Re: Block email attachment from specific domain

You may be able to try and create an FQDN object for the domain, and allow traffic into the FW, but create a security profile for file blocking and just do not allow any attachments.

 

Using Wireshark you can try and create a custom application that is looking for the domain name in the SMTP or IMAP response headers, and create a policy to deny.

 

Just some ideas.

L2 Linker

Re: Block email attachment from specific domain

I am curious whether the solution below will be able to block incoming mail from a specific domain.

Still, I will give it a try.

 

Thank you.

L2 Linker

Re: Block email attachment from specific domain

@BPry ,

 

Thank you so much for giving clarification on this. Yes, I agree now; it is better to block the specific domain on our mail server/email gateway. I will proceed with the same option to do it.

 

Thanks to @SutareMayur also for the inputs. 
