Posts Tagged ‘mimecast’

Many internal companies use Newsletter services such as Mailchimp to email out internal newsletters. The From Address of this is usually an internal email address which means it will get rejected by the anti spoofing policy

Option 1

In Mimecast Administration Panel go to : 

Administration -> Gateway -> Policies -> Anti Spoofing SPF based Bypass

  1. Add the following Policy, this will only whitelist IP’s in your SPF Record,  so putting servers.mcsv.net will not work , you will also have to put “ip4:205.201.128.0/20 ip4:198.2.128.0/18 ip4:148.105.0.0/16” in your SPF record. If your SPF is over 255 characters : try option 2

 

Option 2

Administration -> Gateway -> Policies -> Anti Spoofing

Add the policy below , you can get a list of IP’s Mailchimp user here

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Great a Computer Configuration Group Policy Object for Windows Firewall per below

Whitelist the below files Inbound and Outbound

C:\program files\mimecast\mimecast windows service\msddsk.exe ( 32 bit ) 

C:\program files (x86)\mimecast\mimecast windows service\msddsk.exe  ( 64 bit ) 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Recently a email came in from a third party which wasn’t blocked by the Impersonation Protection

Administration > Gateway > Policies > Impersonation Protection Definitions  

Default Impersonation Protection for Mimecast 

  • Similar Internal Domain (Similarity Distance 2 ) 
  • Newly Observed Domain ( Checked ) 
  • Internal User Name ( Checked ) 
  • Reply-to Address Mismatch ( Uncheck ) 
  • Targeted Threat Dictionary ( Checked ) 
  • Mimecast Threat Dictionary ( Checked ) 
  • Number of Hits : 2
  • Ignore Signed Messages ( Unchecked ) 

For executives, particularly those who are disclosed on the company website I recommend implementing a hit score of 1 on emails with their name as a display name. 

Exec Impersonation Protection

  • Similar Internal Domain  ( Checked ) 
  • Newly Observed Domain  ( Checked ) 
  • Internal User name  ( Checked ) 
  • Number of Hits: 1 

Administration > Gateway > Policies > Impersonation Protection > New Policy 

Selection Option: Choose the new definition that was just created 
Addresses based on: Both 
Applies from: Header Display Name 
Specifically: INSERT NAME 
Applies To: Internal Addresses 
Save and Exit 

I would advise that display name checks are in place all high profile targets, particularly those disclosed on the company website or other public sources. You also may want to consider alternative spellings. An individual policy is required for each display name. 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Recently had a customer stop being able to send items to Mimecast with the following 

554 Email rejected due to security policies - https://community.mimecast.com/docs/DOC-1369#554

This was happening to Multiple emails and Mimecast Logs showed : Bounce – Message content not accepted

So something generic in the content was causing this

Generic would be email signatures and Links in email signatures are usually the cause, removing one of the domains in the email signature fixed this , we lodged a Support case with Mimecast who removed this domain from their blocklist

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Mimecast Guide

Azure Microsoft Guide

Create a Distribution Group in Office 365, this will be to Add the users to you want enable SSO on , add Users 

Make sure Mimecast is Synced with Office365 AD – Services -> Directory Synchronization ( Connect to 365 ) 

Perform manual sync in Mimecast to download user and group

Azure

On Azure – Got o Azure Active Directory, All Application find:  Mimecast Personal Portal

Next Single Sign-On

Sign on URL : https://au-api.mimecast.com/login/saml

Identifier : https://au-api.mimecast.com/sso/%Customer ID% per Mimecase User Guide

Reply URL : https://au-api.mimecast.com/login/saml

User Identifier : user.mail

Azure AD Properterties : User assignment  required No 

Mimecast

Configuring Mimecast-Personal-Portal for single sign-on

1.In a different web browser window, log into your Mimecast Personal Portal as an administrator.

2.Go to Services > Applications.

3.Click Authentication Profiles.

4.Click New Authentication Profile.

5.In the Authentication Profile section, perform the following steps:

a. In the Description textbox, type a name for your configuration.

b. Select Enforce SAML Authentication for Mimecast Personal

c. As Provider, select Azure Active Directory.

d. In Issuer URL textbox, paste the value of Azure AD SAML Entity ID : https://sts.windows.net/434324324342343242323442/ which you have copied from Azure portal.

e. In Login URL textbox, paste the value of Azure AD Single Sign-On Service URL : https://login.microsoftonline.com/434324324342343242323442/saml2 which you have copied from Azure portal.

f. In Logout URL textbox, paste the value of Sign-Out URL which you have copied from Azure portal.

g. Open your Downloaded Azure AD Signing Certificate (Base64 encoded) in notepad downloaded from Azure portal, copy the content of it into your clipboard, and then paste it to the Identity Provider Certificate (Metadata) textbox.

h. Select Allow Single Sign On.

i. Click Save.

Now Add a New Application Settings to Application and Link the Group you created in the first step to use this New Authentication Profile

Issues

reply address ‘https://au-api.mimecast.com/login/saml’ does not match the reply addresses configured for the application: ‘https://au-api.mimecast.com/sso/’.

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

If you are using products such as Cofense PhishMe , FriendlyPhishing or Knowbe4 as Phish testing software in your organisation then these test’s will get blocked in Mimecast. These organisations will give you a list of IP Addresses e.g for Cofense PhishMe ( 52.1.96.230, 52.5.119.169, 52.20.155.14 and 52.20.128.29 ) which you will need to whitelist through Mimecast 

Login to the portal and choose Policies then Permitted Senders

Create a new policy with the below options :

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

The attached files listed below have been blocked. This is because they contain potentially harmful links. If you believe this is a mistake, please contact your administrator.

This means your Attachement has been blocked in the Sandbox , however you can release this

Login to the Admin Portal of Mimecast

Go to Monitoring, then Attachments

Release the blocked Attachment

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Find the email in Administration – Gateway – Tracking

See : Connection Attempt

Go to Administration – Monitoring – Connections

See : Attempt Greylisted

Go to : Gateway – Policies – Greylisted

Add new Policy to Overide the existing Policy and Whitelist email address or domain

Get Email sent again

VN:F [1.9.22_1171]
Rating: 10.0/10 (1 vote cast)
VN:F [1.9.22_1171]
Rating: +1 (from 1 vote)