Posts Tagged ‘mimecast’
Recently had a customer that was getting 15 – 20 minute delays in receiving emails from MailChimp. The same email to services such as Office 365 , Gmail and other email providers came through straight away.
We had whitelisted Mailchimps IP’s per below from Greylisting and Spam to no avail. The Message tracking proved that the message wasn’t hitting the Administration console for the 15 Minutes delay
We lodged a Mimecast support ticket and got this escalated to Level 2 and waited a week for a response. In the end a retry of the issue with the technician came through straight away which means there must have been a block somewhere in Mimecast
Many internal companies use Newsletter services such as Mailchimp to email out internal newsletters. The From Address of this is usually an internal email address which means it will get rejected by the anti spoofing policy
In Mimecast Administration Panel go to :
Administration -> Gateway -> Policies -> Anti Spoofing SPF based Bypass
- Add the following Policy, this will only whitelist IP’s in your SPF Record, so putting servers.mcsv.net will not work , you will also have to put “ip4:184.108.40.206/20 ip4:220.127.116.11/18 ip4:18.104.22.168/16” in your SPF record. If your SPF is over 255 characters : try option 2
Administration -> Gateway -> Policies -> Anti Spoofing
Add the policy below , you can get a list of IP’s Mailchimp user here
Great a Computer Configuration Group Policy Object for Windows Firewall per below
Whitelist the below files Inbound and Outbound
C:\program files\mimecast\mimecast windows service\msddsk.exe ( 32 bit )
C:\program files (x86)\mimecast\mimecast windows service\msddsk.exe ( 64 bit )
Recently a email came in from a third party which wasn’t blocked by the Impersonation Protection
Administration > Gateway > Policies > Impersonation Protection Definitions
Default Impersonation Protection for Mimecast
- Similar Internal Domain (Similarity Distance 2 )
- Newly Observed Domain ( Checked )
- Internal User Name ( Checked )
- Reply-to Address Mismatch ( Uncheck )
- Targeted Threat Dictionary ( Checked )
- Mimecast Threat Dictionary ( Checked )
- Number of Hits : 2
- Ignore Signed Messages ( Unchecked )
For executives, particularly those who are disclosed on the company website I recommend implementing a hit score of 1 on emails with their name as a display name.
Exec Impersonation Protection
- Similar Internal Domain ( Checked )
- Newly Observed Domain ( Checked )
- Internal User name ( Checked )
- Number of Hits: 1
Administration > Gateway > Policies > Impersonation Protection > New Policy
Selection Option: Choose the new definition that was just created
Addresses based on: Both
Applies from: Header Display Name
Specifically: INSERT NAME
Applies To: Internal Addresses
Save and Exit
I would advise that display name checks are in place all high profile targets, particularly those disclosed on the company website or other public sources. You also may want to consider alternative spellings. An individual policy is required for each display name.
Recently had a customer stop being able to send items to Mimecast with the following
554 Email rejected due to security policies - https://community.mimecast.com/docs/DOC-1369#554
This was happening to Multiple emails and Mimecast Logs showed : Bounce – Message content not accepted
Also users trying to email the customer by replying to their email would get the same bounce back
So something generic in the content was causing this
Generic would be email signatures and Links in email signatures are usually the cause, removing one of the domains in the email signature fixed this , we lodged a Support case with Mimecast who removed this domain from their blocklist
The actual cause was the company was sending mass emails with using something like mailchimp so it did not have an unsubscribe button so domains in the email were blocked in third party lists like : http://lookup.uribl.com/
Create a Distribution Group in Office 365, this will be to Add the users to you want enable SSO on , add Users
Make sure Mimecast is Synced with Office365 AD – Services -> Directory Synchronization ( Connect to 365 )
Perform manual sync in Mimecast to download user and group
On Azure – Got o Azure Active Directory, All Application find: Mimecast Personal Portal
Next Single Sign-On
Sign on URL : https://au-api.mimecast.com/login/saml
Identifier : https://au-api.mimecast.com/sso/%Customer ID% per Mimecase User Guide
Reply URL : https://au-api.mimecast.com/login/saml
User Identifier : user.mail
Azure AD Properterties : User assignment required No
Configuring Mimecast-Personal-Portal for single sign-on
1.In a different web browser window, log into your Mimecast Personal Portal as an administrator.
2.Go to Services > Applications.
3.Click Authentication Profiles.
4.Click New Authentication Profile.
5.In the Authentication Profile section, perform the following steps:
a. In the Description textbox, type a name for your configuration.
b. Select Enforce SAML Authentication for Mimecast Personal
c. As Provider, select Azure Active Directory.
d. In Issuer URL textbox, paste the value of Azure AD SAML Entity ID : https://sts.windows.net/434324324342343242323442/ which you have copied from Azure portal.
e. In Login URL textbox, paste the value of Azure AD Single Sign-On Service URL : https://login.microsoftonline.com/434324324342343242323442/saml2 which you have copied from Azure portal.
f. In Logout URL textbox, paste the value of Sign-Out URL which you have copied from Azure portal.
g. Open your Downloaded Azure AD Signing Certificate (Base64 encoded) in notepad downloaded from Azure portal, copy the content of it into your clipboard, and then paste it to the Identity Provider Certificate (Metadata) textbox.
h. Select Allow Single Sign On.
i. Click Save.
Now Add a New Application Settings to Application and Link the Group you created in the first step to use this New Authentication Profile
reply address ‘https://au-api.mimecast.com/login/saml’ does not match the reply addresses configured for the application: ‘https://au-api.mimecast.com/sso/’.
If you are using products such as Cofense PhishMe , FriendlyPhishing or Knowbe4 as Phish testing software in your organisation then these test’s will get blocked in Mimecast. These organisations will give you a list of IP Addresses e.g for Cofense PhishMe ( 22.214.171.124, 126.96.36.199, 188.8.131.52 and 184.108.40.206 ) which you will need to whitelist through Mimecast
Login to the portal and choose Policies then Permitted Senders
Create a new policy with the below options :
The attached files listed below have been blocked. This is because they contain potentially harmful links. If you believe this is a mistake, please contact your administrator.
This means your Attachement has been blocked in the Sandbox , however you can release this
Login to the Admin Portal of Mimecast
Go to Monitoring, then Attachments
Release the blocked Attachment