I am a big fan of Mimecast’s Email Security product; when configured correctly, it does a fantastic job. However, from time to time I have found the need to hold emails from a domain or specific address.
The most common reason I have found to do this is when a known supplier or contact has had a security issue, and emails are potentially coming from their account or domain that they did not knowingly send.
In these situations, it is good to have the option available and pre-prepared to hold emails for manual review and release.
Below I will detail a method for holding emails for review from either an entire domain or a specific sender.
- Creating a Content Definition
- Creating a Content Examination Policy
- How to Find, Review and Release Emails
First, we will need to create a Content Definition to match and hold any email for review. After that, we will create a Content Examination policy to define the scope of what the definition will apply to.
Creating a Content Definition
- Log on to your Mimecast Admin Console
- Navigate to Administration => Gateway => Policies
- Hover over the Definitions drop-down and select Content Definitions
- Open an existing folder or create a new one using the plus on the root folder icon.
- Click New Content Definition
- Create a definition with the following settings:
  - Description: Hold All Emails
  - Activation Score: 1
  - Word/ Phrase Match List: *
  - Scan Subject Line: Selected
  - Scan Message Body: Selected
  - Enable Inbound and Outbound Check: Selected
  - Policy Action: Hold for Review
  - Hold Type: If this is in response to a security issue, I like to set this to Administrator, but you could set it to User if you are happy with your user awareness training.
  - Notification Groups: Set as required. I like to notify just the intended internal recipient; if they were expecting the message, they can contact a Mimecast administrator to review and release it.
- Save and Exit
Creating a Content Examination Policy
Now we need to create a policy to define the scope of our new definition.
In this example I will hold all emails for review from the domain test.com to any internal address. But you could change the “Applies From” option to be an Individual Email Address rather than a whole domain, or change the “Applies To” option to hold only emails to a specific person.
- Navigate to Gateway => Policies => Content Examination
- Click New Policy and create a policy with the following settings:
  - Policy Narrative: Provide a name; I like to include a ticket/change reference number.
  - Select Content Definition: Select the newly created definition, “Hold All Emails”
  - Addresses Based On: Both
  - Applies From: Email Domain
  - Specifically: test.com (change as required)
  - Applies To: Internal Addresses
  - Policy Override: Selected
- Save and Exit
How to Find, Review and Release Emails
With the above policy in place, all emails matching the scope of the policy will be held for review. If you set the Hold Type to Administrator, as I did in this example, a Mimecast administrator will need to manually review and release any emails.
Below is how to find and release them after review.
- Navigate to Message Center => Held Messages
- Click Held Queue
- Search for the message using the from, to or subject
- Tick the required message(s) and click Release