Cisco Secure Email CLI

Written by Ali Murtaza

About Cisco Secure Email

Cisco Secure Email Appliance is a virtual, all-in-one appliance that provides protection against spam, malware, viruses, and other inbound and outbound email threats and annoyances.

Together, SIRP and Cisco Secure Email deliver advanced email security. SIRP’s integration with Cisco Secure Email allows security teams to execute response actions right from SIRP.

Supported Actions

SIRP’s Cisco Secure Email integration app allows you to execute the following actions:

  1. Push Domain to Blocklist

  2. Push IP to Blocklist

  3. Remove Domain from Blocklist

  4. Remove IP from Blocklist

  5. Push Domain To Dictionary

  6. Push IP To Dictionary

  7. Push Hash To Dictionary

  8. Push Email To Dictionary

  9. Remove Domain From Dictionary

  10. Remove IP From Dictionary

  11. Remove Hash From Dictionary

  12. Remove Email From Dictionary

Enable and Configure Cisco Secure Email

Network Requirements:

  • Port 22 (SSH Protocol)

Create a new user on the Cisco Secure Email

  1. Open your Cisco SE instance.

  2. In the System Administration, go to Users.

  3. Click on Add User

  4. Enter User Name and Full Name, and assign an Operator role (at minimum) to this new user.

  5. Click Submit

  6. Remember to commit the changes at the end.

Enable the Cisco Secure Email app in SIRP

  1. First, log in to SIRP, then go to Apps from the left navigation bar.

  2. Locate the app named Secure Email CLI.

  3. Enable the Secure Email CLI app by clicking the toggle button under the Status column.

Once you enable the app, click the Configure option to add the Cisco ESA login credentials.

Add the following details and click Save:

  1. Configuration Name: <Name to identify configuration>

  2. Host: <IP or domain of Secure Email instance>

  3. Username: <User ID from Cisco Secure Email>

  4. Password: <Password of the newly created user in Cisco Secure Email>

  5. Port: <Port defined to SSH into Secure Email>

  6. Cluster: true or false

  7. IP-Dictionary: <ID of respective dictionary>

  8. Domain-Dictionary: <ID of respective dictionary>

  9. Hash-Dictionary: <ID of respective dictionary>

  10. Email-Dictionary: <ID of respective dictionary>

Integration in Action

Both IPs and Domains can be pushed from SIRP into Secure Email's HAT (Host Access Table).

The pushed entry can be found in Mail Policies > HAT Overview > BLOCKED_LIST.

The following snippet shows you the steps taken by the integration script to block an IP address.

myesa.local> listenerconfig
[]> edit
Enter the name or number of the listener you wish to edit.
[]> 1
Choose the operation you want to perform:
- NAME - Change the name of the listener.
- INTERFACE - Change the interface.
- CERTIFICATE - Choose the certificate.
- LIMITS - Change the injection limits.
- SETUP - Configure general options.
- HOSTACCESS - Modify the Host Access Table.
- RCPTACCESS - Modify the Recipient Access Table.
- BOUNCECONFIG - Choose the bounce profile to use for messages injected on this
listener.
- MASQUERADE - Configure the Domain Masquerading Table.
- DOMAINMAP - Configure domain mappings.
- LDAPACCEPT - Configure an LDAP query to determine whether a recipient address
should be accepted or bounced/dropped.
- LDAPGROUP - Configure an LDAP query to determine whether a sender or recipient
is in a specified group.
[]> hostaccess

Choose the operation you want to perform:
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- MOVE - Move an entry.
- DEFAULT - Set the defaults.
- PRINT - Display the table.
- IMPORT - Import a table from a file.
- EXPORT - Export the table to a file.
- RESET - Remove senders and set policies to system default.
[]> edit

1. Edit Sender Group
2. Edit Policy
[1]> 1

Currently configured HAT sender groups:
1. ALLOWSPOOF
2. MY_INBOUND_RELAY
3. WHITELIST (My trusted senders have no anti-spam scanning or rate limiting)
4. BLACKLIST (Spammers are rejected)
5. SUSPECTLIST (Suspicious senders are throttled)
6. UNKNOWNLIST (Reviewed but undecided, continue normal acceptance)
7. (no name, first host = ALL) (Everyone else)
Enter the sender group number or name you wish to edit.
[]> 4

Choose the operation you want to perform:
- NEW - Add a new host.
- DELETE - Remove a host.
- POLICY - Change the policy settings and options.
- PRINT - Display the current definition.
- RENAME - Rename this sender group.
[]> new

- a hostname such as crm.example.com
- a partial hostname such as .example.com
- a range of SenderBase Reputation Scores in the form SBRS[7.5:10.0]
- a SenderBase Network Owner ID in the form SBO:12345
- a remote blacklist query in the form dnslist[query.blacklist.example]
Separate multiple entries with commas.
[]> badhost.example.org, 10.1.1.10

Integration in Action through Dictionaries

IPs, Domains, Hashes, and Email Addresses can be pushed into Secure Email's dictionaries, which are in turn referenced by its Incoming and Outgoing Mail Policies.

The pushed entry can be found in Mail Policies > Dictionaries > IP.

Why opt for CLI-based integration:

Currently, there is a limitation in the AsyncOS API provided by Cisco: it can only block domains for one recipient or sender at a time. Due to this limitation, we rolled out a CLI-based integration that blocks domains and IPs for the entire organization by pushing the values into the HAT (Host Access Table). Additionally, we rolled out another set of actions that push IOCs into their designated dictionaries.

The following snippet shows you the steps taken by the integration script to push an IP into its dictionary in Secure Email.

esa.sirp.com> dictionaryconfig

Currently configured content dictionaries:
1. Domain
2. Emails
3. Hashes
4. IP

Choose the operation you want to perform:
- NEW - Create a new content dictionary.
- EDIT - Modify a content dictionary.
- DELETE - Remove a content dictionary.
- DICTIONARYLIMITS - Configure maximum number of content dictionaries that you can create in your email gateway.
- RENAME - Change the name of a content dictionary.
[]> edit

Enter the number of the dictionary you want to edit:
1. Domain
2. Emails
3. Hashes
4. IP
[]> 4

Choose the operation you want to perform on dictionary 'IP':
- NEW - Create new entries in this dictionary.
- IMPORT - Replace all of the words in this dictionary.
- EXPORT - Export the words in this dictionary.
- DELETE - Remove an entry in this dictionary.
- PRINT - List the entries in this dictionary.
- SETTINGS - Change settings for this dictionary.
[]> new

Enter new words or regular expressions. Separate multiple entries with line breaks. Optionally define weights by separating the word or expression with a comma and number. Enter a
blank line to finish.
65.52.198.174

esa.sirp.com> commit

Please enter some comments describing your changes:
[]>

Do you want to save the current configuration for rollback? [Y]> n

Changes committed: Thu Dec 15 14:28:56 2022 PKT
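As an added example (not SIRP's integration code and not Cisco's), the Python script below builds the two command sequences shown in the transcripts above, the HAT blocklist push and the dictionary push, followed by the final commit. It validates every IOC before it is typed, so that a value containing spaces, commas or menu keywords cannot be sent to the wrong prompt, and runs the steps through a transport-agnostic driver. The prompt fragments come from the transcripts; the SSH transport, the number of empty lines needed to back out of each menu level, and the FakeEsa stand-in used to run it offline are assumptions.

```python
"""Build and drive the AsyncOS CLI command sequences that push IOCs into the
HAT BLACKLIST sender group and into a content dictionary, mirroring the two
transcripts in this article. Added illustration, not SIRP's integration code.
Prompt fragments are taken from the transcripts; the transport is abstracted so
the same step list can be fed to an SSH channel or to the in-memory fake below."""
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

# (prompt fragment to wait for, or None to type immediately; line to type)
Step = Tuple[Optional[str], str]

_DOMAIN_RE = re.compile(r"^\.?(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
_EMAIL_RE = re.compile(r"^[^@\s,]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def validate_ioc(kind: str, value: str) -> str:
    """Accept only a well-formed IP/CIDR, domain, SHA-256 or email address.
    Anything else is rejected before it reaches the CLI, where a stray comma or
    newline would be interpreted as a separate entry or menu answer."""
    value = value.strip()
    if kind == "ip":
        ipaddress.ip_network(value, strict=False)  # raises ValueError if malformed
        return value
    pattern = {"domain": _DOMAIN_RE, "hash": _SHA256_RE, "email": _EMAIL_RE}[kind]
    if not pattern.match(value):
        raise ValueError(f"not a valid {kind}: {value!r}")
    return value


def is_valid_ioc(kind: str, value: str) -> bool:
    """Boolean form of validate_ioc, convenient for pre-checking a batch."""
    try:
        validate_ioc(kind, value)
        return True
    except (ValueError, KeyError):
        return False


def hat_block_steps(entries: List[str], listener: str = "1",
                    group: str = "BLACKLIST") -> List[Step]:
    """listenerconfig > edit > listener > hostaccess > edit > Edit Sender Group >
    group > new > comma-separated hosts, then back out to the top prompt."""
    hosts = [validate_ioc("domain" if _DOMAIN_RE.match(e.strip()) else "ip", e)
             for e in entries]
    return [
        ("> ", "listenerconfig"),
        ("[]> ", "edit"),
        ("[]> ", listener),        # listener number as listed by the prompt
        ("[]> ", "hostaccess"),
        ("[]> ", "edit"),
        ("[1]> ", "1"),            # 1 = Edit Sender Group
        ("[]> ", group),           # sender-group name (the transcript used its number, 4)
        ("[]> ", "new"),
        ("[]> ", ", ".join(hosts)),
    ] + [("[]> ", "")] * 4         # assumed: one empty line per nested menu level


def dictionary_push_steps(dictionary_id: str, kind: str, values: List[str]) -> List[Step]:
    """dictionaryconfig > edit > dictionary number > new > one value per line >
    empty line to finish, then back out of the two menus (assumed depth)."""
    if not values:
        raise ValueError("nothing to push")
    clean = [validate_ioc(kind, v) for v in values]
    steps: List[Step] = [
        ("> ", "dictionaryconfig"),
        ("[]> ", "edit"),
        ("[]> ", dictionary_id),   # the dictionary ID configured in the SIRP app
        ("[]> ", "new"),
        ("finish.", clean[0]),     # instruction text ends with "blank line to finish."
    ]
    steps += [(None, v) for v in clean[1:]]
    steps += [(None, ""), ("[]> ", ""), ("[]> ", "")]
    return steps


def commit_steps(comment: str, save_rollback: bool = False) -> List[Step]:
    """Top-level commit; the transcript answered 'n' to the rollback question."""
    return [("> ", "commit"), ("[]> ", comment), ("[Y]> ", "y" if save_rollback else "n")]


def run_steps(steps: List[Step], read_until: Callable[[str], str],
              send_line: Callable[[str], None]) -> str:
    """Transport-agnostic driver: wait for each prompt fragment, then type the reply.
    Against a live appliance, read_until/send_line would wrap an SSH channel."""
    transcript = []
    for wait_for, reply in steps:
        if wait_for is not None:
            transcript.append(read_until(wait_for))
        send_line(reply)
    return "".join(transcript)


class FakeEsa:
    """Constructed stand-in for the SSH session: echoes the awaited prompt
    fragment and records every line typed, so the sequence can be inspected."""
    def __init__(self) -> None:
        self.sent: List[str] = []

    def read_until(self, fragment: str) -> str:
        return fragment

    def send_line(self, line: str) -> None:
        self.sent.append(line)


def block_ip_and_push_dictionary(esa: FakeEsa) -> List[str]:
    """Replay both transcripts (HAT block, IP dictionary push) and commit."""
    steps = (hat_block_steps(["badhost.example.org", "10.1.1.10"])
             + dictionary_push_steps("4", "ip", ["65.52.198.174"])
             + commit_steps("SIRP: blocklist and IP dictionary update"))
    run_steps(steps, esa.read_until, esa.send_line)
    return esa.sent


if __name__ == "__main__":
    print("\n".join(block_ip_and_push_dictionary(FakeEsa())))
```

In production the two callbacks would wrap the SSH channel, and the driver should also inspect the text returned by read_until for an error line or an unexpected prompt before typing the next reply, since a wrong menu depth would otherwise feed IOC values into the wrong question. Keeping the validation in front of the step builder is the important part: the HAT and dictionary prompts treat commas and newlines as entry separators, so an unchecked value from a ticket field would otherwise be split into several entries.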