
How Email Filtering Works


At the filter level, the process tries to match the regular expression you defined in each field against the corresponding information (if available) from the email. If more than one field is defined, the matches of the individual fields are combined with a logical AND. For example, suppose we want to prevent our colleague Smith (whose email address is smith@example.com) from receiving any *.zip files. We should define the following filter:

  • ‘Receiver’ field should contain this regular expression: ^smith@example.com$
  • ‘Extension’ field should contain this regular expression: ^.*.zip$
  • Set the action of the filter to BLOCK

When this filter is matched against an email sent to smith@example.com that doesn’t have a zip archive attached to it, the ‘Receiver’ field matches (we mark this with a 1) but the ‘Extension’ field doesn’t (we mark it with a 0). The overall result for that email is 1 AND 0 = 0: the email did not match the filter. If Smith receives an email with a zip archive attached to it, the ‘Extension’ field matches this time, and the result is 1 AND 1 = 1. This time, the email matched the filter and it will be blocked.

At the macro level, every filter has a priority in the filter chain, and emails are matched against each filter in order. Once a match is found, the email is subjected to the action described by that filter. It doesn’t matter if there is another filter further down the chain that would match the same email.

The basic rule of thumb when dealing with email filters is: emails are matched in order against the filters, and when the first filter matches, its “action” is imposed on the email; the email then leaves the filtering chain without being checked against any later filter.

Because filters are ordered, you can create logical policies: closed policies, where a generic filter placed last blocks everything and specific ‘ACCEPT’ filters are placed before it; or open policies, where you create filters that deny specific cases. In an open policy there is no need to create an ‘ACCEPT everything’ filter, because the default policy for the email filtering chain is to accept everything.
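
The matching rules described above, modelled as an added Python example (not code from the product), showing the per-field AND, first-match-wins ordering, and how a broad ACCEPT placed too early hides a later BLOCK. Assumptions: the ‘Extension’ field is matched against attachment file names, a field with several values matches when any value matches, and all filter names, the second recipient and the sample emails are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Filter:
    name: str
    action: str      # "BLOCK" or "ACCEPT"
    fields: dict     # field name -> regular expression

    def matches(self, email: dict) -> bool:
        # Every defined field must match (logical AND). Missing information
        # means that field cannot match. Assumption: a multi-valued field,
        # such as attachments, matches when any one value matches.
        return all(
            any(re.search(rx, v) for v in email.get(name, []))
            for name, rx in self.fields.items()
        )

def evaluate(chain, email):
    """Return (action, filter name) of the first matching filter."""
    for flt in chain:
        if flt.matches(email):
            return flt.action, flt.name
    return "ACCEPT", "default policy"   # nothing matched: accept everything

# NO_ZIP is the Smith example with the regexes as given above. Note that
# "." is unescaped there, so it matches any character, not only a dot.
NO_ZIP = Filter("no-zip-for-smith", "BLOCK",
                {"Receiver": r"^smith@example.com$", "Extension": r"^.*.zip$"})
ALLOW_SMITH = Filter("allow-smith", "ACCEPT", {"Receiver": r"^smith@example.com$"})
BLOCK_ALL = Filter("block-everything", "BLOCK", {"Receiver": r"^.*$"})

# Constructed sample emails: each field holds a list of values.
ZIP_TO_SMITH = {"Receiver": ["smith@example.com"], "Extension": ["report.zip"]}
TEXT_TO_SMITH = {"Receiver": ["smith@example.com"], "Extension": []}
ZIP_TO_JONES = {"Receiver": ["jones@example.com"], "Extension": ["report.zip"]}

OPEN_POLICY = [NO_ZIP]                            # deny one case, default accepts
SHADOWED = [ALLOW_SMITH, NO_ZIP]                  # broad ACCEPT first hides the BLOCK
CLOSED_POLICY = [NO_ZIP, ALLOW_SMITH, BLOCK_ALL]  # generic BLOCK placed last

if __name__ == "__main__":
    chains = [("open", OPEN_POLICY), ("shadowed", SHADOWED), ("closed", CLOSED_POLICY)]
    for label, chain in chains:
        for mail in (ZIP_TO_SMITH, TEXT_TO_SMITH, ZIP_TO_JONES):
            print(label, mail["Receiver"][0], mail["Extension"], evaluate(chain, mail))
```

When reviewing a real chain, the SHADOWED ordering is the case to look for: any filter whose fields are a subset of a later filter's fields makes the later one unreachable.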