Since there seems to be much confusion about how these two features work in the MEG, I figured I would devote some time to discussing them today.  The features are mostly unrelated, although they may seem to be related.  In order to best cover them, I'll discuss each in turn and then how they interact.


Action Priority



Customers frequently call in not understanding exactly how action priority works.  Thus, we'll discuss this first.  In the above image, I have captured the additional actions section from the anti-spam settings in the MEG appliance.  When the MEG is working on scanning a message within a policy, the MEG runs all the various tools present in the box.  As each tool decides what to do, the MEG builds up a list of each tool and the actions it recommends.  It gathers the Primary actions and the Secondary actions into separate lists.


Once the scanning is complete, the MEG then resolves the actions to be taken.  First it checks the primary actions to be taken.  In the above image, the primary action is listed in the pull-down box.  In this example, the primary action is to "Accept and then drop the data (Block)".   Other primary actions would be things like "Allow Through", "Reject, Close, and Deny" or "Deny Connection" (these two are the same thing), "Replace the content with an alert", etc.  As you look at these actions, it is important to understand that priority goes from Deny Connection down to Allow Through.  Although the product guide discusses the order of the actions in more detail, a good rule of thumb is that the higher the option appears in the list in the drop-down box, the higher the priority.  A Deny Connection action will trump all other actions, whereas an Allow Through action will be trumped by all other actions.


After the MEG has chosen the highest-priority primary action, it then builds a list of all the secondary actions which have been selected.  Unlike the primary actions, it doesn't just pick one.  In this case, it does them all.  Suppose three different tools all hit on a message: one chooses to Deny Connection, one chooses to Allow Through but (as a secondary action) send a notification to someone, and the third chooses to Accept and drop the data and (as a secondary action) quarantine the original message.  The MEG is going to Reject the message with a 550 message, immediately close the connection, add the source IP to the denied connections list, send a notification to someone, and quarantine the original message.  At this time, there is no way to set up a secondary action which tells the MEG to stop processing the message (or stop processing secondary actions) and just be done with the message.
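The resolution logic described above can be modeled in a few lines. This is an added example, not code from the MEG appliance; the tool names and the relative order of the two middle primary actions are assumptions made for illustration (the article only fixes Deny Connection at the top and Allow Through at the bottom).

```python
# Simplified model of MEG action resolution (added example, not product code).
# Highest priority first. Top and bottom entries come from the article; the
# order of the two middle entries is an assumption.
PRIMARY_PRIORITY = [
    "Deny Connection",
    "Accept and then drop the data (Block)",
    "Replace the content with an alert",
    "Allow Through",
]


def resolve_actions(recommendations):
    """Resolve (tool, primary_action, [secondary_actions]) tuples.

    Returns the single winning primary action and every secondary action
    requested by any tool, in first-seen order without duplicates.
    """
    if not recommendations:
        # Assumption: with no tool triggering, nothing overrides Allow Through.
        return "Allow Through", []
    rank = {name: i for i, name in enumerate(PRIMARY_PRIORITY)}
    # Only one primary action survives: the one highest in the list.
    primary = min((p for _, p, _ in recommendations), key=rank.__getitem__)
    # Secondary actions are not ranked: all of them are carried out, including
    # those attached to a primary action that lost.
    secondary = []
    for _, _, extras in recommendations:
        for action in extras:
            if action not in secondary:
                secondary.append(action)
    return primary, secondary


# Constructed sample mirroring the three-tool scenario in the text.
SAMPLE = [
    ("Tool A", "Deny Connection", []),
    ("Tool B", "Allow Through", ["Send a notification"]),
    ("Tool C", "Accept and then drop the data (Block)",
     ["Quarantine the original message"]),
]

if __name__ == "__main__":
    print(resolve_actions(SAMPLE))
```

The notification and the quarantine copy are still produced even though the tools that requested them lost the primary-action decision, which is worth keeping in mind when reviewing what ends up in quarantine for denied connections.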


Maximum Policies per Email




The MEG software has a setting in the protocol settings for SMTP that will allow an admin to define the maximum number of policies which may be applied per message.  This is an oft-misunderstood setting, so we'll set the record straight here as to exactly what it does and how it can be used.


The first thing to understand is that the MEG is designed to split messages automatically.  Any time a message is processed, it goes through the list of policies defined under Email Policies with each new piece of data it gathers about the message.  Admins can design policies to apply to users or groups of users (whether using LDAP or not).  As an example, let's say we have two policies (other than the default) on our MEG appliance with one defined as Recipient LDAP group is Executives and the other defined as Recipient LDAP group is HR.  A message comes into our MEG with three recipients; one recipient is a member of HR, one is an executive (and thus in the Executives LDAP group), and the third is just a general user.  When the MEG receives the RCPT TO line with the executive's email address on it, it looks at the policies and decides that the Executives policy needs to apply.  It then receives the RCPT TO line with the HR user's email on it, and splits the message so that now one copy of the message will go through the Executives policy and one will go through the HR policy.  Finally it receives the third RCPT TO line with the general user's email address and splits the message a third time, this time applying the default policy since no other policy applies.  If we had the same example but the Maximum number of policies per email setting shown above were set to 2, when it got the third recipient which fit neither of the two earlier policies, it would revert the message entirely to the Default policy and the message wouldn't be split.
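The splitting behaviour and the effect of the cap can be traced with a small model. This is an added example, not code from the MEG appliance; the addresses, the group lookup table and the function names are constructed for illustration, and the Default policy is counted toward the limit because that is how the example in the text behaves.

```python
# Simplified model of per-recipient policy splitting (added example).
DEFAULT = "Default"

# Constructed sample data: recipient -> LDAP group, and group -> policy.
GROUP_OF = {"exec@example.com": "Executives", "hr@example.com": "HR"}
POLICY_BY_GROUP = {"Executives": "Executives policy", "HR": "HR policy"}
RCPTS = ["exec@example.com", "hr@example.com", "user@example.com"]


def policy_for(recipient):
    """Pick the policy for one RCPT TO address; fall back to Default."""
    return POLICY_BY_GROUP.get(GROUP_OF.get(recipient), DEFAULT)


def split_message(recipients, max_policies):
    """Return {policy: [recipients]} for the copies of one message.

    Recipients are handled in RCPT TO order. If a recipient would bring in
    one policy more than max_policies allows, the whole message reverts to
    the Default policy and is not split at all.
    """
    copies = {}
    for rcpt in recipients:
        policy = policy_for(rcpt)
        if policy not in copies and len(copies) + 1 > max_policies:
            # Limit exceeded: every recipient, including those already
            # matched to a specific policy, is scanned under Default.
            return {DEFAULT: list(recipients)}
        copies.setdefault(policy, []).append(rcpt)
    return copies


if __name__ == "__main__":
    print(split_message(RCPTS, max_policies=3))  # three copies
    print(split_message(RCPTS, max_policies=2))  # one copy, Default only
```

With the limit at 2, the executive and HR recipients are scanned under the Default policy rather than their own, so the Default policy's settings are the ones that matter for such messages.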


How do they combine?


In short, they don't. Yes, actions do have priorities.  Yes, there's a maximum number of policies per email.  Think of email policies as the rows on the Policies page.  Each policy has multiple features, each of which proposes one or more actions.  The maximum policies per email decides the maximum number of rows which can apply to a message.  The action priority determines which primary action takes effect within one policy.


I hope this helps explain how the MEG appliance works and clears up some of the confusion here.  If you have any questions about this, please feel free to comment here or in the forums.