[Gateway] Extended email match (#12544)

cloudflare · Jan 19, 2024 · 935a14e · 935a14e
1 parent 71d9c61
commit 935a14e
Show file tree

Hide file tree

Showing 4 changed files with 87 additions and 12 deletions.
diff --git a/content/cloudflare-one/_partials/gateway/_extended-email.md b/content/cloudflare-one/_partials/gateway/_extended-email.md
@@ -0,0 +1,57 @@
+---
+_build:
+  publishResources: false
+  render: never
+  list: never
+---
+
+Extended email addresses (also known as plus addresses) are variants of an existing email address with `+` or `.` modifiers. Many email providers, such as Gmail and Outlook, deliver emails intended for an extended address to its original address. For example, providers will deliver emails sent to `contact+123@example.com` or `con.tact@example.com` to `contact@example.com`.
+
+By default, Gateway will either filter only exact matches or all extended variants depending on the type of policy and action used:
+
+{{<details header="DNS policies">}}
+
+| Action             | Behavior                             |
+| ------------------ | ------------------------------------ |
+| Allow              | Match exact address only             |
+| Block              | Match exact address and all variants |
+| Override           | Match exact address and all variants |
+| Safe Search        | Match exact address and all variants |
+| YouTube Restricted | Match exact address and all variants |
+
+{{</details>}}
+
+{{<details header="Network policies">}}
+
+| Action           | Behavior                             |
+| ---------------- | ------------------------------------ |
+| Allow            | Match exact address only             |
+| Audit SSH        | Match exact address and all variants |
+| Block            | Match exact address and all variants |
+| Network Override | Match exact address only             |
+
+{{</details>}}
+
+{{<details header="HTTP policies">}}
+
+| Action         | Behavior                             |
+| -------------- | ------------------------------------ |
+| Allow          | Match exact address only             |
+| Block          | Match exact address and all variants |
+| Do Not Inspect | Match exact address only             |
+| Do Not Isolate | Match exact address only             |
+| Do Not Scan    | Match exact address only             |
+| Isolate        | Match exact address and all variants |
+
+{{</details>}}
+
+{{<details header="Other policies">}}
+
+| Policy type     | Behavior                 |
+| --------------- | ------------------------ |
+| Egress policy   | Match exact address only |
+| Resolver policy | Match exact address only |
+
+{{</details>}}
+
+To force Gateway to match all email address variants, go to **Settings** > **Network** > **Firewall** and turn on **Match extended email addresses**. This setting applies to all firewall, egress, and resolver policies.
diff --git a/content/cloudflare-one/_partials/gateway/_url-slash.md b/content/cloudflare-one/_partials/gateway/_url-slash.md
@@ -5,6 +5,8 @@ _build:
   list: never
 ---
 
-{{<Aside type="warning">}}
+<div class="special-class" markdown="1">
+
 Gateway ignores trailing forward slashes (`/`) in URLs. For example, `https://example.com` and `https://example.com/` will count as the same URL and may return a duplicate error.
-{{</Aside>}}
+
+</div>
diff --git a/content/cloudflare-one/policies/gateway/identity-selectors.md b/content/cloudflare-one/policies/gateway/identity-selectors.md
@@ -19,6 +19,10 @@ If you add or remove a user from a group in your IdP, Gateway will not detect th
 - Log out from an Access-protected application and log back in.
 - In their WARP client settings, select **Preferences** > **Account** > **Re-Authenticate Session**. This will open a browser window and prompt the user to log in.
 
+### Extended email addresses
+
+{{<render file="gateway/_extended-email.md">}}
+
 ## Identity-based selectors
 
 ### SAML Attributes
@@ -91,8 +95,8 @@ Because IdPs expose user groups in different formats, reference the list below t
 
 If you enabled user and group synchronization with [SCIM](/cloudflare-one/identity/idp-integration/azuread/#synchronize-users-and-groups), the synchronized groups will appear under _User Group Names_:
 
-| Selector       | Value                                 |
-| -------------- | ------------------------------------- |
+| Selector         | Value        |
+| ---------------- | ------------ |
 | User Group Names | `SCIM group` |
 
 ### GitHub
@@ -131,7 +135,7 @@ For a [generic SAML provider](/cloudflare-one/identity/idp-integration/generic-s
 
 | Selector        | Attribute name | Attribute value |
 | --------------- | -------------- | --------------- |
-| SAML Attributes | `department`    | `Marketing`     |
+| SAML Attributes | `department`   | `Marketing`     |
 
 ### Generic OIDC IdP
 

diff --git a/content/cloudflare-one/policies/gateway/lists.md b/content/cloudflare-one/policies/gateway/lists.md
@@ -6,15 +6,9 @@ weight: 13
 
 # Lists
 
-{{<Aside type="note" header="Plan limitations">}}
-Your lists can include up to 1,000 entries for Standard plans and 5,000 for Enterprise plans. An uploaded CSV file must be smaller than 2 MB.
-{{</Aside>}}
-
 With Cloudflare Zero Trust, you can create lists of URLs, hostnames, or other entries to reference when creating [Gateway policies](/cloudflare-one/policies/gateway/) or [Access policies](/cloudflare-one/policies/access/). This allows you to quickly create rules that match and take actions against several items at once.
 
-Lists cannot have duplicate entries. Because hostnames are converted to [Punycode](https://www.rfc-editor.org/rfc/rfc3492.txt), multiple list entries that convert to the same string will count as duplicates. For example, `éxàmple.com` converts to `xn—xmple-rqa5d.com`, so including both `éxàmple.com` and `xn—xmple-rqa5d.com` in a list will result in an error.
-
-{{<render file="gateway/_url-slash.md">}}
+Before creating a list, make note of the [limitations](#limitations).
 
 {{<render file="gateway/_lists.md">}}
 
@@ -30,3 +24,21 @@ Lists cannot have duplicate entries. Because hostnames are converted to [Punycod
    - Manually add entries to your list.
 
 3. Once you have edited your list, select **Save**.
+
+## Limitations
+
+### List size
+
+Your lists can include up to 1,000 entries for Standard plans and 5,000 for Enterprise plans. An uploaded CSV file must be smaller than 2 MB.
+
+### Duplicate entries
+
+Lists cannot have duplicate entries. Because hostnames are converted to [Punycode](https://www.rfc-editor.org/rfc/rfc3492.txt), multiple list entries that convert to the same string will count as duplicates. For example, `éxàmple.com` converts to `xn—xmple-rqa5d.com`, so including both `éxàmple.com` and `xn—xmple-rqa5d.com` in a list will result in an error.
+
+### URL slashes
+
+{{<render file="gateway/_url-slash.md">}}
+
+### Extended email addresses
+
+{{<render file="gateway/_extended-email.md">}}