Don’t ask me why this is. BUT we have a rule that blocks webmail by category for anyone if the previous rule does not allow them to webmail category sites based on being in a special user group. Note that both these rules apply to the webmail category and ANY protocol. Yet, a lot of HTTPS webmail traffic gets through. So I added one more rule that blocks webmail https specifically. Strangely it works much better at stopping almost all webmail traffic now. Encrypted or not. Even though the category webmial protocol any rule should have been good enough.