Cisco Email Security Appliance C160 Operating Instructions
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 4 Understanding the Email Pipeline
LDAP Recipient Acceptance
You can use your existing LDAP infrastructure to define how the recipient email address of incoming
messages (on a public listener) should be handled during the SMTP conversation or within the
work queue. See “Accept Queries” in the “Customizing Listeners” chapter of the Cisco IronPort AsyncOS
for Email Advanced Configuration Guide. This allows the Cisco IronPort appliance to combat directory
harvest attacks (DHAP) in a unique way: the system accepts the message and performs the LDAP
acceptance validation within the SMTP conversation or the work queue. If the recipient is not found in
the LDAP directory, you can configure the system to perform a delayed bounce or drop the message
entirely.
For more information, see the “LDAP Queries” chapter in the Cisco IronPort AsyncOS for Email
Advanced Configuration Guide.
SMTP Call-Ahead Recipient Validation
When you configure your Email Security appliance for SMTP call-ahead recipient validation, the Email
Security appliance suspends the SMTP conversation with the sending MTA while it “calls ahead” to the
SMTP server to verify the recipient. When the Cisco IronPort appliance queries the SMTP server, it
returns the SMTP server’s response to the Email Security appliance. The Email Security appliance
resumes the SMTP conversation and sends a response to the sending MTA, allowing the conversation to
continue or dropping the connection based on the SMTP server response (and settings you configure in
the SMTP Call-Ahead profile).
For more information, see the “Validating Recipients Using an SMTP Server” chapter in the Cisco
IronPort AsyncOS for Email Advanced Configuration Guide.
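
The call-ahead decision described above, modeled as an added example (not code from Cisco or from this guide). The downstream server is a constructed in-memory table, and the profile fields `drop_on_invalid` and `fail_open` are hypothetical names for this sketch, not AsyncOS settings.

```python
from dataclasses import dataclass

# Constructed downstream mailbox server: RCPT TO address -> reply line.
# None models a call-ahead timeout. Addresses and replies are made up.
DOWNSTREAM = {
    "alice@example.com": "250 2.1.5 Recipient OK",
    "ghost@example.com": "550 5.1.1 User unknown",
    "busy@example.com": "451 4.3.0 Try again later",
    "slow@example.com": None,
}

@dataclass
class CallAheadProfile:
    # Hypothetical knobs for this sketch, not AsyncOS setting names.
    drop_on_invalid: bool = False   # True: close the connection on a 5xx verdict
    fail_open: bool = False         # True: accept when the verdict is 4xx/timeout

def call_ahead(rcpt):
    """Query the downstream server for one recipient (unknown -> 550)."""
    return DOWNSTREAM.get(rcpt, "550 5.1.1 User unknown")

def respond_to_sender(rcpt, profile):
    """Return (reply line for the sending MTA, keep_connection_open)."""
    verdict = call_ahead(rcpt)  # inbound conversation is suspended here
    code = int(verdict[:3]) if verdict else None
    if code is not None and 200 <= code < 300:
        return "250 2.1.5 Recipient accepted", True
    if code is not None and 500 <= code < 600:
        if profile.drop_on_invalid:
            return "421 4.7.0 Closing connection", False
        return verdict, True  # relay the downstream rejection
    # 4xx or no answer: the gateway cannot tell whether the mailbox exists
    if profile.fail_open:
        return "250 2.1.5 Recipient accepted (unverified)", True
    return "451 4.4.0 Recipient verification unavailable", True

def run_session(recipients, profile):
    """Handle RCPT TO commands in order; stop once the connection is dropped."""
    transcript = []
    for rcpt in recipients:
        line, keep_open = respond_to_sender(rcpt, profile)
        transcript.append((rcpt, line))
        if not keep_open:
            break
    return transcript

if __name__ == "__main__":
    for rcpt, line in run_session(list(DOWNSTREAM), CallAheadProfile()):
        print(f"RCPT TO:<{rcpt}> -> {line}")
```

Failing open on a timeout keeps mail flowing but lets unverified recipients into the work queue; failing closed defers the sender until the downstream server answers.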
Work Queue / Routing
The Work Queue is where the received message is processed before moving to the delivery phase.
Processing includes masquerading, routing, filtering, safelist/blocklist scanning, anti-spam and
anti-virus scanning, Outbreak Filters, and quarantining.
Note
Data loss prevention (DLP) scanning is only available for outgoing messages. For information on where
DLP message scanning occurs in the Work Queue, see
.
Email Pipeline and Security Services
Note, as a general rule, changes to security services (anti-spam scanning, anti-virus scanning, and
Outbreak Filters) do not affect messages already in the work queue. As an example:
If a message bypasses anti-virus scanning when it first enters the pipeline because of any of these
reasons:
• anti-virus scanning was not enabled globally for the appliance, or
• the HAT policy was to skip anti-virus scanning, or
• there was a message filter that caused the message to bypass anti-virus scanning,