SMTP call-ahead recipient validation allows you to perform recipient validation by querying an external
SMTP server prior to accepting incoming mail for the recipient. SMTP call-ahead recipient validation is
useful in cases where you might want to validate users but cannot use LDAP Accept or the Recipient
Access Table (RAT) for recipient validation. For example, a customer hosts mail for a large number of
different mailboxes, each using a separate domain. Because of the LDAP infrastructure, there is no way
to query the infrastructure to validate each of the customers in their separate domains. In this case, the
customer could set up SMTP call-ahead recipient validation to allow the Email Security appliance to
query the SMTP server and validate the recipient before continuing the SMTP conversation.

SMTP call-ahead recipient validation allows the Email Security appliance to save a significant amount
of processing on messages for invalid recipients. In normal processing, a message for an invalid recipient
must be processed through the work queue phases of the email pipeline before it can be dropped. Using
the SMTP call-ahead recipient validation feature, an invalid message can be dropped or bounced during
the incoming/receiving part of the email pipeline without requiring additional processing.

When you configure your Email Security appliance for SMTP call-ahead recipient validation, the Email
Security appliance suspends the SMTP conversation with the sending MTA while it “calls ahead” to the
SMTP server to verify the recipient. When the Cisco IronPort appliance queries the SMTP server, it
returns the SMTP server’s response to the Email Security appliance, and depending on the settings you
have configured, you can accept the mail or drop the connection with a code and custom response.

Figure 4-1

shows the basic workflow of the SMTP call-head validation conversation.