Cisco Email Security Appliance X1070 User Guide
Cisco IronPort AsyncOS 7.5 for Email Advanced Configuration Guide
OL-25137-01
Chapter 3 LDAP Queries
Figure 3-23 Enabling SMTP Authentication on a Mail Flow Policy
SMTP Authentication and HAT Policy Settings
Because senders are grouped into the appropriate sender group before the SMTP
Authentication negotiation begins, Host Access Table (HAT) settings are not
affected. When a remote mail host connects, the appliance first determines which
sender group applies and imposes the Mail Policy for that sender group. For
example, if a remote MTA “suspicious.com” is in your SUSPECTLIST sender
group, the THROTTLE policy will be applied, regardless of the results of
“suspicious.com’s” SMTPAUTH negotiation.
However, senders that do authenticate using SMTPAUTH are treated differently
than “normal” senders. The connection behavior for successful SMTPAUTH
sessions changes to “RELAY,” effectively bypassing the Recipient Access Table
(RAT) and LDAPACCEPT. This allows the sender to relay messages through the
IronPort appliance. As stated, any Rate Limiting or throttling that applies will
remain in effect.
HAT Delayed Rejection
When HAT Delayed Rejection is configured, connections that would get dropped
based on the HAT Sender Group and Mail Flow Policy configuration can still
authenticate successfully and get the RELAY mail flow policy granted.
You can configure delayed rejection using the listenerconfig --> setup CLI
command. This behavior is disabled by default.
Number  Description
1.      The SMTP Authentication field provides listener-level control
        for SMTP authentication. If you select “No,” authentication will
        not be enabled on the listener, regardless of any other SMTP
        authentication settings you configure.
2.      If “Required” is selected in the second prompt (SMTP
        Authentication:), no AUTH keyword will be issued until TLS is
        negotiated (after the client issues a second EHLO command).
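An added example, not from the Cisco guide: a Python check of the behavior described in item 2, that no AUTH keyword appears until the EHLO that follows TLS negotiation. The EHLO replies and the host mail.example.com are constructed samples, and `capture()` is a hypothetical helper for probing a listener you administer.

```python
import re
import smtplib

def extensions(ehlo_reply):
    """Parse a multi-line EHLO reply into {KEYWORD: parameters}."""
    exts = {}
    for line in ehlo_reply.strip().splitlines()[1:]:  # line 0 is the greeting
        if line.startswith("250") and len(line) > 4:
            # Accept both "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN"
            parts = re.split(r"[ =]", line[4:].strip(), maxsplit=1)
            exts[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return exts

def audit(pre_tls, post_tls):
    """Findings for a listener that should hold back AUTH until TLS is up."""
    before, after = extensions(pre_tls), extensions(post_tls)
    findings = []
    if "AUTH" in before:
        findings.append("AUTH advertised before STARTTLS")
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered on the first EHLO")
    if "AUTH" not in after:
        findings.append("AUTH not offered on the second EHLO")
    return findings

def capture(host, port=25):
    """Hypothetical helper: fetch both EHLO replies from your own listener."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        _, pre = s.ehlo()
        s.starttls()               # raises if STARTTLS is not offered
        _, post = s.ehlo()         # the "second EHLO" the guide refers to
    # smtplib strips reply codes; restore them so extensions() can parse
    restore = lambda raw: "\n".join("250-" + l for l in raw.decode().splitlines())
    return restore(pre), restore(post)

# Constructed sample replies (not captured from a real appliance)
GOOD_PRE = "250-mail.example.com\n250-8BITMIME\n250-SIZE 10485760\n250 STARTTLS"
GOOD_POST = "250-mail.example.com\n250-8BITMIME\n250-SIZE 10485760\n250 AUTH PLAIN LOGIN"
BAD_PRE = "250-mail.example.com\n250-8BITMIME\n250-AUTH=PLAIN LOGIN\n250 STARTTLS"

if __name__ == "__main__":
    for name, pre in (("compliant", GOOD_PRE), ("cleartext AUTH", BAD_PRE)):
        print(name, "->", audit(pre, GOOD_POST) or "no findings")
```

For a live check, pass the two strings returned by `capture()` to `audit()`; an empty list means AUTH was withheld until after TLS.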