Cisco Email Security Appliance C650 User Guide
Chapter 5 Configuring the Gateway to Receive Email
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
verification prior to the SMTP conversation (connection filtering based on DNS
lookups of the sender’s IP address) also helps reduce the amount of junk email
processed through the mail pipeline on the Cisco IronPort appliance.
Mail from unverified senders is not automatically discarded. Instead, AsyncOS
provides sender verification settings that allow you to determine how the
appliance handles mail from unverified senders: you can configure your Cisco
IronPort appliance to automatically block all mail from unverified senders prior
to the SMTP conversation or throttle unverified senders, for example.
The sender verification feature consists of two components: verification of the
connecting host, which occurs prior to the SMTP conversation, and verification
of the domain portion of the envelope sender, which occurs during the SMTP
conversation.
Sender Verification: Host
Senders can be unverified for different reasons. For example, the DNS server
could be “down” or not responding, or the domain may not exist. Host DNS
verification settings for sender groups allow you to classify unverified senders
prior to the SMTP conversation and include different types of unverified senders
in your various sender groups.
The Cisco IronPort appliance attempts to verify the sending domain of the
connecting host via DNS for incoming mail. This verification is performed prior
to the SMTP conversation. The system acquires and verifies the validity of the
remote host’s IP address (that is, the domain) by performing a double DNS lookup.
A double DNS lookup is defined as a reverse DNS (PTR) lookup on the IP address
of the connecting host, followed by a forward DNS (A) lookup on the results of
the PTR lookup. The appliance then checks that the results of the A lookup match
the results of the PTR lookup. If the PTR or A lookups fail, or the results do not
match, the system uses only the IP address to match entries in the HAT and the
sender is considered unverified.
Unverified senders are classified into three categories:
• Connecting host PTR record does not exist in the DNS.
• Connecting host PTR record lookup fails due to temporary DNS failure.
• Connecting host reverse DNS lookup (PTR) does not match the forward DNS
lookup (A).
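The double DNS lookup and the three unverified categories above, sketched as an added example; this is not code from AsyncOS or from the Cisco guide. The resolver functions, status names and DNS data are constructed for illustration, and treating a failed A lookup as a mismatch is this example's assumption.

```python
import ipaddress

class NoRecord(Exception):
    """Authoritative answer: the record does not exist."""

class TempFail(Exception):
    """Timeout or SERVFAIL: the answer is unknown right now."""

def classify_host(ip, lookup_ptr, lookup_a):
    """Double DNS lookup (PTR, then A); returns (status, verified_name)."""
    ip = str(ipaddress.ip_address(ip))  # reject malformed input early
    try:
        names = lookup_ptr(ip)
    except NoRecord:
        return ("ptr_missing", None)       # category 1
    except TempFail:
        return ("ptr_tempfail", None)      # category 2
    for name in names:
        try:
            addrs = lookup_a(name)
        except (NoRecord, TempFail):
            continue  # assumption: a failed A lookup cannot confirm the name
        if ip in {str(ipaddress.ip_address(a)) for a in addrs}:
            return ("verified", name.rstrip(".").lower())
    return ("ptr_mismatch", None)          # category 3

# Constructed zone data (documentation address ranges, example domains).
PTR = {"192.0.2.10": ["mail.example.com."],
       "192.0.2.20": ["spoofed.example.net."],
       "198.51.100.7": TempFail}           # resolver times out for this IP
A = {"mail.example.com.": ["192.0.2.10"],
     "spoofed.example.net.": ["203.0.113.99"]}

def table_resolver(table):
    """Hypothetical stand-in for a DNS resolver, backed by a dict."""
    def resolve(key):
        value = table.get(key)
        if value is None:
            raise NoRecord(key)
        if value is TempFail:
            raise TempFail(key)
        return value
    return resolve

fake_ptr, fake_a = table_resolver(PTR), table_resolver(A)

if __name__ == "__main__":
    for host in ("192.0.2.10", "192.0.2.20", "198.51.100.7", "203.0.113.5"):
        print(host, classify_host(host, fake_ptr, fake_a))
```

Keeping the temporary-failure case separate from the missing-PTR case matters because a resolver outage on the receiving side would otherwise be indistinguishable from a sender with no reverse DNS.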