Cisco Email Security Appliance X1070 User Guide
5-57
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Chapter 5 Configuring the Gateway to Receive Email
Using the sender group “Connecting Host DNS Verification” settings, you can
specify a behavior for unverified senders.
You can enable host DNS verification in the sender group settings for any sender
group; however, keep in mind that adding host DNS verification settings to a
sender group means including unverified senders in that group. That means that
spam and other unwanted mail will be included. Therefore, you should only
enable these settings on sender groups that are used to reject or throttle senders.
Enabling host DNS verification on the WHITELIST sender group, for example,
would mean that mail from unverified senders would receive the same treatment
as mail from your trusted senders in your WHITELIST (including bypassing
anti-spam/anti-virus checking, rate limiting, etc., depending on how the mail flow
policy is configured).
Sender Verification: Envelope Sender
With envelope sender verification, the domain portion of the envelope sender is
DNS verified. (Does the envelope sender domain resolve? Is there an A or MX
record in DNS for the envelope sender domain?) A domain does not resolve if an
attempt to look it up in the DNS encounters a temporary error condition such as a
timeout or DNS server failure. On the other hand, a domain does not exist if an
attempt to look it up returns a definitive “domain does not exist” status. This
verification takes place during the SMTP conversation whereas host DNS
verification occurs before the conversation begins — it applies to the IP address
of the connecting SMTP server.
In more detail: AsyncOS performs an MX record query for the domain of the
sender address. AsyncOS then performs an A record lookup based on the result of
the MX record lookup. If the DNS server returns “NXDOMAIN” (there is no
record for this domain), AsyncOS treats that domain as non-existent. This falls
into the category of “Envelope Senders whose domain does not exist.”
NXDOMAIN is a definitive answer; it typically means that the parent zone
delegates no authoritative name servers for this domain (for example, the domain
is unregistered or has lapsed).
However, if the DNS server returns “SERVFAIL,” it is categorized as “Envelope
Senders whose domain does not resolve.” Note that SERVFAIL does not prove the
domain exists: it only means that the resolver could not complete the lookup,
typically because of a transient problem such as a timeout, an unreachable or
failing authoritative server, or a broken delegation. A lookup that times out
with no answer at all is treated the same way, as “does not resolve.”
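The following is an added example, not code from the AsyncOS guide or from Cisco. It models the envelope sender check described in this section: take the domain part of the MAIL FROM address, query MX, then query A for the MX targets (or for the domain itself when it has no MX), and map the DNS outcome to the two categories above. The resolver and zone data are constructed in memory so the example runs offline; `lookup`, `ZONE`, the `TIMEOUT` pseudo-rcode, and the two extra verdicts for a null reverse-path and for a name that exists with neither MX nor A (NODATA) are assumptions of this example, not categories the guide defines.

```python
from enum import Enum


class Rcode(Enum):
    NOERROR = "NOERROR"
    NXDOMAIN = "NXDOMAIN"
    SERVFAIL = "SERVFAIL"
    TIMEOUT = "TIMEOUT"  # not a real DNS rcode; models "no answer before the deadline"


class Verdict(Enum):
    VERIFIED = "envelope sender domain verified"
    DOES_NOT_EXIST = "Envelope Senders whose domain does not exist"
    DOES_NOT_RESOLVE = "Envelope Senders whose domain does not resolve"
    NO_MX_OR_A = "name exists but has neither MX nor A"      # assumed bucket (NODATA)
    NULL_SENDER = "null reverse-path, nothing to verify"     # assumed bucket (MAIL FROM:<>)


# Constructed zone data standing in for real DNS: (name, rtype) -> (rcode, rdata list).
ZONE = {
    ("example.com", "MX"): (Rcode.NOERROR, ["mail.example.com"]),
    ("mail.example.com", "A"): (Rcode.NOERROR, ["192.0.2.25"]),
    ("nomx.example", "MX"): (Rcode.NOERROR, []),        # name exists, no MX: fall back to A
    ("nomx.example", "A"): (Rcode.NOERROR, ["192.0.2.10"]),
    ("nodata.example", "MX"): (Rcode.NOERROR, []),      # name exists, neither MX nor A
    ("nodata.example", "A"): (Rcode.NOERROR, []),
    ("ghost.invalid", "MX"): (Rcode.NXDOMAIN, []),      # definitive "no such domain"
    ("flaky.example", "MX"): (Rcode.SERVFAIL, []),      # resolver could not complete lookup
    ("slow.example", "MX"): (Rcode.TIMEOUT, []),        # no answer at all
    ("danglingmx.example", "MX"): (Rcode.NOERROR, ["mx.ghost.invalid"]),
    ("mx.ghost.invalid", "A"): (Rcode.NXDOMAIN, []),    # MX points at a non-existent host
    ("halfdown.example", "MX"): (Rcode.NOERROR, ["mx1.halfdown.example", "mx2.halfdown.example"]),
    ("mx1.halfdown.example", "A"): (Rcode.SERVFAIL, []),
    ("mx2.halfdown.example", "A"): (Rcode.NOERROR, ["192.0.2.40"]),
}


def lookup(name, rtype):
    """Hypothetical resolver over ZONE; any name not in the table answers NXDOMAIN."""
    return ZONE.get((name.lower().rstrip("."), rtype), (Rcode.NXDOMAIN, []))


def classify_envelope_sender(reverse_path):
    """Apply the MX-then-A check to the domain part of a MAIL FROM reverse-path."""
    addr = reverse_path.strip().strip("<>")
    if "@" not in addr:
        return Verdict.NULL_SENDER          # bounces use MAIL FROM:<>; there is no domain to check
    domain = addr.rsplit("@", 1)[1]

    rcode, mx_hosts = lookup(domain, "MX")
    if rcode is Rcode.NXDOMAIN:
        return Verdict.DOES_NOT_EXIST       # definitive: the domain is not in DNS
    if rcode in (Rcode.SERVFAIL, Rcode.TIMEOUT):
        return Verdict.DOES_NOT_RESOLVE     # lookup failed; existence is unknown, not disproved

    # NOERROR: resolve each MX target; with no MX records, check the domain's own A record.
    targets = mx_hosts or [domain]
    transient = False
    vanished = False
    for host in targets:
        a_rcode, addrs = lookup(host, "A")
        if a_rcode is Rcode.NOERROR and addrs:
            return Verdict.VERIFIED         # one usable A record is enough
        if a_rcode in (Rcode.SERVFAIL, Rcode.TIMEOUT):
            transient = True
        elif a_rcode is Rcode.NXDOMAIN:
            vanished = True
    if transient:
        return Verdict.DOES_NOT_RESOLVE     # a target might exist; the resolver just could not say
    if vanished:
        return Verdict.DOES_NOT_EXIST       # assumption: every MX target is NXDOMAIN
    return Verdict.NO_MX_OR_A               # NOERROR everywhere but no address to deliver to


if __name__ == "__main__":
    for sender in ("<alice@example.com>", "<bob@ghost.invalid>", "<carol@flaky.example>",
                   "<dave@slow.example>", "<erin@nomx.example>", "<frank@nodata.example>",
                   "<grace@danglingmx.example>", "<heidi@halfdown.example>", "<>"):
        print(f"{sender:30} -> {classify_envelope_sender(sender).value}")
```

The distinction that matters operationally is the one the guide draws: NXDOMAIN is a firm answer and is safe to reject on, whereas SERVFAIL or a timeout says nothing about the sender and is better matched to a throttling policy, since a resolver outage would otherwise turn into a self-inflicted mail outage.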