Cisco Email Security Appliance C160 User Guide
Chapter 5 Configuring the Gateway to Receive Email
Cisco IronPort AsyncOS 7.1 for Email Configuration Guide
OL-22158-02
A common technique for spammers or other illegitimate senders of mail is to
forge the MAIL FROM information (in the envelope sender) so that mail from
unverified senders that is accepted will be processed. This can lead to problems
as bounce messages sent to the MAIL FROM address are undeliverable. Using
envelope sender verification, you can configure your IronPort appliance to reject
mail with malformed (but not blank) MAIL FROMs.
For each mail flow policy, you can:
• Enable envelope sender DNS verification.
• Offer custom SMTP code and response for malformed envelope sender.
  Malformed envelope senders are blocked if you have enabled envelope sender
  DNS verification.
• Offer custom response for envelope sender domains which do not resolve.
• Offer custom response for envelope sender domains which do not exist in
  DNS.
You can use the sender verification exception table to store a list of domains or
addresses from which mail will be automatically allowed or rejected (see
). The sender verification exception
table can be enabled independently of Envelope Sender verification. So, for
example, you can still reject special addresses or domains specified in the
exception table without enabling envelope sender verification. You can also
always allow mail from internal or test domains, even if they would not otherwise
be verified.
Though most spam is from unverifiable senders, there are reasons why you might
want to accept mail from an unverified sender. For example, not all legitimate
email can be verified through DNS lookups — a temporary DNS server problem
can stop a sender from being verified.
When mail from unverified senders is attempted, the sender verification exception
table and mail flow policy envelope sender DNS verification settings are used to
classify envelope senders during the SMTP conversation. For example, you may
accept and throttle mail from sending domains that are not verified because they
do not exist in DNS. Once that mail is accepted, messages with malformed MAIL
FROMs are rejected with a customizable SMTP code and response. This occurs
during the SMTP conversation.
You can enable envelope sender DNS verification (including the domain
exception table) in the mail flow policy settings for any mail flow policy via the
GUI or the CLI (listenerconfig -> edit -> hostaccess -> <policy>).
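The envelope sender classification described above, as an added example that is not Cisco's code and does not reproduce AsyncOS internals: a simplified Python model of the exception table plus the malformed, does-not-resolve and does-not-exist cases. The function names, the SMTP codes and texts, the stub DNS data, the order of checks, and the mapping of a temporary DNS failure to "does not resolve" are all assumptions made for illustration.

```python
import re
from enum import Enum

class Verdict(Enum):
    # Values are constructed SMTP replies, not appliance defaults.
    ACCEPT = "250 OK"
    EXCEPTION_REJECT = "553 Envelope sender rejected by exception table"
    MALFORMED = "553 Envelope sender is malformed"
    NO_RESOLVE = "451 Envelope sender domain could not be resolved"
    NO_EXIST = "553 Envelope sender domain does not exist"

# Constructed DNS data standing in for a real resolver, so the example runs offline.
SAMPLE_DNS = {"example.com": "ok", "slow.example": "servfail"}

def sample_lookup(domain):
    """Return 'ok', 'servfail' (temporary failure) or 'nxdomain' for a domain."""
    return SAMPLE_DNS.get(domain, "nxdomain")

# local-part@domain with at least one dot in the domain; deliberately strict.
ADDR = re.compile(r"^[^@\s<>]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$")

def classify(mail_from, lookup=sample_lookup, exceptions=None, dns_verify=True):
    """Classify one MAIL FROM value the way the text describes (simplified)."""
    sender = mail_from.strip().strip("<>").lower()
    if sender == "":
        return Verdict.ACCEPT  # blank MAIL FROM (<>) is not treated as malformed
    domain = sender.rpartition("@")[2]
    # The exception table works even when DNS verification is off (assumed: checked first).
    for key in (sender, domain):
        action = (exceptions or {}).get(key)
        if action:
            return Verdict.ACCEPT if action == "allow" else Verdict.EXCEPTION_REJECT
    if not dns_verify:
        return Verdict.ACCEPT  # malformed senders are only blocked with DNS verification on
    match = ADDR.match(sender)
    if not match:
        return Verdict.MALFORMED
    status = lookup(match.group(1))
    if status == "servfail":
        return Verdict.NO_RESOLVE  # temporary DNS problem, so a 4xx lets the sender retry
    if status == "nxdomain":
        return Verdict.NO_EXIST
    return Verdict.ACCEPT

def smtp_reply(mail_from, **kwargs):
    """SMTP reply line for a MAIL FROM value; codes and text are constructed."""
    return classify(mail_from, **kwargs).value
```

A policy that accepts and throttles unverified senders, as the text mentions, would map NO_RESOLVE or NO_EXIST to an accept-with-rate-limit action instead of a rejection.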