Cisco Cisco Email Security Appliance C160 Mode D'Emploi
7-30
Cisco AsyncOS 9.0 for Email User Guide
Chapter 7 Defining Which Hosts Are Allowed to Connect Using the Host Access Table (HAT)
Verifying Senders
Though most spam is from unverifiable senders, there are reasons why you might want to accept mail
from an unverified sender. For example, not all legitimate email can be verified through DNS lookups
— a temporary DNS server problem can stop a sender from being verified.
from an unverified sender. For example, not all legitimate email can be verified through DNS lookups
— a temporary DNS server problem can stop a sender from being verified.
When mail from unverified senders is attempted, the sender verification exception table and mail flow
policy envelope sender DNS verification settings are used to classify envelope senders during the SMTP
conversation. For example, you may accept and throttle mail from sending domains that are not verified
because they do not exist in DNS. Once that mail is accepted, messages with malformed MAIL FROMs
are rejected with a customizable SMTP code and response. This occurs during the SMTP conversation.
policy envelope sender DNS verification settings are used to classify envelope senders during the SMTP
conversation. For example, you may accept and throttle mail from sending domains that are not verified
because they do not exist in DNS. Once that mail is accepted, messages with malformed MAIL FROMs
are rejected with a customizable SMTP code and response. This occurs during the SMTP conversation.
You can enable envelope sender DNS verification (including the domain exception table) in the mail flow
policy settings for any mail flow policy via the GUI or the CLI (
policy settings for any mail flow policy via the GUI or the CLI (
listenerconfig -> edit ->
hostaccess -> <
policy
>
).
Related Topics
•
•
•
Partial Domains, Default Domains, and Malformed MAIL FROMs
If you enable envelope sender verification or disable allowing partial domains in SMTP Address Parsing
options for a listener (see the SMTP Address Parsing Options section in the “Configuring the Gateway
to Receive Email” chapter), the default domain settings for that listener will no longer be used.
options for a listener (see the SMTP Address Parsing Options section in the “Configuring the Gateway
to Receive Email” chapter), the default domain settings for that listener will no longer be used.
These features are mutually exclusive.
Custom SMTP Code and Response
You can specify the SMTP code and response message for messages with malformed envelope senders,
for envelope senders which do not exist in DNS, and for envelope senders which do not resolve via DNS
queries (DNS server might be down, etc.).
for envelope senders which do not exist in DNS, and for envelope senders which do not resolve via DNS
queries (DNS server might be down, etc.).
In the SMTP response, you can include a variable,
$EnvelopeSender
, which is expanded to the value of
the envelope sender when the custom response is sent.
While typically a “Domain does not exist” result is permanent, it is possible for this to be a transient
condition. To handle such cases, “conservative” users may wish to change the error code from the default
5XX to a 4XX code.
condition. To handle such cases, “conservative” users may wish to change the error code from the default
5XX to a 4XX code.
Sender Verification Exception Table
The sender verification exception table is a list of domains or email addresses that will either be
automatically allowed or rejected during the SMTP conversation. You can also specify an optional
SMTP code and reject response for rejected domains. There is only one sender verification exception
table per appliance and it is enabled per mail flow policy.
automatically allowed or rejected during the SMTP conversation. You can also specify an optional
SMTP code and reject response for rejected domains. There is only one sender verification exception
table per appliance and it is enabled per mail flow policy.
The sender verification exception table can be used to list obviously fake but correctly formatted
domains or email addresses from which you want to reject mail. For example, the correctly formatted
MAIL FROM:
domains or email addresses from which you want to reject mail. For example, the correctly formatted
MAIL FROM:
pres@whitehouse.gov
could be listed in the sender verification exception table and set
to be automatically rejected. You can also list domains that you want to automatically allow, such as
internal or test domains. This is similar to envelope recipient (SMTP RCPT TO command) processing
which occurs in the Recipient Access Table (RAT).
internal or test domains. This is similar to envelope recipient (SMTP RCPT TO command) processing
which occurs in the Recipient Access Table (RAT).