Cisco Cisco Email Security Appliance C160 Mode D'Emploi
7-28
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 7 Defining Which Hosts Are Allowed to Connect Using the Host Access Table (HAT)
Verifying Senders
A common technique for spammers or other illegitimate senders of mail is to forge the MAIL FROM
information (in the envelope sender) so that mail from unverified senders that is accepted will be
processed. This can lead to problems as bounce messages sent to the MAIL FROM address are
undeliverable. Using envelope sender verification, you can configure your Cisco appliance to reject mail
with malformed (but not blank) MAIL FROMs.
information (in the envelope sender) so that mail from unverified senders that is accepted will be
processed. This can lead to problems as bounce messages sent to the MAIL FROM address are
undeliverable. Using envelope sender verification, you can configure your Cisco appliance to reject mail
with malformed (but not blank) MAIL FROMs.
For each mail flow policy, you can:
•
Enable envelope sender DNS verification.
•
Offer custom SMTP code and response for malformed envelope sender. Malformed envelope
senders are blocked if you have enabled envelope sender DNS verification.
senders are blocked if you have enabled envelope sender DNS verification.
•
Offer custom response for envelope sender domains which do not resolve.
•
Offer custom response for envelope sender domains which do not exist in DNS.
You can use the sender verification exception table to store a list of domains or addresses from which
mail will be automatically allowed or rejected (see
mail will be automatically allowed or rejected (see
). The
sender verification exception table can be enabled independently of Envelope Sender verification. So,
for example, you can still reject special addresses or domains specified in the exception table without
enabling envelope sender verification. You can also always allow mail from internal or test domains,
even if they would not otherwise be verified.
for example, you can still reject special addresses or domains specified in the exception table without
enabling envelope sender verification. You can also always allow mail from internal or test domains,
even if they would not otherwise be verified.
Though most spam is from unverifiable senders, there are reasons why you might want to accept mail
from an unverified sender. For example, not all legitimate email can be verified through DNS lookups
— a temporary DNS server problem can stop a sender from being verified.
from an unverified sender. For example, not all legitimate email can be verified through DNS lookups
— a temporary DNS server problem can stop a sender from being verified.
When mail from unverified senders is attempted, the sender verification exception table and mail flow
policy envelope sender DNS verification settings are used to classify envelope senders during the SMTP
conversation. For example, you may accept and throttle mail from sending domains that are not verified
because they do not exist in DNS. Once that mail is accepted, messages with malformed MAIL FROMs
are rejected with a customizable SMTP code and response. This occurs during the SMTP conversation.
policy envelope sender DNS verification settings are used to classify envelope senders during the SMTP
conversation. For example, you may accept and throttle mail from sending domains that are not verified
because they do not exist in DNS. Once that mail is accepted, messages with malformed MAIL FROMs
are rejected with a customizable SMTP code and response. This occurs during the SMTP conversation.
You can enable envelope sender DNS verification (including the domain exception table) in the mail flow
policy settings for any mail flow policy via the GUI or the CLI (
policy settings for any mail flow policy via the GUI or the CLI (
listenerconfig -> edit ->
hostaccess -> <
policy
>
).
Partial Domains, Default Domains, and Malformed MAIL FROMs
If you enable envelope sender verification or disable allowing partial domains in SMTP Address Parsing
options for a listener (see the SMTP Address Parsing Options section in “Customizing Listeners” in the
Cisco IronPort AsyncOS for Email Advanced Configuration Guide), the default domain settings for that
listener will no longer be used.
options for a listener (see the SMTP Address Parsing Options section in “Customizing Listeners” in the
Cisco IronPort AsyncOS for Email Advanced Configuration Guide), the default domain settings for that
listener will no longer be used.
These features are mutually exclusive.
Custom SMTP Code and Response
You can specify the SMTP code and response message for messages with malformed envelope senders,
for envelope senders which do not exist in DNS, and for envelope senders which do not resolve via DNS
queries (DNS server might be down, etc.).
for envelope senders which do not exist in DNS, and for envelope senders which do not resolve via DNS
queries (DNS server might be down, etc.).
In the SMTP response, you can include a variable,
$EnvelopeSender
, which is expanded to the value of
the envelope sender when the custom response is sent.
While typically a “Domain does not exist” result is permanent, it is possible for this to be a transient
condition. To handle such cases, “conservative” users may wish to change the error code from the default
5XX to a 4XX code.
condition. To handle such cases, “conservative” users may wish to change the error code from the default
5XX to a 4XX code.