Cisco Email Security Appliance C170 User Manual
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 9 Anti-Spam
Incoming Relays and Directory Harvest Attack Prevention
If a remote host attempts a directory harvest attack by sending messages to the MX or MTA serving as
an incoming relay on your network, the appliance drops the connection from the incoming relay if the
relay is assigned to a sender group with a mail flow policy with Directory Harvest Attack Prevention
(DHAP) enabled. This prevents all messages from the relay, including legitimate messages, from
reaching the Email Security appliance. The appliance does not have the opportunity to recognize the
remote host as the attacker, and the MX or MTA that’s acting as the incoming relay continues to receive
mail from the attacking host. To work around this issue and continue receiving messages from the
incoming relay, add the relay to a sender group with a mail flow policy that has unlimited messages for
DHAP.
IP Addresses
As a general rule, when specifying an IP address (of the machine connecting to the Cisco IronPort
appliance — the incoming relay), be as specific as possible. That said, IP addresses can also be entered
using standard CIDR format or an IP address range. For example, if you have several MTAs at the edge
of your network receiving email, you might want to enter a range of IP addresses to include all of your
MTAs, such as 10.2.3.1/8 or 10.2.3.1-10. You can use IPv4 or IPv6 addresses for the MTAs.
For IPv6 addresses, AsyncOS supports the following formats:
• 2620:101:2004:4202::0-2620:101:2004:4202::ff
• 2620:101:2004:4202::
• 2620:101:2004:4202::23
• 2620:101:2004:4202::/64
Message Headers and Incoming Relays
Custom Header
Use this method to specify a custom header. This is the recommended method. The machine connecting
to the original sender needs to add this custom header. The value of the header is expected to be the IP
address of the external sending machine. For example:
SenderIP: 7.8.9.1
X-CustomHeader: 7.8.9.1
When entering a header, you do not need to enter the trailing colon.
If your local MX/MTA can receive mail from a variable number of hops, inserting a custom header is
the only way to enable the Incoming Relays feature. For example, in
to IP address 10.2.3.5; however, path C has two hops and path D has one. Because the number of hops
can vary in this situation, you must use a custom header in order to have Incoming Relays configured
correctly.
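The relay address formats and the custom header method described above, as an added Python example (not AsyncOS code or part of the Cisco guide). The function names, the sample message and the reading of each address format as ordinary IP notation are assumptions; the header is honoured only when the connecting IP matches a configured relay, which is why a narrow relay specification matters.

```python
import ipaddress
from email import message_from_string

def relay_matches(spec, addr):
    """True if addr falls inside one relay spec: single address, CIDR, or range."""
    ip = ipaddress.ip_address(addr)
    if "/" in spec:
        # strict=False because the guide's example 10.2.3.1/8 has host bits set
        net = ipaddress.ip_network(spec, strict=False)
        return ip.version == net.version and ip in net
    if "-" in spec:
        lo_text, hi_text = spec.split("-", 1)
        lo = ipaddress.ip_address(lo_text)
        if hi_text.isdigit() and lo.version == 4:
            # Short form 10.2.3.1-10: the upper bound replaces the last octet only
            hi = ipaddress.ip_address(lo_text.rsplit(".", 1)[0] + "." + hi_text)
        else:
            hi = ipaddress.ip_address(hi_text)  # full address on both sides
        return ip.version == lo.version and lo <= ip <= hi
    # Assumption: a bare address is treated as an exact match
    return ip == ipaddress.ip_address(spec)

def original_sender_ip(raw_message, connecting_ip, relays, header="X-CustomHeader"):
    """Return the IP to evaluate for the message, or None if a relay sent no usable header."""
    if not any(relay_matches(spec, connecting_ip) for spec in relays):
        # Not a configured relay: the connecting IP is the sender, and any
        # copy of the header in the message is ignored because anyone can set it.
        return connecting_ip
    value = message_from_string(raw_message).get(header)
    try:
        return str(ipaddress.ip_address(value.strip()))
    except (AttributeError, ValueError):
        return None  # header missing or not an IP address

# Constructed sample input: a message as delivered by the relay at 10.2.3.5
RELAYS = ["10.2.3.1-10", "2620:101:2004:4202::/64"]
SAMPLE = "X-CustomHeader: 7.8.9.1\nFrom: a@example.com\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    print(original_sender_ip(SAMPLE, "10.2.3.5", RELAYS))     # came through a relay
    print(original_sender_ip(SAMPLE, "203.0.113.9", RELAYS))  # direct connection
```

A specification as wide as 10.2.3.1/8 makes every host in 10.0.0.0/8 count as a relay in this model, so any of them could supply the header value.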