Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 5      Configuring the Gateway to Receive Email
Sender Verification: Host
Senders can be unverified for different reasons. For example, the DNS server could be “down” or not 
responding, or the domain may not exist. Host DNS verification settings for sender groups allow you to 
classify unverified senders prior to the SMTP conversation and include different types of unverified 
senders in your various sender groups.
The Cisco IronPort appliance attempts to verify the sending domain of the connecting host via DNS for 
incoming mail. This verification is performed prior to the SMTP conversation. The system acquires and 
verifies the validity of the remote host’s IP address (that is, the domain) by performing a double DNS 
lookup. A double DNS lookup is defined as a reverse DNS (PTR) lookup on the IP address of the 
connecting host, followed by a forward DNS (A) lookup on the results of the PTR lookup. The appliance 
then checks that the results of the A lookup match the results of the PTR lookup. If the PTR or A lookups 
fail, or the results do not match, the system uses only the IP address to match entries in the HAT and the 
sender is considered as not verified.
Unverified senders are classified into three categories:
  • Connecting host PTR record does not exist in the DNS.
  • Connecting host PTR record lookup fails due to temporary DNS failure.
  • Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A).
Using the sender group “Connecting Host DNS Verification” settings, you can specify a behavior for 
unverified senders (see ).
You can enable host DNS verification in the sender group settings for any sender group; however, keep 
in mind that adding host DNS verification settings to a sender group means including unverified senders 
in that group. That means that spam and other unwanted mail will be included. Therefore, you should 
only enable these settings on sender groups that are used to reject or throttle senders. Enabling host DNS 
verification on the WHITELIST sender group, for example, would mean that mail from unverified 
senders would receive the same treatment as mail from your trusted senders in your WHITELIST 
(including bypassing anti-spam/anti-virus checking, rate limiting, etc., depending on how the mail flow 
policy is configured).
Sender Verification: Envelope Sender
With envelope sender verification, the domain portion of the envelope sender is DNS verified. (Does the 
envelope sender domain resolve? Is there an A or MX record in DNS for the envelope sender domain?) 
A domain does not resolve if an attempt to look it up in the DNS encounters a temporary error condition 
such as a timeout or DNS server failure. On the other hand, a domain does not exist if an attempt to look 
it up returns a definitive “domain does not exist” status. This verification takes place during the SMTP 
conversation, whereas host DNS verification occurs before the conversation begins — it applies to the IP 
address of the connecting SMTP server.
In more detail: AsyncOS performs an MX record query for the domain of the sender address. AsyncOS 
then performs an A record lookup based on the result of the MX record lookup. If the DNS server returns 
“NXDOMAIN” (there is no record for this domain), AsyncOS treats that domain as non-existent. This 
falls into the category of “Envelope Senders whose domain does not exist.” NXDOMAIN can mean that 
the root name servers are not providing any authoritative name servers for this domain.
However, if the DNS server returns “SERVFAIL,” it is categorized as “Envelope Senders whose domain 
does not resolve.” SERVFAIL means that the domain does exist but DNS is having transient problems 
looking up the record.
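The two checks described above (the double DNS lookup for the connecting host, and the MX-then-A lookup with NXDOMAIN/SERVFAIL handling for the envelope sender domain) are worked through below as an added example; it is not AsyncOS code. The resolver is a constructed in-memory stub so it runs offline, and the handling of an MX target with no A record is an assumption the guide does not spell out.

```python
from typing import Dict, List, Tuple

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"

# Constructed zone data for the stub resolver: (name, type) -> (status, records).
# SERVFAIL stands in for any temporary failure, including a timeout.
FAKE_DNS: Dict[Tuple[str, str], Tuple[str, List[str]]] = {
    ("4.3.2.1.in-addr.arpa", "PTR"): (NOERROR, ["mail.example.net"]),
    ("mail.example.net", "A"): (NOERROR, ["1.2.3.4"]),
    ("5.3.2.1.in-addr.arpa", "PTR"): (NXDOMAIN, []),
    ("6.3.2.1.in-addr.arpa", "PTR"): (SERVFAIL, []),
    ("7.3.2.1.in-addr.arpa", "PTR"): (NOERROR, ["spoof.example.org"]),
    ("spoof.example.org", "A"): (NOERROR, ["9.9.9.9"]),
    ("example.net", "MX"): (NOERROR, ["mail.example.net"]),
    ("nonexistent.test", "MX"): (NXDOMAIN, []),
    ("flaky.test", "MX"): (SERVFAIL, []),
}

def lookup(qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Stub resolver; names missing from the table answer NXDOMAIN."""
    return FAKE_DNS.get((qname.lower(), qtype), (NXDOMAIN, []))

def reverse_name(ip: str) -> str:
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa (IPv4 only in this example)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def classify_host(ip: str) -> str:
    """Double DNS lookup: PTR on the IP, A on the PTR result, then compare."""
    status, ptrs = lookup(reverse_name(ip), "PTR")
    if status == SERVFAIL:
        return "unverified: PTR lookup failed (temporary DNS failure)"
    if not ptrs:
        return "unverified: PTR record does not exist"
    for host in ptrs:
        a_status, addrs = lookup(host, "A")
        if a_status == NOERROR and ip in addrs:
            return "verified: " + host
    return "unverified: PTR does not match forward (A) lookup"

def classify_envelope_sender(address: str) -> str:
    """MX query on the sender domain, then A on each MX target."""
    domain = address.rsplit("@", 1)[-1]
    status, targets = lookup(domain, "MX")
    if status == NXDOMAIN:
        return "domain does not exist"
    if status == SERVFAIL:
        return "domain does not resolve"
    if any(lookup(t, "A")[0] == NOERROR for t in targets):
        return "verified: " + domain
    return "domain does not resolve"  # assumption: MX target with no A record
```

The three `classify_host` outcomes correspond one-to-one to the three unverified-sender categories listed under Sender Verification: Host.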