Cisco Email Security Appliance C160 User Guide

Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 3      Setup and Installation
You need to ensure that the Cisco IronPort appliance is both accessible via the public Internet and is the 
“first hop” in your email infrastructure. If you allow another MTA to sit at your network’s perimeter and 
handle all external connections, then the Cisco IronPort appliance will not be able to determine the 
sender’s IP address. The sender’s IP address is needed to identify and distinguish senders in the Mail 
Flow Monitor, to query the SenderBase Reputation Service for the sender’s SenderBase Reputation 
Score (SBRS), and to improve the efficacy of the Cisco IronPort Anti-Spam and Outbreak Filters 
features. 
Note
If you cannot configure the appliance as the first machine receiving email from the Internet, you can still 
exercise some of the security services available on the appliance. Refer to 
for more information. 
When you use the Cisco IronPort appliance as your SMTP gateway: 
  • The Mail Flow Monitor feature (see “Using Email Security Monitor” in the Cisco IronPort AsyncOS for Email Daily Management Guide) offers complete visibility into all email traffic for your enterprise from both internal and external senders. 
  • LDAP queries (“LDAP Queries” in the Cisco IronPort AsyncOS for Email Advanced Configuration Guide) for routing, aliasing, and masquerading can consolidate your directory infrastructure and provide for simpler updates. 
  • Familiar tools like alias tables (“Creating Alias Tables” in the Cisco IronPort AsyncOS for Email Advanced Configuration Guide), domain-based routing (“The Domain Map Feature” in the Cisco IronPort AsyncOS for Email Advanced Configuration Guide), and masquerading (“Configuring Masquerading” in the Cisco IronPort AsyncOS for Email Advanced Configuration Guide) make the transition from Open-Source MTAs easier. 
Register the Cisco IronPort Appliance in DNS
Malicious email senders actively search public DNS records to hunt for new victims. You need to ensure 
that the Cisco IronPort appliance is registered in DNS, if you want to utilize the full capabilities of Cisco 
IronPort Anti-Spam, Outbreak Filters, McAfee Antivirus and Sophos Anti-Virus. To register the Cisco 
IronPort appliance in DNS, create an A record that maps the appliance’s hostname to its IP address, and 
an MX record that maps your public domain to the appliance’s hostname. You must specify a priority 
for the MX record to advertise the Cisco IronPort appliance as either a primary or backup MTA for your 
domain. 
In the following example, the Cisco IronPort appliance (ironport.example.com) is a backup MTA for the 
domain example.com, since its MX record has a higher priority value (20). In other words, the higher 
the numeric value, the lower the priority of the MTA.
$ host -t mx example.com
example.com mail is handled (pri=10) by mail.example.com
example.com mail is handled (pri=20) by ironport.example.com
By registering the Cisco IronPort appliance in DNS, you will attract spam attacks regardless of how you 
set the MX record priority. However, virus attacks rarely target backup MTAs. Given this, if you want 
to evaluate an anti-virus engine to its fullest potential, configure the Cisco IronPort appliance to have an 
MX record priority of equal or higher value than the rest of your MTAs.
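One way to check the MX ordering described above, as an added example that is not part of the Cisco guide: this Python code parses `host -t mx` output and reports whether the appliance is the primary MTA, a backup MTA, or missing from the domain's MX set. The function names and the equal-priority sample are assumptions constructed for illustration, and the parser also accepts the newer `host` output format, which goes beyond the format shown on this page.

```python
import re

# Old-style `host` output, as printed on this page: "... (pri=10) by mail.example.com"
OLD_FMT = re.compile(r"^(\S+) mail is handled \(pri=(\d+)\) by (\S+)$")
# Newer BIND `host` output: "... mail is handled by 10 mail.example.com."
NEW_FMT = re.compile(r"^(\S+) mail is handled by (\d+) (\S+)$")


def parse_mx(output):
    """Return [(preference, exchanger)] sorted by preference, lowest value first."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        m = OLD_FMT.match(line) or NEW_FMT.match(line)
        if not m:
            continue  # skip blank lines, the "$ host ..." prompt, and error text
        records.append((int(m.group(2)), m.group(3).rstrip(".").lower()))
    return sorted(records)


def mx_role(output, appliance):
    """Classify the appliance as 'primary', 'backup' or 'absent' for the domain."""
    records = parse_mx(output)
    appliance = appliance.rstrip(".").lower()
    mine = [pref for pref, host in records if host == appliance]
    if not mine:
        return "absent"  # no MX record points at the appliance
    best = records[0][0]  # lowest numeric value = highest priority
    return "primary" if min(mine) == best else "backup"


# The sample output shown on this page.
SAMPLE = """\
$ host -t mx example.com
example.com mail is handled (pri=10) by mail.example.com
example.com mail is handled (pri=20) by ironport.example.com
"""

# Constructed sample: both MTAs share the same priority value.
CONSTRUCTED_EQUAL = """\
example.com mail is handled by 10 mail.example.com.
example.com mail is handled by 10 ironport.example.com.
"""

if __name__ == "__main__":
    for label, text in (("page sample", SAMPLE), ("equal priority", CONSTRUCTED_EQUAL)):
        print(label, parse_mx(text), mx_role(text, "ironport.example.com"))
```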