User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
 
Chapter 7: Defining Which Hosts Are Allowed to Connect Using the Host Access Table (HAT)
SenderBase Settings and Mail Flow Policies
HAT Significant Bits Feature
Beginning with the 3.8.3 release of AsyncOS, you can track and rate limit incoming mail on a per-IP 
address basis while managing sender group entries in a listener’s Host Access Table (HAT) in large 
CIDR blocks. For example, if an incoming connection matched against the host “10.1.1.0/24,” a counter 
could still be generated for each individual address within that range, rather than aggregating all traffic 
into one large counter.
Note
In order for the significant bits HAT policy option to take effect, you must not enable "Use SenderBase" 
in the Flow Control options for the HAT (or, for the CLI, answer "no" to the question for enabling the 
SenderBase Information Service in the listenerconfig -> setup command: "Would you like to enable 
SenderBase Reputation Filters and IP Profiling support?"). That is, the HAT Significant Bits feature and 
enabling SenderBase IP Profiling support are mutually exclusive. 
In most cases, you can use this feature to define sender groups broadly — that is, large groups of IP 
addresses such as “10.1.1.0/24” or “10.1.0.0/16” — while applying mail flow rate limiting narrowly to 
smaller groups of IP addresses. 
The HAT Significant Bits feature corresponds to these components of the system:
HAT Configuration 
There are two parts of HAT configuration: sender groups and mail flow policies. Sender group 
configuration defines how a sender's IP address is "classified" (put in a sender group). Mail flow policy 
configuration defines how the SMTP session from that IP address is controlled. When using this feature, 
an IP address may be "classified in a CIDR block" (e.g. 10.1.1.0/24) sender group while being controlled 
as an individual host (/32). This is done via the "significant_bits" policy configuration setting. 
Significant Bits HAT Policy Option 
The HAT syntax allows for the significant_bits configuration option. This feature appears in the GUI in 
the Mail Policies > Mail Flow Policies page. 
When the option to use SenderBase for flow control is set to "OFF" or Directory Harvest Attack 
Prevention is enabled, the "significant bits" value is applied to the connecting sender's IP address, and 
the resulting CIDR notation is used as the token for matching defined sender groups within the HAT. 
Any rightmost bits beyond the significant-bits prefix (the host bits of the resulting CIDR block) are 
"zeroed out" when constructing the string. Thus, if a connection from the IP address 1.2.3.4 is made and 
matches on a policy with the significant_bits option set to 24, the resultant CIDR block would be 
1.2.3.0/24. So by using this feature, the HAT sender group entry (for example, 10.1.1.0/24) can have a 
different number of network significant bits (24) from the significant bits entry in the policy assigned 
to that group (32, in the example). 
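The following added example (not part of the original guide, and not AsyncOS code) models the two-step behaviour described above: a connecting address is classified by the broad sender-group CIDR, but the rate-limit counter key is built by zeroing out the host bits beyond the policy's significant_bits value. The sender group name, the sample connections and the policy values are constructed for illustration.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple


def significant_bits_token(ip: str, significant_bits: int) -> str:
    """Build the CIDR token the guide describes: keep the leftmost
    `significant_bits` bits of the address and zero out the rest."""
    if not 0 <= significant_bits <= 32:
        raise ValueError("significant_bits must be between 0 and 32")
    # strict=False lets ipaddress clear the host bits for us.
    net = ipaddress.ip_network(f"{ip}/{significant_bits}", strict=False)
    return str(net)  # 1.2.3.4 with 24 -> "1.2.3.0/24"


def sender_group_for(ip: str, sender_groups: Dict[str, List[str]]) -> Optional[str]:
    """Classify an address into the first sender group whose CIDR entry contains it."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in sender_groups.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs):
            return name
    return None


def count_connections(connections: Iterable[str],
                      sender_groups: Dict[str, List[str]],
                      policy_bits: Dict[str, int]) -> Counter:
    """Tally connections per (sender group, rate-limit token).

    Classification uses the sender group's broad CIDR entry; the counter
    key uses the significant_bits value of the policy assigned to that group,
    so a /24 group with significant_bits=32 gets one counter per host."""
    counters: Counter = Counter()
    for ip in connections:
        group = sender_group_for(ip, sender_groups)
        if group is None:
            continue  # not matched by any sender group in this HAT
        token = significant_bits_token(ip, policy_bits[group])
        counters[(group, token)] += 1
    return counters


if __name__ == "__main__":
    # Constructed sample HAT: one sender group covering 10.1.1.0/24.
    groups = {"TRUSTED_NET": ["10.1.1.0/24"]}
    conns = ["10.1.1.5", "10.1.1.5", "10.1.1.7", "10.1.2.9"]
    print(count_connections(conns, groups, {"TRUSTED_NET": 32}))  # per-host counters
    print(count_connections(conns, groups, {"TRUSTED_NET": 24}))  # one aggregate counter
```

With significant_bits set to 32 the two connections from 10.1.1.5 and the one from 10.1.1.7 are counted separately; with 24 all three collapse into a single 10.1.1.0/24 counter, and 10.1.2.9 is ignored in both cases because no sender group matches it.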
For more information on the listenerconfig command, see the CLI Reference Guide for AsyncOS for Cisco 
Email Security Appliances.