Cisco Email Security Appliance X1070 Troubleshooting Guide

On the ESA, What is the Difference between REJECT and TCPREFUSE?
Document ID: 118007
Contributed by Dominic Yip and Enrico Werner, Cisco TAC Engineers.
Jul 18, 2014
Question
What is the difference between REJECT and TCPREFUSE?
You can configure your Email Security Appliance (ESA) to restrict connections by adding any of these items
to Sender Groups which use Mail Flow Policies:
• IP range
• Specific host or domain name
• SenderBase Reputation Service (SBRS) "organization" classification
• SBRS score range
• DNS List query response
Each Mail Flow Policy has an access rule, such as ACCEPT, REJECT, RELAY, CONTINUE, and
TCPREFUSE. A host that attempts to establish a connection to your ESA and matches a Sender Group using
a TCPREFUSE access rule is not allowed to connect to your ESA. From the standpoint of the sending server,
it will appear as if your server is unavailable. Most MTAs will retry frequently in this case, which creates
more traffic than answering once with a clear hard bounce, for example, REJECT.
A host that attempts to establish a connection to your ESA and encounters a REJECT will receive a 554
SMTP error (hard bounce).
For most implementations, REJECT is a better policy, because the sending server knows instantly that your
domain will not accept messages from it. This not only reduces overall load on your appliance, but the
sender also receives a Non-Deliverable Report (NDR) immediately, instead of waiting for the retries to expire,
which can take as long as five days for some senders. This can be useful if the sender was erroneously
blocked.
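To confirm which of the two behaviors a given source actually gets, the following added example (not part of the original Cisco document) classifies a listener the way a sending MTA experiences it: no SMTP reply at all versus a 554 banner. The loopback stubs, banner text and function names are constructed for illustration, and modelling TCPREFUSE as a refused TCP connection is an assumption.

```python
import socket
import threading

RETRY = "no-smtp-reply: sender queues the message and retries"

def sender_view(host, port, timeout=3.0):
    """Classify a listener by what a connecting MTA sees first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            banner = conn.recv(512).decode("ascii", "replace").strip()
    except OSError:
        # Refused, reset or timed out: the TCPREFUSE case (assumed model).
        return RETRY
    if not banner:
        # Connection closed before any SMTP greeting was sent.
        return RETRY
    code = banner[:3]
    if code == "554":
        return "554: permanent failure, sender bounces immediately"
    if code == "220":
        return "220: connection accepted"
    return "other: " + banner

def start_stub(banner):
    """Constructed one-shot loopback listener: send a banner, then close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def closed_port():
    """Reserve a loopback port, then release it so connects are refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    # Constructed stand-ins for a REJECT listener and a TCPREFUSE listener.
    print(sender_view("127.0.0.1", start_stub(b"554 constructed reject banner\r\n")))
    print(sender_view("127.0.0.1", closed_port()))
```

Against a real appliance, run `sender_view` from a host whose address falls in the Sender Group under test, pointing it at the listener's SMTP port.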
Updated: Jul 18, 2014