Cisco Email Security Appliance X1070 Information Guide

I have added the domain example.com to the
WHITELIST sender group, why is it not working?
Document ID: 118569
Contributed by Cisco TAC Engineers.
Oct 14, 2014
Contents
Introduction
I have added the domain example.com to the WHITELIST sender group, why is it not working?
Related Information
Introduction
This document describes how to alter the entry in the Host Access Table (HAT) or add an IP address to solve
the issue.
I have added the domain example.com to the WHITELIST
sender group, why is it not working?
On the Cisco Email Security Appliance (ESA), there are times when you have added the domain
example.com to your WHITELIST sender group, but mail received from example.com is not handled
by this sender group.
Simply adding a domain name to the HAT will not work, because the HAT matches hostnames and IP
addresses, not sender domain names. Remember, you are configuring a HOST Access Table, not a
DOMAIN access table.
Check the mail logs of the ESA to confirm that the sender that needs to be whitelisted has a hostname that
ends with the domain example.com. If so, alter your entry in the HAT from 'example.com' to '.example.com'.
This entry will then match all hostnames whose DNS PTR record ends with example.com.
For instance, it will match mx0.example.com as well as cluster1.mx1.example.com.
The system acquires and verifies the validity of the remote host's IP address by performing a double DNS
lookup. This consists of a reverse DNS (PTR) lookup on the IP address of the connecting host, followed by a
forward DNS (A) lookup on the results of the PTR lookup. The system then checks that the results of the A
lookup match the results of the PTR lookup. If the results do not match, or if an A record does not exist, the
system only uses the IP address to match entries in the HAT.
If the hostname does not end with example.com, you can also add the IP address directly to the HAT.  You
can find the IP address of the connecting mail server in the mail logs as well.
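The matching behaviour described above can be modelled as follows. This is an added example, not Cisco code: the function names and the DNS data are constructed, and the model assumes that the A lookup confirms the PTR result by resolving back to the connecting IP and that a bare entry such as 'example.com' matches only a host with exactly that name.

```python
import ipaddress

# Constructed DNS data standing in for real PTR and A lookups (runs offline).
PTR = {  # connecting IP -> PTR hostname
    "192.0.2.10": "mx0.example.com",
    "192.0.2.11": "cluster1.mx1.example.com",
    "198.51.100.7": "mx0.example.com",  # PTR claims example.com, A record disagrees
    "203.0.113.5": "mail.example.net",
}
A = {  # hostname -> A records
    "mx0.example.com": ["192.0.2.10"],
    "cluster1.mx1.example.com": ["192.0.2.11"],
    "mail.example.net": ["203.0.113.5"],
}

def is_ip(entry):
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False

def verified_hostname(ip):
    """Double DNS lookup: PTR on the IP, then A on the PTR result."""
    name = PTR.get(ip)
    if name is None or ip not in A.get(name, []):
        return None  # no PTR, no A record, or mismatch: only the IP is usable
    return name

def entry_matches(entry, ip, host):
    if is_ip(entry):               # IP address entry
        return entry == ip
    if host is None:               # hostname entries need a verified hostname
        return False
    if entry.startswith("."):      # partial hostname such as '.example.com'
        return host.endswith(entry)
    return host == entry           # full hostname: exact match only

def in_sender_group(entries, ip):
    host = verified_hostname(ip)
    return any(entry_matches(e, ip, host) for e in entries)
```

The connection from 198.51.100.7 shows the fallback case: its PTR record ends with example.com, but the double lookup fails, so only an IP address entry can place it in the sender group.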