The SMTP call-ahead recipient validation feature queries an external SMTP server before accepting
incoming mail for a recipient. Use this feature to validate recipients when you cannot use LDAP Accept
or the Recipient Access Table (RAT). For example, suppose you host mail for many mailboxes, each
using a separate domain, and your LDAP infrastructure does not allow you to query the LDAP server to
validate each recipient. In this case, the Email Security appliance can query the SMTP server and
validate the recipient before continuing the SMTP conversation.

You can use SMTP call-ahead recipient validation in order to reduce processing on messages for invalid
recipients. Typically, a message for an invalid recipient progresses through the work queue before it can
be dropped. Instead, an invalid message can be dropped or bounced during the incoming/receiving part
of the email pipeline without requiring additional processing.

SMTP Call-Ahead Recipient Validation Workflow

When you configure your Email Security appliance for SMTP call-ahead recipient validation, the Email
Security appliance suspends the SMTP conversation with the sending MTA while it “calls ahead” to the
SMTP server to verify the recipient. When the appliance queries the SMTP server, it returns the SMTP
server’s response to the Email Security appliance, and depending on the settings you have configured,
you can accept the mail or drop the connection with a code and custom response.

Figure 23-1

shows the basic workflow of the SMTP call-head validation conversation.