Cisco Email Security Appliance C170 User Guide

Cisco AsyncOS 8.5 for Email User Guide
 
Chapter 23: LDAP Queries
Configuring AsyncOS for SMTP Authentication
Figure 23-13: Selecting an SMTP Authentication Profile via the Edit Listener page
Once a listener is configured to use the profile, the Host Access Table default settings can be changed 
so that the listener allows, disallows, or requires SMTP Authentication:
Figure 23-14: Enabling SMTP Authentication on a Mail Flow Policy
SMTP Authentication and HAT Policy Settings
Because senders are grouped into the appropriate sender group before the SMTP Authentication
negotiation begins, Host Access Table (HAT) settings are not affected. When a remote mail host
connects, the appliance first determines which sender group applies and imposes the Mail Policy for that
sender group. For example, if a remote MTA “suspicious.com” is in your SUSPECTLIST sender group,
the THROTTLE policy will be applied, regardless of the results of “suspicious.com’s” SMTPAUTH
negotiation.
However, senders that do authenticate using SMTPAUTH are treated differently than “normal” senders. 
The connection behavior for successful SMTPAUTH sessions changes to “RELAY,” effectively 
bypassing the Recipient Access Table (RAT) and LDAPACCEPT. This allows the sender to relay 
messages through the appliance. As stated, any Rate Limiting or throttling that applies will remain in 
effect.
HAT Delayed Rejection
When HAT Delayed Rejection is configured, connections that would get dropped based on the HAT 
Sender Group and Mail Flow Policy configuration can still authenticate successfully and get the RELAY 
mail flow policy granted.
Number  Description
1.      The SMTP Authentication field provides listener-level control for SMTP authentication. If you select “No,” authentication will not be enabled on the listener, regardless of any other SMTP authentication settings you configure.
2.      If “Required” is selected in the second prompt (SMTP Authentication:), no AUTH keyword will be issued until TLS is negotiated (after the client issues a second EHLO command).
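
A check for the behaviour described in item 2, added here as an example (it is not Cisco's code): it parses EHLO replies captured before and after STARTTLS and reports when the AUTH keyword appears on the cleartext side. The transcripts, the host name esa.example.com and the function names are constructed for illustration.

```python
# Added example: audit captured EHLO replies for AUTH offered before TLS.
# All transcripts are constructed; esa.example.com is a placeholder host.

def ehlo_keywords(reply):
    """Map each EHLO keyword (upper-cased) to its list of parameters."""
    caps = {}
    for line in reply.splitlines()[1:]:        # first line is the greeting
        if line[:3] != "250" or len(line) < 5:
            continue                           # not an EHLO capability line
        # "AUTH=PLAIN LOGIN" is a legacy spelling of "AUTH PLAIN LOGIN"
        words = line[4:].replace("=", " ", 1).upper().split()
        if words:
            caps.setdefault(words[0], []).extend(words[1:])
    return caps

def audit_required_auth(pre_tls, post_tls):
    """Findings for a listener expected to withhold AUTH until TLS is up."""
    pre, post = ehlo_keywords(pre_tls), ehlo_keywords(post_tls)
    findings = []
    if "AUTH" in pre:                          # credentials could cross in cleartext
        mechs = " ".join(sorted(set(pre["AUTH"])))
        findings.append("AUTH offered in cleartext: " + mechs)
    if "STARTTLS" not in pre:                  # client has no way to upgrade
        findings.append("STARTTLS not offered before TLS")
    if "AUTH" not in post:                     # second EHLO should advertise AUTH
        findings.append("AUTH not offered after TLS")
    return findings

# First EHLO (cleartext), behaving as item 2 describes: no AUTH keyword yet.
PRE_TLS_OK = """250-esa.example.com
250-8BITMIME
250-SIZE 33554432
250 STARTTLS"""

# First EHLO from a listener that advertises AUTH without waiting for TLS.
PRE_TLS_BAD = """250-esa.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250 STARTTLS"""

# Second EHLO, sent after the TLS handshake completes.
POST_TLS = """250-esa.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN"""

if __name__ == "__main__":
    for name, pre in (("expected", PRE_TLS_OK), ("misconfigured", PRE_TLS_BAD)):
        print(name, audit_required_auth(pre, POST_TLS) or "no findings")
```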