Cisco Email Security Appliance C170 User Guide

 
7-27
User Guide for AsyncOS 9.7 for Cisco Email Security Appliances
 
Chapter 7      Defining Which Hosts Are Allowed to Connect Using the Host Access Table (HAT)
  Verifying Senders
In more detail: AsyncOS performs an MX record query for the domain of the sender address. AsyncOS 
then performs an A record lookup based on the result of the MX record lookup. If the DNS server returns 
“NXDOMAIN” (there is no record for this domain), AsyncOS treats that domain as non-existent. This 
falls into the category of “Envelope Senders whose domain does not exist.” NXDOMAIN can mean that 
the root name servers are not providing any authoritative name servers for this domain.
However, if the DNS server returns “SERVFAIL,” it is categorized as “Envelope Senders whose domain 
does not resolve.” SERVFAIL means that the domain does exist but DNS is having transient problems 
looking up the record.
A common technique for spammers or other illegitimate senders of mail is to forge the MAIL FROM 
information (in the envelope sender) so that mail from unverified senders that is accepted will be 
processed. This can lead to problems as bounce messages sent to the MAIL FROM address are 
undeliverable. Using envelope sender verification, you can configure your appliance to reject mail with 
malformed (but not blank) MAIL FROMs.
For each mail flow policy, you can:
Enable envelope sender DNS verification.
Offer custom SMTP code and response for malformed envelope sender. Malformed envelope 
senders are blocked if you have enabled envelope sender DNS verification.
Offer custom response for envelope sender domains which do not resolve.
Offer custom response for envelope sender domains which do not exist in DNS.
You can use the sender verification exception table to store a list of domains or addresses from which 
mail will be automatically allowed or rejected (see ). The 
sender verification exception table can be enabled independently of Envelope Sender verification. So, 
for example, you can still reject special addresses or domains specified in the exception table without 
enabling envelope sender verification. You can also always allow mail from internal or test domains, 
even if they would not otherwise be verified.
Though most spam is from unverifiable senders, there are reasons why you might want to accept mail 
from an unverified sender. For example, not all legitimate email can be verified through DNS lookups 
— a temporary DNS server problem can stop a sender from being verified.
When mail from unverified senders is attempted, the sender verification exception table and mail flow 
policy envelope sender DNS verification settings are used to classify envelope senders during the SMTP 
conversation. For example, you may accept and throttle mail from sending domains that are not verified 
because they do not exist in DNS. Once that mail is accepted, messages with malformed MAIL FROMs 
are rejected with a customizable SMTP code and response. This occurs during the SMTP conversation.
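The classification sequence described above, as an added illustration that is not code from this guide or from AsyncOS: a MAIL FROM value is checked for form first, then an MX query and an A query on the MX result decide between "does not exist" (NXDOMAIN) and "does not resolve" (SERVFAIL). The FAKE_DNS table, the lookup helper and the rule that a single-label domain counts as malformed are assumptions made so the example runs offline.

```python
import re

# Constructed, offline stand-in for DNS (an assumption, not real resolver
# output): each entry holds either a list of records or an rcode string.
FAKE_DNS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("nosuchdomain.test", "MX"): "NXDOMAIN",
    ("flaky.test", "MX"): "SERVFAIL",
    ("mxonly.test", "MX"): ["mx.mxonly.test"],
    ("mx.mxonly.test", "A"): "NXDOMAIN",
}

def lookup(name, rtype, dns=FAKE_DNS):
    """Return records, or the rcode 'NXDOMAIN'/'SERVFAIL'; names the
    stand-in resolver does not know are answered NXDOMAIN."""
    return dns.get((name.lower(), rtype), "NXDOMAIN")

# Categories matching the guide's mail flow policy settings.
BLANK = "blank envelope sender"
MALFORMED = "malformed envelope sender"
NOT_EXIST = "envelope sender domain does not exist"
NOT_RESOLVE = "envelope sender domain does not resolve"
VERIFIED = "verified"

# local-part@domain with at least two labels; a single-label (partial)
# domain is treated as malformed here, which is an assumption.
ADDR_RE = re.compile(r"^[^@\s<>]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")

def classify_envelope_sender(mail_from, dns=FAKE_DNS):
    """Classify a MAIL FROM value in the order the guide describes:
    blank is not malformed; malformed is rejected before any DNS query;
    then MX query, then A query on the MX result. NXDOMAIN means the
    domain does not exist, SERVFAIL means it does not resolve."""
    addr = mail_from.strip().strip("<>")
    if addr == "":
        return BLANK
    m = ADDR_RE.match(addr)
    if not m:
        return MALFORMED
    mx = lookup(m.group(1), "MX", dns)
    if mx in ("NXDOMAIN", "SERVFAIL"):
        return NOT_EXIST if mx == "NXDOMAIN" else NOT_RESOLVE
    for host in mx:  # A record lookup based on the MX answer
        a = lookup(host, "A", dns)
        if a == "SERVFAIL":
            return NOT_RESOLVE
        if a != "NXDOMAIN":
            return VERIFIED
    return NOT_EXIST
```

The "does not exist" and "does not resolve" results are the two categories to which a mail flow policy can attach its own SMTP code and response, while a MALFORMED result is rejected outright once envelope sender DNS verification is enabled.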
You can enable envelope sender DNS verification (including the domain exception table) in the mail flow 
policy settings for any mail flow policy via the GUI or the CLI (listenerconfig -> edit -> hostaccess -> <policy>).
Related Topics
Partial Domains, Default Domains, and Malformed MAIL FROMs
If you enable envelope sender verification or disable allowing partial domains in SMTP Address Parsing 
options for a listener (see the SMTP Address Parsing Options section in the “Configuring the Gateway 
to Receive Email” chapter), the default domain settings for that listener will no longer be used.