Cisco Cisco Email Security Appliance C170 Guia Do Utilizador
7-28
AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 7 Defining Which Hosts Are Allowed to Connect Using the Host Access Table (HAT)
Verifying Senders
Verifying Senders
Spam and unwanted mail is frequently sent by senders whose domains or IP addresses cannot be resolved
by DNS. DNS verification means that you can get reliable information about senders and process mail
accordingly. Sender verification prior to the SMTP conversation (connection filtering based on DNS
lookups of the sender’s IP address) also helps reduce the amount of junk email processed through the
mail pipeline on the appliance.
by DNS. DNS verification means that you can get reliable information about senders and process mail
accordingly. Sender verification prior to the SMTP conversation (connection filtering based on DNS
lookups of the sender’s IP address) also helps reduce the amount of junk email processed through the
mail pipeline on the appliance.
Mail from unverified senders is not automatically discarded. Instead, AsyncOS provides sender
verification settings that allow you to determine how the appliance handles mail from unverified senders:
you can configure your appliance to automatically block all mail from unverified senders prior to the
SMTP conversation or throttle unverified senders, for example.
verification settings that allow you to determine how the appliance handles mail from unverified senders:
you can configure your appliance to automatically block all mail from unverified senders prior to the
SMTP conversation or throttle unverified senders, for example.
The sender verification feature consists of the following components:
•
Verification of the connecting host. This occurs prior to the SMTP conversation. For more
information, see
information, see
.
•
Verification of the domain portion of the envelope sender. This occurs during the SMTP
conversation. For more information, see
conversation. For more information, see
.
Related Topics
•
•
•
•
•
•
Sender Verification: Host
Senders can be unverified for different reasons. For example, the DNS server could be “down” or not
responding, or the domain may not exist. Host DNS verification settings for sender groups allow you to
classify unverified senders prior to the SMTP conversation and include different types of unverified
senders in your various sender groups.
responding, or the domain may not exist. Host DNS verification settings for sender groups allow you to
classify unverified senders prior to the SMTP conversation and include different types of unverified
senders in your various sender groups.
The appliance attempts to verify the sending domain of the connecting host via DNS for incoming mail.
This verification is performed prior to the SMTP conversation. The system acquires and verifies the
validity of the remote host’s IP address (that is, the domain) by performing a double DNS lookup. A
double DNS lookup is defined as a reverse DNS (PTR) lookup on the IP address of the connecting host,
followed by a forward DNS (A) lookup on the results of the PTR lookup. The appliance then checks that
the results of the A lookup match the results of the PTR lookup. If the PTR or A lookups fail, or the
results do not match, the system uses only the IP address to match entries in the HAT and the sender is
considered as not verified.
This verification is performed prior to the SMTP conversation. The system acquires and verifies the
validity of the remote host’s IP address (that is, the domain) by performing a double DNS lookup. A
double DNS lookup is defined as a reverse DNS (PTR) lookup on the IP address of the connecting host,
followed by a forward DNS (A) lookup on the results of the PTR lookup. The appliance then checks that
the results of the A lookup match the results of the PTR lookup. If the PTR or A lookups fail, or the
results do not match, the system uses only the IP address to match entries in the HAT and the sender is
considered as not verified.
Unverified senders are classified into the following categories:
•
Connecting host PTR record does not exist in the DNS.
•
Connecting host PTR record lookup fails due to temporary DNS failure.
•
Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A).