5-57
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Chapter 5 Configuring the Gateway to Receive Email
Using the sender group “Connecting Host DNS Verification” settings, you can
specify a behavior for unverified senders (see Implementing Host Sender
Verification for the SUSPECTLIST Sender Group, page 5-61).
You can enable host DNS verification in the sender group settings for any sender
group; however, keep in mind that adding host DNS verification settings to a
sender group means including unverified senders in that group. That means that
spam and other unwanted mail will be included. Therefore, you should only
enable these settings on sender groups that are used to reject or throttle senders.
Enabling host DNS verification on the WHITELIST sender group, for example,
would mean that mail from unverified senders would receive the same treatment
as mail from your trusted senders in your WHITELIST (including bypassing
anti-spam/anti-virus checking, rate limiting, etc., depending on how the mail flow
policy is configured).
Sender Verification: Envelope Sender
With envelope sender verification, the domain portion of the envelope sender is
DNS verified. (Does the envelope sender domain resolve? Is there an A or MX
record in DNS for the envelope sender domain?) A domain does not resolve if an
attempt to look it up in the DNS encounters a temporary error condition such as a
timeout or DNS server failure. On the other hand, a domain does not exist if an
attempt to look it up returns a definitive “domain does not exist” status. This
verification takes place during the SMTP conversation, whereas host DNS
verification occurs before the conversation begins — it applies to the IP address
of the connecting SMTP server.
In more detail: AsyncOS performs an MX record query for the domain of the
sender address. AsyncOS then performs an A record lookup based on the result of
the MX record lookup. If the DNS server returns “NXDOMAIN” (there is no
record for this domain), AsyncOS treats that domain as non-existent. This falls
into the category of “Envelope Senders whose domain does not exist.”
NXDOMAIN can mean that the root name servers are not providing any
authoritative name servers for this domain.
However, if the DNS server returns “SERVFAIL,” it is categorized as “Envelope
Senders whose domain does not resolve.” SERVFAIL means that the domain does
exist but DNS is having transient problems looking up the record.
A common technique for spammers or other illegitimate senders of mail is to
forge the MAIL FROM information (the envelope sender) so that mail from an
unverified sender, once accepted, is processed like any other message. This
causes problems because bounce messages sent to the forged MAIL FROM address
are undeliverable. Using envelope sender verification, you can configure your
Cisco IronPort appliance to reject mail with malformed (but not blank) MAIL FROMs.
For each mail flow policy, you can:
• Enable envelope sender DNS verification.
• Offer a custom SMTP code and response for malformed envelope senders.
Malformed envelope senders are blocked if you have enabled envelope sender
DNS verification.
• Offer a custom response for envelope sender domains which do not resolve.
• Offer a custom response for envelope sender domains which do not exist in
DNS.
You can use the sender verification exception table to store a list of domains or
addresses from which mail will be automatically allowed or rejected (see Sender
Verification Exception Table, page 5-59). The sender verification exception table
can be enabled independently of Envelope Sender verification. So, for example,
you can still reject special addresses or domains specified in the exception table
without enabling envelope sender verification. You can also always allow mail
from internal or test domains, even if they would not otherwise be verified.
Though most spam is from unverifiable senders, there are reasons why you might
want to accept mail from an unverified sender. For example, not all legitimate
email can be verified through DNS lookups — a temporary DNS server problem
can stop a sender from being verified.
When mail from unverified senders is attempted, the sender verification exception
table and mail flow policy envelope sender DNS verification settings are used to
classify envelope senders during the SMTP conversation. For example, you may
accept and throttle mail from sending domains that are not verified because they
do not exist in DNS. Once that mail is accepted, messages with malformed MAIL
FROMs are rejected with a customizable SMTP code and response. This occurs
during the SMTP conversation.
You can enable envelope sender DNS verification (including the domain
exception table) in the mail flow policy settings for any mail flow policy via the
GUI or the CLI (listenerconfig -> edit -> hostaccess -> <policy>).
Partial Domains, Default Domains, and Malformed MAIL FROMs
If you enable envelope sender verification or disable allowing partial domains in
SMTP Address Parsing options for a listener (see the SMTP Address Parsing
Options section in “Customizing Listeners” in the Cisco IronPort AsyncOS for
Email Advanced Configuration Guide), the default domain settings for that
listener will no longer be used.
These features are mutually exclusive.
Custom SMTP Code and Response
You can specify the SMTP code and response message for messages with
malformed envelope senders, for envelope senders which do not exist in DNS, and
for envelope senders which do not resolve via DNS queries (DNS server might be
down, etc.).
In the SMTP response, you can include a variable, $EnvelopeSender, which is
expanded to the value of the envelope sender when the custom response is sent.
While typically a “Domain does not exist” result is permanent, it is possible for
this to be a transient condition. To handle such cases, “conservative” users may
wish to change the error code from the default 5XX to a 4XX code.
Sender Verification Exception Table
The sender verification exception table is a list of domains or email addresses that
will either be automatically allowed or rejected during the SMTP conversation.
You can also specify an optional SMTP code and reject response for rejected
domains. There is only one sender verification exception table per Cisco IronPort
appliance and it is enabled per mail flow policy.
The sender verification exception table can be used to list obviously fake but
correctly formatted domains or email addresses from which you want to reject
mail. For example, the correctly formatted MAIL FROM: pres@whitehouse.gov
could be listed in the sender verification exception table and set to be
automatically rejected. You can also list domains that you want to automatically
allow, such as internal or test domains. This is similar to envelope recipient
(SMTP RCPT TO command) processing which occurs in the Recipient Access
Table (RAT).
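The envelope sender check described above (MX query, then A lookup; NXDOMAIN versus SERVFAIL), the exception table consulted ahead of it, and the custom responses with $EnvelopeSender expanded, as an added Python example that is not part of this guide or of AsyncOS. The DNS answers, exception table entries, SMTP codes and response texts are constructed for illustration; the 4XX codes reflect the "conservative" choice the guide mentions.

```python
import re
# Constructed stand-in for the DNS resolver (hypothetical zone data, not real).
# A query maps to a list of answers, or to the status "NXDOMAIN" / "SERVFAIL".
FAKE_DNS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("nonexistent.invalid", "MX"): "NXDOMAIN",  # definitive: domain does not exist
    ("flaky.example.net", "MX"): "SERVFAIL",    # transient: domain does not resolve
}
# Constructed exception table: an exact address or a whole domain -> allow/reject.
EXCEPTION_TABLE = {"pres@whitehouse.gov": "reject", "corp.internal": "allow"}
# Custom responses for this policy; $EnvelopeSender is expanded when sent (4XX = conservative).
RESPONSES = {
    "malformed": (553, "Malformed envelope sender $EnvelopeSender"),
    "does_not_exist": (451, "Domain of $EnvelopeSender does not exist"),
    "does_not_resolve": (451, "Domain of $EnvelopeSender does not resolve"),
}
ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")  # dotted domain required

def dns_query(name, rtype):
    return FAKE_DNS.get((name, rtype), "NXDOMAIN")

def verify_domain(domain):
    """MX query first, then an A lookup on the MX target, as the guide describes."""
    mx = dns_query(domain, "MX")
    # A status string ends the check; otherwise resolve the first MX host (or the domain itself).
    a = mx if isinstance(mx, str) else dns_query(mx[0] if mx else domain, "A")
    if a == "NXDOMAIN":
        return "does_not_exist"
    if a == "SERVFAIL":
        return "does_not_resolve"
    return "verified"

def classify_mail_from(sender):
    """Return (action, smtp_code, response) for one MAIL FROM value."""
    if sender == "":  # a blank MAIL FROM (bounce) is not subject to this check
        return ("accept", 250, "OK")
    m = ADDR_RE.match(sender)
    domain = m.group(1).lower() if m else None
    # The exception table is consulted first and works without DNS verification.
    for key in (sender.lower(), domain):
        if key in EXCEPTION_TABLE:
            if EXCEPTION_TABLE[key] == "allow":
                return ("accept", 250, "OK")
            return ("reject", 553, "Sender " + sender + " rejected by exception table")
    category = "malformed" if domain is None else verify_domain(domain)
    if category == "verified":
        return ("accept", 250, "OK")
    code, text = RESPONSES[category]
    return ("reject", code, text.replace("$EnvelopeSender", sender))
```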
The sender verification exception table is defined in the GUI via the Mail Policies
> Exception Table page (or the CLI, via the exceptionconfig command) and then
is enabled on a per-policy basis via the GUI (see Implementing Sender
Verification for the ACCEPTED Mail Flow Policy, page 5-65) or the CLI (see the
Cisco IronPort AsyncOS CLI Reference Guide).
Entries in the sender verification exception table have the following syntax:
Figure 5-27 Exception Table Listing
See Creating the Sender Verification Exception Table via the GUI, page 5-66 for
more information about modifying the exception table.
Implementing Sender Verification — Example Settings
This section provides an example of a typical conservative implementation of host
and envelope sender verification.
For this example, when implementing host sender verification, mail from
connecting hosts for which reverse DNS lookup does not match is throttled via the
existing SUSPECTLIST sender group and THROTTLED mail flow policy.
A new sender group (UNVERIFIED) and a new mail flow policy
(THROTTLEMORE) are created. Mail from connecting hosts which are not
verified will be throttled (using the UNVERIFIED sender group and the more
aggressive THROTTLEMORE mail flow policy) prior to the SMTP conversation.
Envelope sender verification is enabled for the ACCEPTED mail flow policy.
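The host sender verification side of this example (connecting host with no PTR record goes to UNVERIFIED/THROTTLEMORE; a PTR that the forward A lookup does not confirm goes to SUSPECTLIST/THROTTLED), as an added Python example that is not part of this guide or of AsyncOS. The DNS data is constructed, and treating every failed PTR lookup as "no PTR" and returning None for verified hosts are simplifications assumed here.

```python
# Constructed stand-in for DNS (hypothetical data): PTR and A answers, or a status.
FAKE_DNS = {
    ("192.0.2.10", "PTR"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],       # forward lookup confirms reverse
    ("198.51.100.7", "PTR"): ["mx.spoofed.example"],
    ("mx.spoofed.example", "A"): ["203.0.113.99"],   # forward lookup points elsewhere
    ("203.0.113.5", "PTR"): "NXDOMAIN",              # no PTR record at all
}

def dns_query(name, rtype):
    return FAKE_DNS.get((name, rtype), "NXDOMAIN")

def classify_connecting_host(ip):
    """Map a connecting IP to (sender group, mail flow policy, reason) before the
    SMTP conversation, using the two host verification conditions of Table 5-15."""
    ptr = dns_query(ip, "PTR")
    # Simplification for this example: any failed PTR lookup counts as "no PTR".
    if isinstance(ptr, str) or not ptr:
        return ("UNVERIFIED", "THROTTLEMORE",
                "Connecting host PTR record does not exist in the DNS")
    forward = dns_query(ptr[0], "A")
    if isinstance(forward, str) or ip not in forward:
        return ("SUSPECTLIST", "THROTTLED",
                "Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A)")
    # Verified hosts are matched against the remaining HAT entries (assumed: no group here).
    return (None, None, "host verified")
```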
Table 5-15 shows the suggested settings for implementing sender verification:

Table 5-15 Sender Verification: Suggested Settings

Sender Group   Policy         Include
UNVERIFIED     THROTTLEMORE   Prior to SMTP conversation: connecting host PTR
                              record does not exist in the DNS.
SUSPECTLIST    THROTTLED      Prior to SMTP conversation: connecting host reverse
                              DNS lookup (PTR) does not match the forward DNS
                              lookup (A).
               ACCEPTED       Envelope sender verification during SMTP
                              conversation:
                              - Malformed MAIL FROM.
                              - Envelope sender does not exist in DNS.
                              - Envelope sender DNS does not resolve.

Implementing Host Sender Verification for the SUSPECTLIST Sender Group
In the GUI, click HAT Overview on the Mail Policies tab. A list of existing sender
groups is displayed. To enable and configure host DNS verification for the
SUSPECTLIST sender group:
Step 1 On the HAT Overview page, click SUSPECTLIST in the list of sender groups.
Figure 5-28 HAT Overview Page
Step 2 The Sender Group: SUSPECTLIST page is displayed:
Figure 5-29 Sender Group: SUSPECTLIST
Step 3 Click Edit Settings. The Edit Settings dialog is displayed: