Cisco Email Security Appliance

On the ESA, What is the Difference between REJECT and TCPREFUSE?

Document ID: 118007

Updated: Jul 18, 2014

Contributed by Dominic Yip and Enrico Werner, Cisco TAC Engineers.

What is the difference between REJECT and TCPREFUSE?

You can configure your Email Security Appliance (ESA) to restrict connections by adding any of these items to Sender Groups which use Mail Flow Policies:

  • IP range
  • Specific host or domain name
  • SenderBase Reputation Service (SBRS) "organization" classification
  • SBRS score range
  • DNS List query response

Each Mail Flow Policy has an access rule: ACCEPT, REJECT, RELAY, CONTINUE, or TCPREFUSE. A host that attempts to establish a connection to your ESA and matches a Sender Group whose Mail Flow Policy uses the TCPREFUSE access rule is not allowed to connect at the TCP level. From the standpoint of the sending server, your server simply appears to be unavailable. Most MTAs treat this as a temporary failure and retry frequently, which generates more traffic than answering once with a clear hard bounce such as REJECT.

A host that attempts to establish a connection to your ESA and encounters a REJECT will receive a 554 SMTP error (hard bounce).

For most implementations, REJECT is the better policy, because the sending server knows instantly that your domain will not accept messages from it. This not only reduces the overall load on your appliance, but the sender also receives a Non-Delivery Report (NDR) immediately, instead of waiting for its retries to expire, which can take as long as five days for some senders. If the sender was blocked in error, that immediate NDR is what lets them notice and report the problem.
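As an added illustration (not part of the Cisco document), this Python script stands up a local listener that behaves like a REJECT policy (accepts the TCP connection, answers 554, closes) and probes a closed port to mimic TCPREFUSE, then shows how a sending MTA would classify each result and how many connection attempts each outcome costs. The 554 banner text, the 4-hour retry interval and the 120-hour (five-day) queue lifetime are constructed assumptions, not values taken from the ESA.

```python
"""Simulate how a sending MTA experiences TCPREFUSE versus REJECT on the receiving side."""
import socket
import threading

# Constructed 554 banner; the ESA's actual reply text may differ.
REJECT_BANNER = b"554 Access denied\r\n"


def start_reject_listener():
    """Local stand-in for a REJECT policy: accept the TCP connection, answer 554, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(REJECT_BANNER)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """Pick a port with no listener to stand in for TCPREFUSE (connection refused)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(port, timeout=2.0):
    """Return what a sending MTA would conclude from one delivery attempt."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
            banner = c.recv(512).decode(errors="replace").strip()
    except ConnectionRefusedError:
        # No SMTP dialogue at all: the server looks down, so the message is queued and retried.
        return {"outcome": "TCPREFUSE", "code": None, "retry": True}
    if banner.startswith("554"):
        # Permanent failure: hard bounce, NDR to the sender, no further attempts.
        return {"outcome": "REJECT", "code": 554, "retry": False}
    return {"outcome": "other", "code": banner[:3], "retry": True}


def attempts_before_giving_up(result, retry_interval_h=4, max_queue_h=120):
    """Connection attempts the sender generates: one for a hard bounce, many for a refused TCP connection."""
    if not result["retry"]:
        return 1
    return 1 + max_queue_h // retry_interval_h
```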
