This document describes how to configure bounce verification on the Cisco Email Security Appliance (ESA).
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these hardware and software versions:
Cisco ESA, all versions of AsyncOS
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This section provides an overview of tagging and bounce verification on the ESA.
Bounce Verification Overview
When an email is sent with bounce verification enabled, your ESA rewrites the Envelope Sender address in the message. For example, MAIL FROM: email@example.com becomes MAIL FROM: prvs=joe=123ABCDEFG@example.com. The 123ABCDEFG string in the example is the bounce verification tag that is added to the Envelope Sender as it is sent by your appliance. If the message bounces, the Envelope Recipient address in the bounce typically includes the bounce verification tag, which is what the appliance checks when the bounce comes back.
Note: Refer to the Configuring Bounce Verification Address Tagging Keys section of the Advanced User Guide for additional details.
You can enable or disable bounce verification tagging system-wide as a default. You can also enable or disable bounce verification tagging for specific domains. In most situations, you enable it by default, and then list specific domains for exclusion in the Destination Controls table.
When a Content Security appliance delivers a bounce message that already contains a tagged address to another Content Security appliance inside the De-Militarized Zone (DMZ), then AsyncOS does not add another tag.
Caution: If you enable bounce verification, it might cause your appliances to reject legitimate mail that is sent with a blank Envelope Sender.
How do I configure bounce verification on the ESA?
Complete these steps in order to configure bounce verification on the ESA:

1. Navigate to Mail Policies > Bounce Verification and enter a tagging key manually with a random selection of numbers and letters, such as 4r5t6y7u.

2. Edit the bounce verification settings:
   a. Navigate to Mail Policies > Destination Controls and enable bounce verification.
   b. Choose Default from the Domain field (or your custom destination).
   c. Once the Default window opens and the Bounce Verification section appears, click Yes.

3. Ensure that untagged (misdirected) bounces are blocked:
   a. Navigate to Mail Policies > Mail Flow Policies.
   b. Select the appropriate policy and locate the Security Features section.
   c. Ensure that the Evaluate Untagged Bounces value is set to No. On earlier versions of AsyncOS, the Accept Untagged Bounces value should be set to No.
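The following Python is an added illustration, not Cisco's code: it models the flow described above (the prvs= rewrite of the Envelope Sender using the 10-character tag layout of the page's example, the rule that an already-tagged address is not tagged again, and the accept/reject decision for blank-sender traffic that step 3 enforces). The key id, rolling day stamp, HMAC-SHA256 signature, 7-day validity window and the block_untagged flag are assumptions; AsyncOS's actual tag derivation is not described on this page.

```python
import hashlib
import hmac
import re
from typing import Optional

# Tag layout copied from the page's example "123ABCDEFG": 1 key-id digit,
# 3-digit rolling day stamp, 6-character signature. The signature is a truncated
# HMAC-SHA256 chosen for illustration (assumption; not AsyncOS's derivation).
PRVS_RE = re.compile(r"^prvs=(?P<tag>[0-9]{4}[0-9A-Z]{6})=(?P<local>[^@]+)@(?P<domain>[^@]+)$")
MAX_AGE_DAYS = 7  # assumed window in which a tagged bounce is still accepted

def _sig(key: str, key_id: int, day: int, local: str, domain: str) -> str:
    msg = f"{key_id}{day:03d}:{local}@{domain}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()[:6].upper()

def tag_sender(addr: str, key: str, today: int, key_id: int = 1) -> str:
    """Rewrite an Envelope Sender as prvs=<tag>=<local>@<domain>.
    today is a day ordinal (date.toordinal()). An address that already carries
    a tag is returned unchanged, so a relayed bounce is not tagged twice."""
    if PRVS_RE.match(addr):
        return addr
    local, domain = addr.split("@", 1)
    day = today % 1000
    return f"prvs={key_id}{day:03d}{_sig(key, key_id, day, local, domain)}={local}@{domain}"

def verify_bounce(rcpt: str, key: str, today: int) -> Optional[str]:
    """Return the original recipient if the tag is authentic and unexpired, else None."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return None
    tag, local, domain = m["tag"], m["local"], m["domain"]
    key_id, day, sig = int(tag[0]), int(tag[1:4]), tag[4:]
    if (today % 1000 - day) % 1000 > MAX_AGE_DAYS:
        return None
    if not hmac.compare_digest(sig, _sig(key, key_id, day, local, domain)):
        return None
    return f"{local}@{domain}"

def decide(mail_from: str, rcpt_to: str, key: str, today: int, block_untagged: bool = True) -> str:
    """Accept or reject an inbound message. Only blank-sender (bounce) traffic is checked;
    note that legitimate mail sent with a blank Envelope Sender is rejected as well."""
    if mail_from.strip("<> ") != "":
        return "accept"                       # not a bounce, tagging does not apply
    if verify_bounce(rcpt_to, key, today):
        return "accept"                       # bounce to an address this key tagged
    return "reject" if block_untagged else "accept"
```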